question

miloszengel asked ManibharathyRajkumar-4223 commented

Azure AD user provisioning to SalesForce

Hey all,
I'm struggling with the following error in Azure AD user provisioning to Salesforce. All was working OK, but suddenly my sync went into quarantine due to the error below:

 This Azure Active Directory service principal has app roles with duplicate attribute values: 8d002630-e7ea-47e0-8118-a23670f76bcf: "Salesforce". The attribute with the duplicate values is displayName. The duplicated value is { Add:"Standard Platform User" (Source) }. The synchronization job cannot proceed until the duplication is remedied. One way of remedying the duplication would be to edit the service principal using the Azure Active Directory Graph or the Microsoft Graph. Both of those Web application programming interfaces are documented on the World Wide Web. If the documentation is insufficient, please file a request for support using the Microsoft Azure Active Directory Graph or the Microsoft Graph via Azure support.

The thing is, I have no idea how I could remove this duplicate in order to fix this issue.

azure-webapps azure-ad-user-provisioning

@miloszengel Have you had a chance to perform below suggestion?

0 Votes 0 ·
ManibharathyRajkumar-4223 answered

This helped me fix the issue; high-level steps below.
1. Using Graph, connected to the service principal of the app.
2. Collected all the existing roles for this app on the Azure end.
3. Assigned a test user to the new profile and pushed it through provisioning on demand.
4. Find the profile ID from the Azure provisioning logs and validate the profile ID in Salesforce or any app using SCIM.
5. From the Graph API, remove the nonexistent role.
6. Restart the sync services.
7. Issue fixed.

MioszEngel-7136 answered

Hello, it's been a while because I was able to fix the issue by editing the app manifest and manually removing duplicates. It was working OK but it started appearing again.
I can see below roles when editing the user:

The problem is with Salesforce Profiles translation. I can see these profiles:

  • "Standard Platform User" - disabled

  • "Standardowy użytkownik plaftormy" - Polish translation (active)

I do not use these profiles, but since it's one of the Salesforce default ones, I can't remove it.

Now, the problem is that when I go to the app manifest at App Registrations/Salesforce/Manifest, there are no SF roles at all. There is just msiam_access, the Azure default one.
Yet all SF profiles are available to be selected (well, only active ones, but all are displayed) when adding or editing a user in Azure.

amanpreetsingh-msft answered ManibharathyRajkumar-4223 commented

Hello @miloszengel


Could you please confirm if you go to Salesforce Application > Users and Groups > +Add User > Select a role, do you see any two roles with "Standard Platform User" name?


If yes, you need to remove one role by using steps mentioned here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management#delete-an-existing-role




Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.



@miloszengel were you able to resolve the issue? Please let me know if you need any assistance.

0 Votes 0 ·
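The check and removal discussed in the answers above (collect the existing roles, find the duplicated `displayName`, remove one role through Graph), as an added example that is not part of any answer on this page. It makes no Graph calls: it assumes the service principal's `appRoles` array has already been retrieved as JSON, works on constructed sample roles with made-up ids and values, and only builds the two PATCH bodies (disable the role first, then drop it), with the role to remove chosen by the operator.

```python
import copy
from collections import defaultdict

# Constructed sample of a service principal's appRoles array (ids/values are made up).
SAMPLE_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "displayName": "msiam_access",
     "value": None, "isEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Standard Platform User",
     "value": "constructed-profile-A", "isEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000003", "displayName": "Standard Platform User",
     "value": "constructed-profile-B", "isEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000004", "displayName": "Chatter Free User",
     "value": "constructed-profile-C", "isEnabled": True},
]


def duplicate_display_names(app_roles):
    """Map every displayName used by more than one role to the ids of those roles."""
    ids_by_name = defaultdict(list)
    for role in app_roles:
        ids_by_name[role["displayName"]].append(role["id"])
    return {name: ids for name, ids in ids_by_name.items() if len(ids) > 1}


def removal_patch_bodies(app_roles, role_id):
    """Build the two PATCH bodies that delete one role: disable it, then drop it.

    Every other role is kept unchanged in both bodies, because the PATCH
    replaces the whole appRoles collection.
    """
    if role_id not in {role["id"] for role in app_roles}:
        raise ValueError(f"no app role with id {role_id}")
    disabled = copy.deepcopy(app_roles)  # never mutate the caller's copy
    for role in disabled:
        if role["id"] == role_id:
            role["isEnabled"] = False
    remaining = [role for role in disabled if role["id"] != role_id]
    return {"appRoles": disabled}, {"appRoles": remaining}


if __name__ == "__main__":
    dupes = duplicate_display_names(SAMPLE_APP_ROLES)
    print("duplicated displayName values:", dupes)
    # The operator decides which id is the stale one; here the second is picked.
    step1, step2 = removal_patch_bodies(SAMPLE_APP_ROLES, dupes["Standard Platform User"][1])
    print("roles left after step 2:", [r["displayName"] for r in step2["appRoles"]])
```

Re-running `duplicate_display_names` on the second body before sending it confirms the collection no longer contains the duplicate.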