Azure AD SSO provisioning duplicates group assignments / mappings in sys_user_grmember

cphanson
Giga Contributor

I am configuring the Azure AD plugin for user provisioning and SSO. In the future state, every domain in our ServiceNow instance (we are domain separated) may or may not use SSO, each with its own identity provider. In my PoC, I am using Azure AD. We are on Helsinki.

Azure AD SSO Plugin: Microsoft Azure Marketplace

Tutorial: Tutorial: Azure Active Directory integration with ServiceNow | Microsoft Docs

My provisioning user is in a "customer" domain in ServiceNow and has two roles: user_admin and SOAP (not the full admin role). Everything is working well except for group syncing:

Working:

  1. Azure AD users get synced to ServiceNow based on my scoping criteria, get assigned the right domain in SN, etc (good)
  2. Azure AD Groups that meet my scoping criteria get created in ServiceNow, including a couple of extra attributes we have in the sys_user_group table (Company and Type). (good)
  3. Azure AD Group members get added to the appropriate groups in ServiceNow (good)
  4. Users and Groups become inactive if I delete or deactivate them in AD (good)

Problems with Group syncing:

  1. Every time I add a new user to a group in Azure AD (a group that is also synced to SN), when it syncs the group member to SN it creates duplicate records of the existing users in the group. (It is not creating new SN users; it is creating duplicate user-group mappings in the sys_user_grmember table.) If I have 5 members in a group, then I add a user, I get 11 members (2 of each of the first 5, plus the new one). The next time I sync with a new group user, I'll get those 11 plus 7 more (6 are dupes, 1 is new). The same thing happens when I manually restart provisioning in Azure AD Classic portal > Application > Configure tab > Restart provisioning button. It duplicates the existing user mappings in the group. Expected behavior: I should only see NEWLY added users get added to the group, and no duplicates.
  2. When I remove a member from the AD group, nothing happens in the ServiceNow group. The user is not removed. Expected behavior: the user should be removed from the ServiceNow group.

I tried giving my SN provisioning user (user configured for Azure AD provisioning) full admin role, and that hasn't helped.

Any ideas on how to troubleshoot / solve these two problems?
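The sync semantics the post expects (only newly added members inserted, removed members deleted, exactly one row per user and group) as an added example; this is not part of the original post and not code from the Azure AD plugin or ServiceNow. It is a small Node.js script that flags duplicate (user, group) pairs in a sys_user_grmember extract and computes the idempotent diff against the Azure AD group membership. The group id, the member ids and the rows are constructed sample data; the field names `user` and `group` are the real sys_user_grmember columns, and nothing here calls the ServiceNow or Microsoft Graph APIs.

```javascript
// Added example (not from the thread): models what an idempotent group-membership
// sync should do to sys_user_grmember, plus a check for the duplicate (user, group)
// pairs described in the post. Plain Node.js; no ServiceNow API calls.

// Constructed sample: ServiceNow memberships for one group after a buggy sync
// re-inserted the first five members (the "11 members" case from the post).
const GROUP = 'grp_helpdesk'; // hypothetical group sys_id
const sysUserGrmember = [
  { user: 'u1', group: GROUP }, { user: 'u2', group: GROUP }, { user: 'u3', group: GROUP },
  { user: 'u4', group: GROUP }, { user: 'u5', group: GROUP },
  { user: 'u1', group: GROUP }, { user: 'u2', group: GROUP }, { user: 'u3', group: GROUP },
  { user: 'u4', group: GROUP }, { user: 'u5', group: GROUP },
  { user: 'u6', group: GROUP },
];

// Constructed sample: current membership of the matching Azure AD group.
// u5 was removed in Azure AD and u7 was added.
const azureAdMembers = ['u1', 'u2', 'u3', 'u4', 'u6', 'u7'];

// Report every (user, group) pair that occurs more than once in the table.
function findDuplicateMemberships(rows) {
  const counts = new Map();
  for (const r of rows) {
    const key = `${r.user}|${r.group}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts.entries()]
    .filter(([, n]) => n > 1)
    .map(([key, n]) => ({ user: key.split('|')[0], group: key.split('|')[1], count: n }));
}

// Membership diff for one group: what a correct sync should insert (in Azure AD
// but not in ServiceNow) and delete (in ServiceNow but no longer in Azure AD).
// Set semantics mean existing members are never re-inserted.
function reconcileGroup(rows, group, sourceMembers) {
  const current = new Set(rows.filter(r => r.group === group).map(r => r.user));
  const desired = new Set(sourceMembers);
  const toAdd = [...desired].filter(u => !current.has(u)).sort();
  const toRemove = [...current].filter(u => !desired.has(u)).sort();
  return { toAdd, toRemove };
}

// Apply the diff and collapse duplicates so the table ends with exactly one
// row per (user, group) for this group; rows of other groups are untouched.
function applyReconciliation(rows, group, sourceMembers) {
  const { toAdd } = reconcileGroup(rows, group, sourceMembers);
  const desired = new Set(sourceMembers);
  const seen = new Set();
  const kept = rows.filter(r => {
    if (r.group !== group) return true;      // other groups untouched
    if (!desired.has(r.user)) return false;  // member removed in Azure AD
    const key = `${r.user}|${r.group}`;
    if (seen.has(key)) return false;         // drop a duplicate row
    seen.add(key);
    return true;
  });
  return kept.concat(toAdd.map(u => ({ user: u, group })));
}

console.log(findDuplicateMemberships(sysUserGrmember));                          // 5 pairs, count 2 each
console.log(reconcileGroup(sysUserGrmember, GROUP, azureAdMembers));             // { toAdd: ['u7'], toRemove: ['u5'] }
console.log(applyReconciliation(sysUserGrmember, GROUP, azureAdMembers).length); // 6
```

Running `findDuplicateMemberships` over an export of sys_user_grmember (user, group columns) confirms whether the symptom is really duplicate mappings before any cleanup; the set difference in `reconcileGroup` is the check a provisioning run must pass to be idempotent, so rerunning it on the reconciled rows yields an empty diff.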

14 REPLIES

That sounds about right. We had an issue recently where the UPN was coming in instead of email, even though to all appearances the email was populating correctly in Azure. MS support took a while to come back with a fix (a workaround really). Glad you got it worked out!


Hi Chris,

I found this thread when I was checking how to provision group and member details from Azure AD. You mentioned above "Azure AD Group members get added to the appropriate groups in ServiceNow (good)". Can you explain to us how you configured group provisioning in Azure AD? Do we need to change any attributes in Azure AD for group provisioning?

Because today, when I turn on auto provisioning for groups in Azure AD, group member details are not updated in the groups. Could you please help us with this?

Below is the group attribute mapping in Azure AD:

Azure AD attribute    ServiceNow attribute
displayName           Name
description           description
mail                  email
members               user

Regards,

Anandakumar L

Hello Anand,

I am facing a similar issue. Did you find a solution for it?

Hi,

I am also facing the same issue. We enabled Azure AD group provisioning, but group member details are not updated in the groups. Please let me know the solution for this issue.

Hi,

I fixed this issue by disabling an ACL running on the user and group fields in the sys_user_grmember table. This ACL was blocking Azure from writing and creating records in the sys_user_grmember table. Please check and let me know if this fixes your issue.

Regards,

AnandaKumar L