Summary

      After adding the Azure connector or performing a full synchronization, group memberships are not synchronized from Azure AD to Crowd.

      Environment

      • Azure AD
      • Latest Crowd (tested with 3.2.1)

      How to Replicate

      1. Set AZURE AD directory on Crowd
      2. After synchronization,

      Expected Results

      • users, groups, and membership to the groups to be synched normally on Crowd

      Actual results

      • Users and groups synched, but users are not showing under their respective groups on Crowd.

      Notes and Resolution

      The issue has been fixed in Crowd 3.0.3, 3.1.4 and 3.2.2 - please update to any of these versions to obtain the fix.

      It may, however, occur that Crowd continues to incrementally synchronize with Azure AD without picking up the existing memberships. In such a case, it's possible to force a full synchronization using the following steps:

      • Uncheck the "Enable incremental sync" checkbox
      • Click the "Update" button
      • Check the "Enable incremental sync" checkbox
      • Click the "Update" button again

            [CWD-5192] Azure AD synchronisation remove membership

            Patryk added a comment - - edited

            Hello,

            The fix is available in Crowd 3.0.3, Crowd 3.1.4 and Crowd 3.2.2. It may, however, occur that Crowd continues to incrementally synchronize with Azure AD, not picking up the existing memberships. In such a case, please:

            • Uncheck the "Enable incremental sync" checkbox
            • Click the "Update" button
            • Check the "Enable incremental sync" checkbox
            • Click the "Update" button again

            Best regards,
            Patryk Petrowski


            Papp István added a comment -

            Hello!

            Yes, in fact as others have mentioned, the way Crowd was querying the group memberships should not have worked as per the Graph API. We have traced the calls made by Catalina and it seems it is calling

            https://graph.microsoft.com/v1.0/groups/delta?$select=displayName,members,description,id

            when it should be calling:

            https://graph.microsoft.com/v1.0/groups/delta?$select=displayName,members,description,id&$expand=members

            Performing a URL rewrite for this single call "fixes" the issue.

            Regards,

            István

            Benjamin Brummer added a comment -

            A workaround would be to enable a Crowd Internal Directory and import Users and Memberships by CSV-Files.

            https://www.cleito.com/products/odcc/documentation/#uninstall

            g added a comment -

            From the technical side, what we know is that Microsoft no longer supports asking for memberships using the $select parameter; however, it works using the $expand parameter.

            https://stackoverflow.com/questions/50961874/groups-delta-query-does-not-return-members-when-specified-in-select

            If you can, please vote on the question.

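The URL rewrite described in the comments above, written out as an added example (it is not Crowd's code and not the commenter's actual rule): it appends `$expand=members` only to the initial groups delta call that selects `members`. The function name is hypothetical, and leaving follow-up links that carry `$skiptoken` or `$deltatoken` untouched is an assumption of this example.

```python
from urllib.parse import parse_qsl, urlsplit, urlunsplit

GRAPH_HOST = "graph.microsoft.com"
DELTA_PATH = "/v1.0/groups/delta"   # the single call named in the ticket


def rewrite_groups_delta(url: str) -> str:
    """Return url with $expand=members appended when it is the initial
    groups delta request that selects members without expanding them.
    Every other URL is returned unchanged."""
    parts = urlsplit(url)

    # Scope the rewrite to the exact host and path from the ticket.
    if parts.scheme != "https" or parts.hostname != GRAPH_HOST:
        return url
    if parts.path.rstrip("/") != DELTA_PATH:
        return url

    # parse_qsl percent-decodes, so "%24select" and "$select" both match.
    params = parse_qsl(parts.query, keep_blank_values=True)
    names = {key.lower() for key, _ in params}

    # Assumption: paging and delta links carry opaque state tokens and
    # are passed through as issued.
    if "$skiptoken" in names or "$deltatoken" in names:
        return url

    selected = [
        field.strip().lower()
        for key, value in params
        if key.lower() == "$select"
        for field in value.split(",")
    ]

    # Nothing to do if members is not requested or an expand is present.
    if "members" not in selected or "$expand" in names:
        return url

    # Append to the original query string so existing parameters keep
    # their exact encoding and order.
    return urlunsplit(parts._replace(query=parts.query + "&$expand=members"))
```

The rewrite is idempotent, so applying it to an already corrected request leaves the URL as it is.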

              srezkalla@atlassian.com Sarah Rezkalla (Inactive)