Identity Provisioning: How to Get Users Based on Group Assignments from MS Azure AD
Filtering users and groups in MS Azure AD and provisioning them to target systems supported by Identity Provisioning is hardly any news for you. What might be news, however, is that you can combine filters to get users based on their group assignments. Moreover, you don’t need to add conditions in the default read transformation.
What used to be achieved by “condition-based” filtering (until now, to get users based on their group assignments, you had to define a condition for reading a specific group and set aad.user.attributes.membership.active to true) is now achieved by “property-based” filtering alone.
For this, you need to set the aad.user.filter.group.filter.combine property to true. As its name implies, it combines the filters defined in the aad.user.filter and aad.group.filter properties. After a Read or Resync job runs, the result is narrowed down to users that match the user filter and, at the same time, are members of a group that matches the group filter.
Note: When combining filters, both the user filter and the group filter must be defined. Otherwise, you will not get the expected result. For more information, see: List of Properties -> aad.user.filter.group.filter.combine.
Example Scenario Overview
Let’s start from the basic filtering capabilities that Identity Provisioning service provides. First, we’ll apply group and user filters separately without combining them. Then, we’ll combine both filters by adding aad.user.filter.group.filter.combine=true.
- In this example scenario, MS Azure AD is configured as a source system and Identity Authentication is configured as the target system.
- A provisioning job has already been run. As a result, in Identity Authentication there are 180 users and 67 groups provisioned from MS Azure AD.
- The following 3 users exist in MS Azure AD and Identity Authentication:
| Name | City | Country | Member of Group |
| --- | --- | --- | --- |
| Sarah Williams | Los Angeles | US | Employee |
| Stefan Schmidt | Munich | Germany | Employee, Procurement |
| Michelle Brown | Los Angeles | US | Employee, Procurement |
Filtering a Group
First, we’ll filter a group in MS Azure AD and provision it to Identity Authentication when aad.user.filter.group.filter.combine is not defined or is set to false.
1. On the Properties tab of your MS_Azure_AD source system, set aad.group.filter=displayName eq 'Procurement'.
2. On the Jobs tab, run the provisioning job and verify that only one group is read.
After applying the group filter, one group is read, and the remaining 66 groups that previously existed in Identity Authentication are deleted. All 180 users in MS Azure AD are still read, and no users are deleted, because a user filter is not yet defined.
3. In the User Groups section of your Identity Authentication tenant, verify that the Procurement group is created.
The Procurement group contains only two group members: Michelle Brown and Stefan Schmidt.
Now, we’ll filter users in MS Azure AD and provision them to Identity Authentication when aad.user.filter.group.filter.combine is not defined or is set to false.
1. On the Properties tab of your MS_Azure_AD source system, set aad.user.filter=City eq 'Los Angeles'.
Keep the aad.group.filter property as-is.
Note: For performance reasons, define a user filter based on specific criteria, so that Identity Provisioning reads fewer users. Find something the users you want to provision have in common, for example the domain of their email address, their department, or their organization.
If there is no such common attribute, there is no point in working around it with a filter such as aad.user.filter=userPrincipalName ge ' '. That filter means you want to read all users, which is the same as defining no user filter. In this case, the job runs longer because first the users are calculated internally based on the user filter, then the groups are calculated based on the group filter and their members are matched against the user filter. As a result, only users that are members of the group(s) matching the group filter are provisioned.
2. On the Jobs tab, run the provisioning job and verify that only two users are read.
After applying the user filter, the two users matching it are read, and the remaining 178 users that previously existed in Identity Authentication are deleted.
3. In the User Management section of your Identity Authentication tenant, verify that the two users from Los Angeles, Michelle Brown and Sarah Williams, are read (the third user is the tenant administrator).
4. In the User Groups section of your Identity Authentication tenant, you will notice that Michelle Brown is the only member of the Procurement group. Stefan Schmidt (from Munich) is removed as a group member and deleted as a user because he doesn't match the user filter City eq 'Los Angeles'.
User and Group Filtering Combined
Finally, we’ll combine the user and group filtering.
1. On the Properties tab of your MS_Azure_AD source system, set aad.user.filter.group.filter.combine=true.
Keep the aad.group.filter and aad.user.filter properties as they are.
2. On the Jobs tab, run the provisioning job and verify that only one user is read.
After combining both filters, one group (Procurement) and one user (Michelle Brown) are read.
Michelle Brown is the only user that matches the user filter City eq 'Los Angeles' and at the same time is a member of the group Procurement.
Although Sarah Williams matches the user filter (she is from Los Angeles), she is not a member of the group Procurement (she is a member of the group Employee). Therefore, her user is deleted.
Although Stefan Schmidt is a member of the group Procurement, he doesn't match the user filter (he is from Munich). Therefore, his user is deleted when the user filter is applied, and the group membership is updated.
3. In the User Management section of your Identity Authentication tenant, verify that Michelle Brown is the only user read from MS Azure AD (the second user is the tenant administrator).
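The following script is an added example, not code from this post or from the Identity Provisioning service. It models the three read scenarios above (group filter only, user filter only, both filters with aad.user.filter.group.filter.combine=true) on an in-memory directory constructed from the table above, using a small evaluator for the handful of Microsoft Graph $filter forms that appear on this page (eq, ne, ge, or, and, startsWith, endsWith). How the evaluator matches property names and how it orders the user and group steps are assumptions made for the example, not a description of the service's implementation; the SAP_Admins group and the mail values are constructed data.

```python
"""Toy model of an Identity Provisioning read from MS Azure AD with user and
group filters. Added example; not the service's own code."""
import re

# Constructed sample directory mirroring the post's table (not real tenant data).
USERS = [
    {"displayName": "Sarah Williams", "city": "Los Angeles", "country": "US", "mail": "sarah@example.com"},
    {"displayName": "Stefan Schmidt", "city": "Munich", "country": "Germany", "mail": "stefan@example.com"},
    {"displayName": "Michelle Brown", "city": "Los Angeles", "country": "US", "mail": "michelle@example.com"},
]
GROUPS = [
    {"displayName": "Employee", "members": ["Sarah Williams", "Stefan Schmidt", "Michelle Brown"]},
    {"displayName": "Procurement", "members": ["Stefan Schmidt", "Michelle Brown"]},
    {"displayName": "SAP_Admins", "members": ["Michelle Brown"]},  # constructed, for the startsWith case
]

# Two clause shapes are understood: "<prop> <op> '<value>'" and "<func>(<prop>, '<value>')".
_COMPARISON = re.compile(r"^(\w+)\s+(eq|ne|ge)\s+'([^']*)'$")
_FUNCTION = re.compile(r"^(startsWith|endsWith)\((\w+),\s*'([^']*)'\)$")


def _attr(obj, name):
    # Assumption of this toy: property names are matched case-insensitively, so the
    # post's "City" finds the "city" attribute. Missing attributes read as "".
    for key, value in obj.items():
        if key.lower() == name.lower():
            return value
    return ""


def _eval_clause(obj, clause):
    clause = clause.strip()
    m = _COMPARISON.match(clause)
    if m:
        prop, op, value = m.groups()
        actual = _attr(obj, prop)
        # "ge" is a plain string comparison, so "mail ge ' '" matches every non-empty mail.
        return {"eq": actual == value, "ne": actual != value, "ge": actual >= value}[op]
    m = _FUNCTION.match(clause)
    if m:
        func, prop, value = m.groups()
        actual = _attr(obj, prop)
        return actual.startswith(value) if func == "startsWith" else actual.endswith(value)
    raise ValueError(f"unsupported filter clause: {clause!r}")


def matches(obj, odata_filter):
    """True if obj satisfies the filter (None means no filter). 'and' binds tighter
    than 'or', as in OData. Values containing ' or ' / ' and ' are not handled."""
    if odata_filter is None:
        return True
    return any(all(_eval_clause(obj, c) for c in disjunct.split(" and "))
               for disjunct in odata_filter.split(" or "))


def provision(users, groups, user_filter, group_filter, combine=False):
    """Return (read_users, read_groups) as the post describes the read job.

    read_groups maps group name -> members restricted to users that were read,
    because a user deleted from the target cannot stay a member of a target group.
    """
    if combine and (user_filter is None or group_filter is None):
        # The post says combining without both filters gives an unexpected result;
        # this example refuses to run instead (a choice of the example, not IPS behaviour).
        raise ValueError("combine=true requires both aad.user.filter and aad.group.filter")
    read_groups = {g["displayName"]: list(g["members"]) for g in groups if matches(g, group_filter)}
    read_users = [u["displayName"] for u in users if matches(u, user_filter)]
    if combine:
        # Keep only users that are members of at least one group matching the group filter.
        in_matched_group = {m for members in read_groups.values() for m in members}
        read_users = [u for u in read_users if u in in_matched_group]
    read_groups = {name: [m for m in members if m in read_users] for name, members in read_groups.items()}
    return read_users, read_groups


if __name__ == "__main__":
    group_only = provision(USERS, GROUPS, None, "displayName eq 'Procurement'")
    user_only = provision(USERS, GROUPS, "City eq 'Los Angeles'", "displayName eq 'Procurement'")
    combined = provision(USERS, GROUPS, "City eq 'Los Angeles'", "displayName eq 'Procurement'", combine=True)
    for label, result in (("group filter only", group_only), ("user filter only", user_only), ("combined", combined)):
        print(f"{label}: users={result[0]} groups={result[1]}")
```

Running the script prints the three outcomes the post walks through: all three users with a two-member Procurement group, then Sarah and Michelle with Stefan dropped from the group, then Michelle alone. The same `provision` call with `displayName eq 'Procurement' or displayName eq 'Employee'` as the group filter and `mail ge ' '` as the catch-all user filter shows why the catch-all reads every user before the group step narrows the result.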
Now, the floor is yours! You can test it out and share your feedback.
Nice and well-detailed documentation, thank you, Ivelina Kiryakova 🙂
Very nice blog, I was looking for this a long time, I set it up and it's working.
One question is it also possible to filter on multiple groups or to filter for example on "Procurement*"
Thanks E. Schuiteman,
Filtering on multiple groups is possible by using the eq and or operators.
For example, if you want to filter three groups, provide the value of the aad.group.filter property as follows: displayName eq 'Procurement' or displayName eq 'Development' or displayName eq 'Operations'
Hi Ivelina Kiryakova
do I understand it correctly that if setting the aad.group.filter = displayName eq 'Procurement' and aad.user.filter.group.filter.combine = true, I will get all Users belonging to Group 'Procurement'?
Is it normal that such a job runs for like 30 minutes in IPS?
Also I am not getting my Group created in my IAS
Sorry for my late reply.
To make the aad.user.filter.group.filter.combine property work, both user and group filters must be configured.
I guess it's normal for the job to run longer as first, users are calculated based on the user filter, then groups are calculated based on the group filter and the user members matching the user filter.
Informative write-up - thanks.
One thing to note: If you are trying to filter users that are in a specific group only (but have no user filters that are needed) then you have to populate the aad.user.filter property with some value that will allow all users to be queried.
What I tried and did not work:
mail ne ' ' <-this would filter for users where mail does not equal blank space (trying to pull in all users).
Based on MSFT graph API for user, ne should be a supported filter but it does not seem to be currently.
What I tried that did work:
mail ge ' ' <-this would filter for users where mail value is greater than equal blank space.
Based on testing in the MSFT graph explorer, this returned all users successfully.
This filter was used in the aad.user.filter and allowed me to create all users in the filtered group.
Hello Ivelina Kiryakova,
Thank you for the blog post. When configuring this sync from Azure for the very first time, how do I avoid bringing in all of my Azure users in my organization (about 200,000)? If I set up a group filter for 1 single Azure group, would the sync job pull in the single Azure group but also pull in ALL my 200k users?
I guess my question is, if I only want the specific group and only users within that group to be synced into IAS, would I need only:
aad.group.filter | displayName eq 'my group in Azure'
or would I need to do Group filter + a user filter?
aad.group.filter | displayName eq 'my group in Azure'
aad.user.filter | displayName eq 'my specific users'
Thank you so much,
I think what Miles O'Connor mentioned earlier may work. Having mail ge ' ' on the user filter along with group filter and combine property.
If something has worked for you please do share your results.
My customer is in the process of setting up IPS to read users-groups from Azure AD and populate cloud solutions such as SAC and IBP. They followed the procedure outlined in your blogs to set up the Azure Graph application and the appropriate parameters in IPS.
As a trial, they set up a test Azure AD group with 4 members and are attempting to read them from IPS. We configured both user and group filters within IPS. However, the IPS job runs for a very long time (hours) and times out. It seems to be cycling through all users and groups within their large Corporate Azure AD.
If they restrict the query to a specific user, it returns quickly. It is only when you want to read all users within an Azure AD group that the timeout occurs.
Also, when they run the same query against Azure AD using Graph Explorer it runs only a few seconds.
Their Azure AD support team has confirmed it is nothing from their side. They are seeking your expert opinion on where to investigate.
Is there a way to optimize the read query for IPS? Are there any traces in IPS that can be enabled to identify the source of the delay?
Thank you - John Hormaechea
This is a very useful feature.
Does this property support wildcards for group names? For example, if I would like to filter members assigned to groups beginning with SAP then would I enter displayName eq 'SAP*' or will use an operator such as cp (Contains Pattern)?
Hi Subbu Iyer,
You can only use the filter operators supported by Azure, listed here: https://learn.microsoft.com/en-us/graph/filter-query-parameter. As far as I can see, cp (Contains Pattern) is not among the supported ones. Following your question, I tested it with aad.group.filter=startsWith(displayName, 'SAP_') and it worked.
Reading your blog was really useful for me during my configuration. Thank you so much for the information provided here. F
On that subject of the filtering, I tried to use the function endsWith... but I'm not certain of the format... every syntax I used seems not to be functional. Do you know if that function is supported on IPS?