Azure AD sync fails to add users to a group via auto-provisioning if the group has the security_admin role granted.
Release or Environment
- Instance on the London release or later.
- Automatic user provisioning with Azure Active Directory is configured.
- The group into which the user is provisioned has the security_admin role assigned.
Cause
Since the London release, the design of the sys_user_role ACL for the READ operation has changed: the "contains role" checks in that ACL are now locked down, so the account performing the sync must itself satisfy them for every role granted through the target group. Because security_admin is an elevated-privilege role that no account holds at login (see below), the provisioning account cannot satisfy that check, and the attempt to add the user to a group that carries security_admin fails.
Resolution
Remove the security_admin role from the group so that users can be synced/provisioned into it. Check the group's role assignments (its sys_group_has_role records) for security_admin before re-running the sync. Users who genuinely need security_admin should receive it outside the provisioned group, not through a group that Azure AD provisions into.
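The check a practitioner would run before re-enabling the sync, as an added example (not the article's or ServiceNow's own code): it audits sys_group_has_role records for groups that grant security_admin (or any role flagged elevated_privilege on sys_user_role) and shows that removing the role from the group clears the finding. The Table API URL, the instance name and the sample records are assumptions constructed for the example; the ACL decision is modeled locally, not called on an instance.

```python
"""Pre-flight audit for Azure AD (SCIM) group provisioning into ServiceNow.

Finds groups whose role assignments would make the provisioning insert fail
under the locked-down sys_user_role read ACL (London and later), i.e. groups
that grant an elevated-privilege role such as security_admin, and shows that
removing the role from the group clears the finding.
"""
from collections import defaultdict

# Roles the read ACL will not expose to an account that does not already
# hold them. security_admin is the one named in the article.
ELEVATED_ROLES = frozenset({"security_admin"})

# Constructed sample in the shape the Table API returns for
# sys_group_has_role with dot-walked fields (booleans come back as strings).
SAMPLE_RECORDS = [
    {"group.name": "Azure Provisioned Users", "role.name": "itil",
     "role.elevated_privilege": "false"},
    {"group.name": "Security Admins", "role.name": "admin",
     "role.elevated_privilege": "false"},
    {"group.name": "Security Admins", "role.name": "security_admin",
     "role.elevated_privilege": "true"},
    {"group.name": "Fulfillers", "role.name": "approver_user",
     "role.elevated_privilege": "false"},
]


def table_api_query(instance: str) -> str:
    """Table API URL that fetches the group/role pairs this audit needs.
    `instance` is the instance subdomain (assumed name in the example)."""
    return (
        f"https://{instance}.service-now.com/api/now/table/sys_group_has_role"
        "?sysparm_fields=group.name,role.name,role.elevated_privilege"
        "&sysparm_limit=10000"
    )


def groups_blocking_provisioning(records, actor_roles=frozenset()):
    """Return {group_name: [roles]} for every group that grants a role the
    provisioning account (holding `actor_roles`) cannot pass the locked
    'contains role' read check for. An unattended integration account never
    holds security_admin, since that role is only held after elevation, so
    the default of no actor roles models the real sync."""
    blocked = defaultdict(list)
    for rec in records:
        role = rec["role.name"]
        elevated = (rec.get("role.elevated_privilege") == "true"
                    or role in ELEVATED_ROLES)
        if elevated and role not in actor_roles:
            blocked[rec["group.name"]].append(role)
    return dict(blocked)


def remove_role_from_group(records, group, role):
    """The article's fix: drop the role from the group. Returns a new list;
    on a real instance this is deleting the sys_group_has_role record."""
    return [r for r in records
            if not (r["group.name"] == group and r["role.name"] == role)]


if __name__ == "__main__":
    findings = groups_blocking_provisioning(SAMPLE_RECORDS)
    for group, roles in findings.items():
        print(f"{group}: provisioning will fail, grants {', '.join(roles)}")
    fixed = remove_role_from_group(SAMPLE_RECORDS, "Security Admins",
                                   "security_admin")
    print("after fix:", groups_blocking_provisioning(fixed) or "no blocking groups")
```

Run it against real data by fetching `table_api_query("<instance>")` with the integration account's credentials and passing the `result` array to `groups_blocking_provisioning`; every group it reports must have the offending role removed before the Azure AD sync will add members to it.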
Additional Information
The security_admin role is an elevated-privilege role provided with High Security Settings; it lets users create and change access controls (ACLs) and change High Security Settings.
In the base system, only the default System Administrator (admin) user has the security_admin role. Because the role requires elevating privileges, the admin user does not hold it at login; after elevating privileges, the admin user holds security_admin for the remainder of the session.