API-driven provisioning to on-premises Active Directory - Provisioning Failure

Question

Hi. Hoping someone can help with this.

I have a logic app that handles multiple user remediations, and one of those is to disable accounts. This works fine in a cloud only environment, however; I want to extend the disable account element to on-prem hybrid accounts. I've configured the API-driven provisioning to on-premises Active Directory enterprise app, installed the Entra provisioning agent, amended my logic app to utilise the provisioning endpoint, along with additional get user steps to pull properties such as userPrincipalName, ID, employeeID.

Using employeeID (the default mapping for the API-driven provisioning) then it works no problem. However, if I try to use any other valid attribute such as UPN, AccountName, ID etc, the provisioning app fails with:

Result: Failure

Description: Source identifier of an entry cannot be empty.

SkipReason: UnprocessableEntry

ErrorCode: EmptySourceIdentifier

ErrorMessage: Source identifier of an entry cannot be empty.

The sources I've used above are not empty, and I've confirmed this via GraphAPI, so I'm confused as to why this is happening. Again, employeeID works fine. The ID is reflected on both the cloud and on-prem accounts, so no different to the other attributes I have tried using.

Any help would be appreciated.

Answer 1

Hi @Andy Nicholls , check if the attribute you are trying to use is mapped correctly in the provisioning configuration. You can check this by going to the "Mappings" tab in the provisioning configuration and verifying that the attribute you want to use is mapped correctly.

Also check whether the attribute you are trying to use is required for provisioning. Some attributes may be required for provisioning to work correctly, so make sure that all required attributes are present and mapped correctly.

Please let me know your results and I can help you further.

Best,

James