Ama

Reputation: 1

EntraID/AzureAD - SCIM API driven provisioning to Entra - why employeeLeaveDateTime is not syncing to Entra

I use the proper date format for both employeeHireDate and employeeLeaveDateTime, which is "YYYY-MM-DDThh:mm:ssZ" as per https://learn.microsoft.com/en-us/entra/id-governance/how-to-lifecycle-workflow-sync-attributes

The provisioning log states that both attributes in Azure have been updated [screenshot: Provisioning Log], but when checking in Graph Explorer/MgGraph, employeeHireDate has a value while employeeLeaveDateTime is null [screenshot: Graph Explorer Output].

Both attributes are synced with Direct mapping rule.

Custom schema attributes:

    "urn:ietf:params:scim:schemas:extension:itixcustom:1.0:User": {
        "employeeType": "internal",
        "HireDateTime": "2024-07-07T01:00:00Z",
        "LeaveDateTime": "2033-07-07T21:00:00Z"
    }

Direct mapping: [screenshot: Direct Mapping]

API permissions assigned to the Service Principal which is calling the /bulkupload API: [screenshot: API Permissions]

As a workaround I can do a separate call to the Graph API to update employeeLeaveDateTime; you need the following Graph API permission for this: User-LifeCycleInfo.ReadWrite.All (allows the app to read and write the lifecycle information, like employeeLeaveDateTime, of users in your organization, without a signed-in user). But it doesn't really meet the expectations of /bulkupload.

Upvotes: 0

Views: 219

Answers (1)

Ama

Reputation: 1

I resolved this.

  1. If you use API-Driven Provisioning TO ENTRA, employeeHireDate and employeeLeaveDateTime must be in the format "YYYY-MM-DDThh:mm:ssZ". Other formats will be treated as a "skipped" action, even if the datetime values change. https://learn.microsoft.com/en-us/entra/id-governance/how-to-lifecycle-workflow-sync-attributes
  2. I couldn't read employeeLeaveDateTime in Graph Explorer because I had no User-LifeCycleInfo.Read.All permission consented; User.Read.All/Directory.Read.All don't work and show NULL values. https://learn.microsoft.com/en-us/graph/tutorial-lifecycle-workflows-set-employeeleavedatetime - after assigning User-LifeCycleInfo.Read.All to my Service Principal I could finally read employeeLeaveDateTime via MgGraph:

     $User = Get-MgUser -UserId $UserId -Property EmployeeLeaveDateTime
     $User.EmployeeLeaveDateTime

Upvotes: 0
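The first point of the answer (Entra silently "skips" hire/leave dates that are not exactly "YYYY-MM-DDThh:mm:ssZ") is easy to enforce on the sending side. The following is an added example, not code from the question or from Microsoft: it normalises any ISO 8601 timestamp to that exact UTC form, rejects offset-less input, and builds a SCIM BulkRequest body (RFC 7644 shape) carrying the question's custom extension schema. The user fields and the `to_entra_datetime`/`build_bulk_request` names are assumptions made for the example.

```python
"""Build a SCIM BulkRequest for Entra API-driven provisioning whose
hire/leave timestamps are in the exact "YYYY-MM-DDThh:mm:ssZ" form."""
import json
import re
from datetime import datetime, timezone

# Exact shape Entra expects for employeeHireDate/employeeLeaveDateTime.
ENTRA_DT = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
# Custom extension schema taken from the question.
CUSTOM_SCHEMA = "urn:ietf:params:scim:schemas:extension:itixcustom:1.0:User"


def to_entra_datetime(value: str) -> str:
    """Normalise an ISO 8601 timestamp to UTC 'YYYY-MM-DDThh:mm:ssZ'.
    Offsets are converted to UTC and fractional seconds dropped; a naive
    (offset-less) value is rejected because its zone is ambiguous."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {value!r}")
    out = dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    assert ENTRA_DT.match(out)  # guard against a future format change
    return out


def build_bulk_request(users: list[dict]) -> dict:
    """users: constructed records with externalId, userName, hire, leave."""
    ops = []
    for i, u in enumerate(users, start=1):
        ops.append({
            "method": "POST", "bulkId": str(i), "path": "/Users",
            "data": {
                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
                            CUSTOM_SCHEMA],
                "externalId": u["externalId"],
                "userName": u["userName"],
                "active": True,
                CUSTOM_SCHEMA: {
                    "employeeType": u.get("employeeType", "internal"),
                    "HireDateTime": to_entra_datetime(u["hire"]),
                    "LeaveDateTime": to_entra_datetime(u["leave"]),
                },
            },
        })
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
            "Operations": ops}


if __name__ == "__main__":  # constructed sample input
    sample = [{"externalId": "E1001", "userName": "jdoe@example.test",
               "hire": "2024-07-07T03:00:00+02:00", "leave": "2033-07-07T21:00:00.250Z"}]
    print(json.dumps(build_bulk_request(sample), indent=2))
```

Post the resulting body to the provisioning job's bulkUpload endpoint; anything that fails `to_entra_datetime` would otherwise be accepted by the endpoint but logged as "skipped".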
