[midPoint] Group Membership in Azure AD / Entra

Sebastien Braun sebastien at sebbraun.de
Tue Nov 21 18:30:33 CET 2023


Hi,

I'm looking to understand whether MidPoint could be a good IDM solution for my environment.

Part of that is that I want to manage Azure AD / Entra group memberships via MidPoint. I have successfully created a resource with the MS Graph connector that imports existing users and groups into MidPoint. This resource also creates special "Support" users for dedicated work upon assignment (kind=account, intent=support).

So far, this all works out, and I can assign "support" accounts to Azure AD groups managed by midPoint. But for some reason that I can't understand, I cannot put "default" accounts into Azure AD groups. The association on both intents is configured exactly the same. Both of them are assigned via the "Entra Group" archetype, but only the support account ends up in the group.

I can see in the logs and traces that the association is correctly evaluated for both projections, but for the default account it is not written back into Azure AD.  I can't see any error messages or exception traces that seem relevant, and no differences between the two ObjectTypes that explain the difference to me. I haven't found the right keywords to find any solutions in the Wiki, the JIRA or the mailing list archives either, so now I'm asking for help here: Can anyone point me in the right direction to find out what I'm doing wrong here?

Relevant configuration is attached as ZIP.
Thank you all in advance!

BR,
Sebastien

