JSJS asked sikumars-msft answered

SCIM provisioning error: Manager attribute from SF > AD

Seeing the following error when using the employeeID/employeeNumber to define the manager attribute of a user. Using the Azure AD user provisioning service.

Error code
SystemForCrossDomainIdentityManagementBulkOperationResponseError

Error message
{"Exceptions":[{"SerializedExceptionString":"{\"ClassName\":\"System.ArgumentException\",\"Message\":\"Invalid value\",\"Data\":null,\"InnerException\":null,\"HelpURL\":null,\"StackTraceString\":\" at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ActiveDirectoryExtendedDistinguishedName.ToExtendedDistinguishedName(String objectGuid)\\r\\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ScimToActiveDirectoryPropertyTranslator.PopulateValues(DirectoryAttribute directoryAttribute, IReadOnlyCollection`1 originalValues)\\r\\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ScimToActiveDirectoryPropertyTranslator.Convert(PatchOperation2 operation)\\r\\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ScimToActiveDirectoryTranslator.TryCreateModifyRequest(PatchRequest2Legacy patchRequest, SearchResultEntry currentEntry, ModifyRequest& modifyRequest)\\r\\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ScimToActiveDirectoryTranslator.ToModifyRequests(PatchRequest2Legacy patchRequest, SearchResultEntry currentEntry)\\r\\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ActiveDirectoryProvider.

SF Attribute: managerId or manager

API Exp: $.employmentNav.results[0].userNav.manager.empInfo.customString5
OR
$.employmentNav.results[0].userNav.manager.empInfo.personIdExternal

(doesn't matter which one you use, in theory).

AD target attribute: manager

manager
OR
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager

Translating that ID to a distinguished name appears to be the issue. Why would it be an option if it's failing?

An Azure engineer suggested that this is because our CN values are in the format 'CN=Smith\, John,OU=London,DC=Contoso,DC=com' and that the backslash may be the cause. I know the backslash to be a reserved character, used to negate the comma in a binding string, i.e. a distinguished name. Therefore I don't think that is the reason: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names

Anyone have any other suggestions?

azure-ad-user-provisioning

ChetanDesai-4206 answered JSJS edited

@JStiles

The SuccessFactors to AD user provisioning job automatically resolves manager references. There are three important things to note about this process.
1. During manager resolution, the Azure AD provisioning service retrieves the employee's manager's personIdExternal attribute from SuccessFactors and automatically sets the manager attribute in Active Directory. The manager attribute in Active Directory is of type "Distinguished Name" or DN. That is the reason why we convert the manager information from SuccessFactors to a DN string.
2. In order for the provisioning service to successfully resolve the manager reference, ensure that the manager's record from SuccessFactors is in scope of the provisioning job and that it has been processed by the provisioning service prior to creating the user's record. This gives the provisioning service visibility into the existence of the manager's account in Active Directory.
3. The default out-of-the-box manager attribute mapping is of type "Reference" so that this translation is handled automatically. Please do not change this mapping, otherwise reference resolution will not work.

With this background, follow the steps below to resolve the issue:
• If you have changed the default manager attribute mapping, please restore the default mapping.
• If you want to flow the manager's actual personIdExternal value from SuccessFactors to AD, use the managerID attribute and map it to a different AD attribute that is of type string (e.g. description or extensionAttribute1).
• Run provision-on-demand for the manager's record first and then run provision-on-demand for the user's record.

This should hopefully resolve the issue.


You're a saint.

Your suggestion in step 2 was what resolved the issue for me. "Ensure that the manager's record from SuccessFactors is in scope of the provisioning job and it has been processed by the provisioning service prior to creating the user's record".

It's a wonder why this isn't a documented consideration for the provisioning service, unless I have missed it somewhere.

I appreciate your help.

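The manager resolution described in the answer (SuccessFactors personIdExternal looked up against AD and written as a DN, which fails when the manager's object does not exist yet) and the RFC 4514 escaping of the comma in 'CN=Smith\, John' from the question, modelled as an added example that is not the provisioning service's own code. The org records, the container OU=London,DC=Contoso,DC=com (borrowed from the question's DN) and the way a failed lookup is reported are assumptions.

```python
# Added example (not the provisioning service's own code): a model of the manager
# resolution described above, including the "manager not yet in AD" failure (step 2).
from typing import Dict, List, Optional, Tuple

# Constructed sample data: personIdExternal -> SuccessFactors record.
SF_RECORDS = {
    "1001": {"name": "Smith, John", "manager": None},   # top of the org, no manager
    "1002": {"name": "Jane Doe", "manager": "1001"},
    "1003": {"name": "Bob Lee", "manager": "1002"},
}

def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping: 'Smith, John' -> 'Smith\\, John' (the backslash is legal there)."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def user_dn(name: str) -> str:
    # Container names (OU=London,DC=Contoso,DC=com) are assumed for the example.
    return f"CN={escape_rdn_value(name)},OU=London,DC=Contoso,DC=com"

def managers_first(records: Dict[str, dict]) -> List[str]:
    """Order ids so every manager is processed before their reports (cycle-safe)."""
    order: List[str] = []
    def visit(pid: str, path: Tuple[str, ...] = ()) -> None:
        if pid in path:
            raise ValueError("manager cycle: " + " -> ".join(path + (pid,)))
        if pid not in order:
            if records[pid]["manager"] is not None:
                visit(records[pid]["manager"], path + (pid,))
            order.append(pid)
    for pid in records:
        visit(pid)
    return order

def provision(order: List[str]) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Create AD objects in `order`; returns ({id: manager DN or None}, ids whose manager failed)."""
    ad_by_employee_id: Dict[str, str] = {}   # the AD side: employeeID -> DN
    resolved: Dict[str, Optional[str]] = {}
    failed: List[str] = []
    for pid in order:
        manager_id = SF_RECORDS[pid]["manager"]
        if manager_id is None:
            resolved[pid] = None
        elif manager_id in ad_by_employee_id:
            resolved[pid] = ad_by_employee_id[manager_id]   # DN reference, as AD expects
        else:
            failed.append(pid)   # modelled as the question's "Invalid value" on the manager attribute
        ad_by_employee_id[pid] = user_dn(SF_RECORDS[pid]["name"])  # the user object itself is still created
    return resolved, failed
```

Running provision(managers_first(SF_RECORDS)) resolves every manager, while provision(["1003", "1002", "1001"]) reproduces the ordering failure for the two users whose managers were not yet in AD.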
sikumars-msft answered

Thanks @ChetanDesai-4206 for providing detailed information.
