azure-active-directoryprovisioningscim

AzureAD Group Provisioning to ServiceNow - Cannot change group details in ServiceNow due SYSID being stored


I am trying to understand AzureAD Provisioning and ServiceNow. Group provisioning is OOTB and set to map on the Group NAME field, and it does. However, AzureAD is storing the ServiceNow ID for the group (SYSID) from the initial match and then using it as part of later provisioning synchronisations.

My objective is to determine:

  1. Based on recent issues I suspect there has there been a recent change to AzureAD Provisioning to store the target ID (ServiceNow sysid) after creating or matching a record. Am I correct?
  2. If 1 above is true then where is this stored and can I access it using GraphAPI, or config screen
  3. How much control do I have in ServiceNow to make AzureAD provisioning match groups I create and reconfigure

To force a test I have made some group changes in ServiceNow to test how AzureAD Provisioning is working and caused a failure in provisioning I would like to understand.

  1. Added group "Test Provisioning Group" to my enterprise app
  2. Azure Provisioning ran and created a group in ServiceNow "Test Provisioning Group" - (ID=31f1f3792f630110fc1e52172799b6fa)
  3. In ServiceNow I Renamed the group created by AzureAD provisioning to "Test Provisioning Group Renamed" (ID=31f1f3792f630110fc1e52172799b6fa)
  4. In ServiceNow I created a new group named "Test Provisioning Group" - (ID=8bd8394e2f2b0110fc1e52172799b6e2)
  5. Azure Provisioning ran and FAILED

Failure Analysis

  1. In the Provisioning Logs in "Section 1. Import sys_user_group from Azure Active Directory" starts with the ID value which is the old group ID
  2. In "3. Match sys_user_group between Azure Active Directory and ServiceNow" I see
    • EntryImportByJoiningProperty finds the new group by name
    • EntryImport finds the old renamed group by ID - It even lists the new name of the group "Retrieved 'Test Provisioning Group Renamed' from ServiceNow"

Sorry, dont have enough points to post an image so here is a table of the results

EntryImportByJoiningProperty

Result Success
Description A target entry in ServiceNow has been matched with the source entry by matching attribute name: Test Provisioning Group
Active 1
Name Test Provisioning Group
Sys_id 8bd8394e2f2b0110fc1e52172799b6e2

EntryImport

Result Success
Description Retrieved 'Test Provisioning Group Renamed' from ServiceNow
Active 1
Description Testing AzureAD provisioning issues
Name
Test Provisioning Group Renamed
Sys_id 31f1f3792f630110fc1e52172799b6fa

Solution

  • Whenever an object (user, group..) is created or located for the first time, the target system ID value (sys_id for ServiceNow SOAP API) is stored internally to the provisioning service. That value cannot be manually cleared. Your options are either to remove the original group entirely so that the next time AAD Provisioning attempts to locate the first group via sys_id it fails and reverts to searching again by friendly name, OR restart provisioning via MS Graph API with a resetScope of Full, which will clear the provisioning internal mapping of ID values between systems.

    This data surrounding links between source/target systems is not accessible to you, it's only visible to the provisioning service. In general, I'd recommend not doing what you've described - it isn't an expected scenario for AAD Provisioning. It raises the question - why are you renaming the group in ServiceNow and trying to replace it with another group that would end up in the same state?

    MS Graph restart API doc: https://learn.microsoft.com/en-us/graph/api/synchronization-synchronizationjob-restart?view=graph-rest-beta&tabs=http