SCIM provisioning error: Manager attribute from SF > AD

J S 41 Reputation points
2021-09-23T22:40:48.493+00:00

Seeing the following error when using the employeeID/employeeNumber to define the manager attribute of a user. Using the Azure AD user provisioning service.

Error code
SystemForCrossDomainIdentityManagementBulkOperationResponseError

Error message
{"Exceptions":[{"SerializedExceptionString":"{\"ClassName\":\"System.ArgumentException\",\"Message\":\"Invalid value\",\"Data\":null,\"InnerException\":null,\"HelpURL\":null,\"StackTraceString\":\" at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ActiveDirectoryExtendedDistinguishedName.ToExtendedDistinguishedName(String objectGuid)\r\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ScimToActiveDirectoryPropertyTranslator.PopulateValues(DirectoryAttribute directoryAttribute, IReadOnlyCollection`1 originalValues)\r\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ScimToActiveDirectoryPropertyTranslator.Convert(PatchOperation2 operation)\r\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ScimToActiveDirectoryTranslator.TryCreateModifyRequest(PatchRequest2Legacy patchRequest, SearchResultEntry currentEntry, ModifyRequest& modifyRequest)\r\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ScimToActiveDirectoryTranslator.ToModifyRequests(PatchRequest2Legacy patchRequest, SearchResultEntry currentEntry)\r\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ActiveDirectoryProvider.

SF attribute: managerId or manager

API Exp: $.employmentNav.results[0].userNav.manager.empInfo.customString5
OR
$.employmentNav.results[0].userNav.manager.empInfo.personIdExternal

(doesn't matter which one you use, in theory).

AD target attribute: manager

manager
OR
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager

Translating that ID to a distinguished name appears to be the issue; why would it be an option if it's failing?

An Azure engineer suggested that this is because our CN values are in the format 'CN=Smith\, John,OU=London,DC=Contoso,DC=com' and that the backslash may be the cause. I know the backslash to be a reserved character, to negate the comma in a binding string i.e. distinguished name. Therefore I don't think that is the reason: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names

Anyone have any other suggestions?


Accepted answer
  1. Chetan Desai 971 Reputation points Microsoft Employee
    2021-09-25T03:29:19.817+00:00

    @JStiles

    The SuccessFactors to AD user provisioning job automatically resolves manager references. There are three important things to note about this process.

    1. During manager resolution, the Azure AD provisioning service retrieves the employee's manager's personIdExternal attribute from SuccessFactors and automatically sets the manager attribute in Active Directory. The manager attribute in Active Directory is of type "Distinguished Name" or DN. That is the reason why we convert the manager information from SuccessFactors to a DN string.
    2. In order for the provisioning service to successfully resolve the manager reference, ensure that the manager's record from SuccessFactors is in scope of the provisioning job and it has been processed by the provisioning service prior to creating the user's record. This gives the provisioning service visibility into the manager's account existence in Active Directory.
    3. The default out-of-the-box manager attribute mapping is of type "Reference" so that this translation is automatically handled. Please do not change this mapping, else reference resolution will not work.

    With this background, follow the steps below to resolve the issue:
    • If you have changed the default manager attribute mapping, please restore the default mapping.
    • If you want to flow the manager's actual personIdExternal value from SuccessFactors to AD, use the managerID attribute and map it to a different AD attribute that is of type string (e.g. description or extensionAttribute1).
    • Run provision-on-demand for the manager's record first and then run provision-on-demand for the user's record.

    This should hopefully resolve the issue.

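As an added illustration of the manager-resolution behaviour this answer describes (my own example, not Microsoft's provisioning-agent code): it escapes a comma in a CN the way the question's 'Smith\, John' DN does, splits such a DN on unescaped commas only, and simulates the job resolving a manager's personIdExternal to a DN, which only succeeds when the manager's object already exists in AD. The record fields, names and OU are constructed.

```python
from typing import Dict, List

# Constructed sample data, not from the thread. Each SuccessFactors-style record
# carries its own personIdExternal plus the manager's personIdExternal.
SF_RECORDS = [
    {"personIdExternal": "1002", "displayName": "Doe, Jane", "managerPersonId": "1001"},
    {"personIdExternal": "1001", "displayName": "Smith, John", "managerPersonId": None},
    {"personIdExternal": "1003", "displayName": "Lee, Ann", "managerPersonId": "9999"},
]

RDN_SPECIALS = ',+"\\<>;'  # characters RFC 4514 requires to be backslash-escaped

def escape_rdn_value(value: str) -> str:
    """Escape RDN special characters, so 'Smith, John' becomes 'Smith\\, John'."""
    return "".join("\\" + c if c in RDN_SPECIALS else c for c in value)

def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas only; a backslash-comma stays in the value."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        current.append(ch)
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            current.pop()
            rdns.append("".join(current))
            current = []
    rdns.append("".join(current))
    return rdns

def manager_first_order(records: List[dict]) -> List[dict]:
    """Order records so every in-scope manager is processed before their reports
    (the 'provision the manager's record first' step). Out-of-scope managers are skipped."""
    in_scope = {r["personIdExternal"] for r in records}
    done, ordered, pending = set(), [], list(records)
    while pending:
        ready = [r for r in pending
                 if r["managerPersonId"] not in in_scope or r["managerPersonId"] in done]
        if not ready:
            raise ValueError("cyclic manager chain")
        ordered.extend(ready)
        done.update(r["personIdExternal"] for r in ready)
        pending = [r for r in pending if r not in ready]
    return ordered

def provision(records: List[dict], ou: str = "OU=London,DC=Contoso,DC=com") -> Dict[str, dict]:
    """Simulate the job: create each AD object in the given order, then resolve the
    manager reference only if the manager's object already exists (point 2 above)."""
    ad: Dict[str, dict] = {}
    for rec in records:
        dn = f"CN={escape_rdn_value(rec['displayName'])},{ou}"
        mgr = rec["managerPersonId"]
        ad[rec["personIdExternal"]] = {"dn": dn, "manager": ad[mgr]["dn"] if mgr in ad else None}
    return ad
```

Running provision(SF_RECORDS) leaves 1002's manager unset because 1002 is processed before 1001; provision(manager_first_order(SF_RECORDS)) resolves it to the escaped DN.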


  1. Siva-kumar-selvaraj 15,546 Reputation points
    2021-09-28T20:46:30.34+00:00

    Thanks @Chetan Desai for providing detailed information.
