API-driven provisioning to on-premises Active Directory - Provisioning Failure
Hi. Hoping someone can help with this.
I have a logic app that handles multiple user remediations, and one of those is to disable accounts. This works fine in a cloud-only environment; however, I want to extend the disable account element to on-prem hybrid accounts. I've configured the API-driven provisioning to on-premises Active Directory enterprise app, installed the Entra provisioning agent, and amended my logic app to utilise the provisioning endpoint, along with additional get user steps to pull properties such as userPrincipalName, ID, employeeID.
Using employeeID (the default mapping for the API-driven provisioning), it works no problem. However, if I try to use any other valid attribute such as UPN, AccountName, ID, etc., the provisioning app fails with:
Result: Failure
Description: Source identifier of an entry cannot be empty.
SkipReason: UnprocessableEntry
ErrorCode: EmptySourceIdentifier
ErrorMessage: Source identifier of an entry cannot be empty.
The sources I've used above are not empty, and I've confirmed this via Graph API, so I'm confused as to why this is happening. Again, employeeID works fine. The ID is reflected on both the cloud and on-prem accounts, so it is no different to the other attributes I have tried using.
Any help would be appreciated.