
Stephen Bubb (Customer) asked a question.
We are attempting to collect in all Entra ID cloud-only groups (not synced from on-premises AD) using a Generic REST Account Collector. The only way we can determine to collect in ONLY cloud groups and NOT groups synced from on-premises AD is to use the filter query 'NOT (onPremisesSyncEnabled eq true)' or another such query that relies on filtering on the onPremisesSyncEnabled value being null. In order to do so, we are required to use advanced querying in Graph API (ConsistencyLevel: eventual and $count=true). This works as intended and only collects in cloud groups from Entra.
The issue is we also need to be able to collect in group owner information for Entra groups. The only way we can find to do this is by using the $expand query parameter in the API call.
Herein lies the problem: the advanced query parameters (ConsistencyLevel: eventual and $count=true) cannot be used at the same time as the $expand parameter.
Has anyone been able to configure their REST collectors for Entra in order to be able to collect in ONLY cloud groups but also collect group owner information?
Disclaimer:
I haven't fully tested it and haven't given much thought to whether this should be done.
Do your own testing and your own research.
--------------------------------------------------------------------------
The only thing that comes to mind is this workaround:
Remove the $filter
Add the $expand
Collect the value of onPremisesSyncEnabled
In the pre-processor config, delete the records which have onPremisesSyncEnabled = true from:
T_DC_SOURCEDATA_GROUP
T_DC_SOURCEDATA_GROUP_MEM
In the example below (as a proof of concept) I was relying on group name. In your use case, you will need to adjust the PL/SQL query to identify the relevant groups (which are not synced from AD).
Thank you Boris, this got me headed in the right direction. I was able to filter out the onPremisesSyncEnabled groups using the pre-processor on the account collector. This allowed me to use the $expand parameter and collect the owner property as well.
The downside is it makes the collection time go from ~2 minutes to ~16 minutes due to the need to process a lot more groups and group memberships in the collection, but that's a fair trade-off to get this additional information.
In case it helps others with a similar issue, this is how I handled it in the pre-processor.
BEGIN
    -- 1. Delete all rows from T_DC_SOURCEDATA_GROUP_MEM for groups where cas10 (onPremisesSyncEnabled) = 'true' in the T_DC_SOURCEDATA_GROUP table
    DELETE FROM T_DC_SOURCEDATA_GROUP_MEM entragroupmem
    WHERE entragroupmem.dc_id = v_dc_id
      AND entragroupmem.run_id = v_run_id
      AND entragroupmem.group_name IN (
          SELECT name
          FROM T_DC_SOURCEDATA_GROUP
          WHERE dc_id = v_dc_id
            AND run_id = v_run_id
            AND cas10 = 'true'
      );

    -- 2. Delete all rows from T_DC_SOURCEDATA_GROUP for groups where cas10 (onPremisesSyncEnabled) = 'true'
    DELETE FROM T_DC_SOURCEDATA_GROUP
    WHERE dc_id = v_dc_id
      AND run_id = v_run_id
      AND cas10 = 'true';

    COMMIT;
END;
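The same workaround (Boris's steps and the pre-processor above) carried out in Python over Graph responses, as an added example that is neither the collector's nor the posters' code: groups are requested with $expand=owners and no ConsistencyLevel/$count, then synced groups and their membership rows are dropped client-side. The Graph URL, the two result pages and the membership rows are constructed sample data, and the groups are matched on id rather than display name.

```python
# Assumed request shape; a real collector pages through @odata.nextLink.
GROUPS_URL = ("https://graph.microsoft.com/v1.0/groups"
              "?$select=id,displayName,onPremisesSyncEnabled"
              "&$expand=owners($select=id,userPrincipalName)")

# Constructed sample of two Graph result pages (the first carries a nextLink).
SAMPLE_PAGES = [
    {"value": [
        {"id": "g1", "displayName": "Finance", "onPremisesSyncEnabled": True,
         "owners": [{"id": "u1", "userPrincipalName": "alice@contoso.example"}]},
        {"id": "g2", "displayName": "Finance", "onPremisesSyncEnabled": None,
         "owners": [{"id": "u2", "userPrincipalName": "bob@contoso.example"}]}],
     "@odata.nextLink": GROUPS_URL + "&$skiptoken=page2"},
    {"value": [
        {"id": "g3", "displayName": "Legal", "onPremisesSyncEnabled": False,
         "owners": []}]},
]

# Constructed membership rows, one per (group, member), as the collector stores them.
SAMPLE_MEMBERS = [{"group_id": "g1", "member": "u9"},
                  {"group_id": "g2", "member": "u8"},
                  {"group_id": "g3", "member": "u7"}]


def is_cloud_only(group: dict) -> bool:
    """Graph reports true for synced groups, null when never synced and false
    when sync was later turned off; like the thread's filter, only an explicit
    true is excluded, so null and false are both kept."""
    return group.get("onPremisesSyncEnabled") is not True


def fetch_all(pages) -> list:
    """Collect every page until a page without @odata.nextLink (simulated here)."""
    groups = []
    for page in pages:
        groups.extend(page["value"])
        if "@odata.nextLink" not in page:
            break
    return groups


def filter_cloud_groups(groups: list, memberships: list) -> tuple:
    """Keep cloud-only groups plus the membership rows that belong to them.
    Match on id, not displayName: the two 'Finance' groups above share a name,
    so a name-based delete would also remove the cloud group's rows."""
    kept = [g for g in groups if is_cloud_only(g)]
    kept_ids = {g["id"] for g in kept}
    return kept, [m for m in memberships if m["group_id"] in kept_ids]


def run() -> tuple:
    """Whole workaround on the sample data: fetch, then prune synced groups."""
    return filter_cloud_groups(fetch_all(SAMPLE_PAGES), SAMPLE_MEMBERS)
```

Entra group display names are not unique, which is why the pruning keys on the group id; the PL/SQL above keys on name because the collector's membership table only carries group_name.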