TL;DR: What's the problem? I don't see any output for users when testing 'AppRoleAssignmentsComplex([appRoleAssignments])' in Expression Builder. How do I see this output in the context of a specific app, and test how conditional logic around it will impact User provisioning scope or provisioned fields?

Background

GitHub Enterprise Managed Users relies on Azure AD SCIM provisioning as its only source of configuration of user information/management. The out-of-the-box user provisioner looks like this:

[Image: Default Provisioner Mapping for Users]

I also have 2 types of Groups I want to pass through to the provisioner:

License level groups: Security Groups which use Roles like User, Enterprise Owner, Admin, etc. which consume a license for a user

Permission set groups: M365 Groups with "isSecurityEnabled=True" which are used to set GitHub Team memberships which match the M365 Teams ONLY IF the user is already licensed (for details on GitHub IdP teams, see https://docs.github.com/en/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups).

I have essentially accomplished this by setting the License level groups with the appropriate role, and setting the M365 groups with a role of "Restricted User". However, this leads to excessive API calls through SCIM with numerous errors, for each appearance of an unlicensed user.

How to solve this?

I think the best way to solve this would be to use a Scoping Rule which ignores users who do not have one of the actual roles like "User", "Enterprise Owner", "Billing Contact", etc. assigned. Another way to solve this would be to use similar logic to set the 'active' attribute to false if the user does not have these roles assigned.

What is the issue?

I cannot find a way to query the user's appRoles in Expression Builder. Every time I try to use "AppRoleAssignmentsComplex([appRoleAssignments])" in Expression Builder, I get null for output. Will this work to get the list of App Role assignments in the SCIM provisioning? What is the expected output? I am wary of editing this on our production connection. Any suggestions on how best to test the resulting output and logic filtering around this field?

[Image: output for AppRoleAssignment]

0 Answers