Comments on: Revoke user access in case of an emergency with a single click – on-premises AD integration

By: Andy

Andy — Tue, 14 Jan 2025 08:46:07 +0000

Don’t worry, I got it working. It was the primary key in the advanced API attribute mapping settings, within the enterprise app.

By: Andy

Andy — Fri, 10 Jan 2025 11:29:57 +0000

Hi Peter, thanks for the reply. Thought I’d replied back but clearly not.

What about using a different attribute? I’ve baked this config into an existing Logic App I have, and it works with employeeID, but if I switch the mapping to userPrincipalName, or displayName, I get and error in provisioning which is ‘
Source identifier of an entry cannot be empty’. I’ve tried the expression mapping of UPN and even tried direct UPN to UPN but I get the same error.

By: Peter Klapwijk

Peter Klapwijk — Tue, 07 Jan 2025 12:53:57 +0000

In reply to Andy. Hi Andy, The OU filled in is indeed only a provisioning OU. As long as you can make a match, like I do on the default employeeID, the user account can be located on other OUs. I'm not aware of any requirement to exclude the provisioning OU. I have my provisioning OU synced with Entra ID Connect sync.

By: Andy

Andy — Tue, 07 Jan 2025 12:32:36 +0000

Hi Peter. Great article, and something I am currently working on where I feel this could really benefit us. A question I do have, as I noticed the provisioning OU was different to where your test account resides. I assume the provisioning OU is just a means to configure the enterprise app API. Would this OU need to be excluded from Entra ID Connect sync, as my understanding is you can have both EID-C and Cloud Sync in place, but not for the same OU’s / objects.

In my environment we already have EID-C in place, with specific OUs selected to sync those users to Entra.