Cloud Identity Engine not syncing some AAD (aka Entra ID) users and groups via SCIM Client.

Created On 04/11/24 19:35 PM - Last Modified 02/10/25 20:30 PM


Symptom


Cloud Identity Engine is not syncing some new AAD (aka Entra ID) Groups added to the SCIM connector application in Azure.
 


Environment


  • Cloud Identity Engine (CIE)
  • Palo Alto Networks SCIM Connector
  • Azure AD (Azure Active Directory)
Note:
  • SCIM stands for System for Cross-domain Identity Management
  • Azure AD is also called Microsoft Entra ID


Cause


  • During a SCIM client incremental sync between Azure AD (aka Entra ID) and Cloud Identity Engine, some users and groups can be skipped on the AAD side and will not sync to CIE.
  • To identify why a user or group was skipped:
    • Browse to the SCIM enterprise application in Azure.
    • Click Provisioning logs.
    • Search for the missing user or group.
    • Select the log entry.
    • The log entry contains detailed information about why the user or group was skipped.
    • The details of the example below are documented in the "Additional Information" section of this article.
Provisioning Logs (screenshot)

Resolution


  1. By default, when using the SCIM connector, the Cloud Identity Engine only synchronizes the users and groups you assign to the app in the Azure Portal.
  2. Verify that these users and groups are in the provisioning scope and assigned to the SCIM application in Azure AD.
  3. If the users/groups are still being skipped, engage Microsoft Azure support to investigate the issue further.
Workaround:
  1. Restart Provisioning on Azure AD, which triggers a full sync between CIE and the Azure AD (aka Entra ID) SCIM client.
  2. This does not impact existing data already in CIE.


Additional Information


  • In the example (screenshot in the Cause section):
    • Group g1 was skipped with SkipReason NotEffectivelyEntitled.
    • This means that the group was not assigned to the SCIM application in Azure. The log entry reads:
The Group 'g1' will be skipped due to the following reasons:
1) This object does not have required entitlement for provisioning. If you did not expect the object to be skipped, update provisioning scope to 'Sync all users and groups' or assign the object to the application with entitlement of provisioning category
  • Due to these errors seen in the provisioning logs, these users and groups will not be updated on the CIE side.
  • No error will be seen in CIE, because the groups and users were skipped by Azure AD before they were ever provisioned.
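The triage the Cause and Additional Information sections describe by hand (read each skipped entry, map its SkipReason to a fix, and notice objects that never appear in the logs at all) can be scripted. The following is an added example, not Palo Alto Networks or Microsoft code; it uses a simplified record shape constructed for this example (displayName, objectType, status, skipReason, message), not Microsoft's exact provisioning-log schema, and the sample entries are constructed.

```python
"""Triage Entra ID provisioning-log entries for a SCIM-connected CIE app."""

# Skip reason documented in this article and the remediation it calls for.
SKIP_REASON_ACTIONS = {
    "NotEffectivelyEntitled": (
        "Object is not assigned to the SCIM application: assign it to the app "
        "or set the provisioning scope to 'Sync all users and groups'."
    ),
}
FALLBACK_ACTION = (
    "Unrecognised skip reason: read the log details; if scope and assignment "
    "look correct, engage Microsoft Azure support."
)

# Constructed sample entries (simplified shape, not a real log export).
SAMPLE_LOGS = [
    {"displayName": "g1", "objectType": "Group", "status": "skipped",
     "skipReason": "NotEffectivelyEntitled",
     "message": "This object does not have required entitlement for provisioning."},
    {"displayName": "sales-users", "objectType": "Group", "status": "success",
     "skipReason": None, "message": ""},
    {"displayName": "contractor01", "objectType": "User", "status": "skipped",
     "skipReason": "ConstructedExampleReason", "message": "(constructed)"},
]


def triage(records, expected_names):
    """Return (skipped, never_seen).

    skipped:    {displayName: (skipReason, recommended action)} for every
                entry Entra ID skipped; CIE receives nothing for these and
                shows no error, so the log is the only place they surface.
    never_seen: expected objects with no log entry at all, which usually
                means they were never in the provisioning scope.
    """
    skipped, seen = {}, set()
    for rec in records:
        seen.add(rec["displayName"])
        if rec["status"] != "skipped":
            continue
        reason = rec.get("skipReason") or "Unknown"
        action = SKIP_REASON_ACTIONS.get(reason, FALLBACK_ACTION)
        skipped[rec["displayName"]] = (reason, action)
    never_seen = sorted(set(expected_names) - seen)
    return skipped, never_seen


if __name__ == "__main__":
    found, missing = triage(SAMPLE_LOGS, ["g1", "sales-users", "hr-users"])
    for name, (reason, action) in found.items():
        print(f"{name}: skipped ({reason}) -> {action}")
    print("expected but absent from the logs:", missing)
```

Objects listed under "expected but absent" are the ones to check against the app's assignments and provisioning scope first, since Entra ID never evaluated them.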


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CrLCCA0&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail