on ‎2023 Aug 10 1:41 PM
I am experiencing severe performance issues (< 1 hour) when trying to access the Microsoft Azure AD SaaS with https://graph.microsoft.com from the BTP, Identity Provisioning. When accessing Microsoft OnPremise AD via a Cloud Connector the response times are around 10 minutes.
Is this a known issue with connections BTP to AzureAD?
Hi Sonia,
Ticket 689014 / 2023
First, please understand that the technical reason for the performance issue is the missing feature of Azure AD, which is explained in the KBA.
3277026 - Performance issue while provisioning users from Azure AD
MS Graph API User endpoint does not provide an option to filter users by group, so if there is no filter defined for users (property aad.user.filter), all users will be read and this takes a long time.
So IPS implemented aad.user.filter.group.filter.combine as a workaround for the missing feature of Azure AD, but the cost is the performance.
It means, if you want to get the same result as IPS in a third-party tool, it will cost similar or even more time than IPS.
As another workaround I would suggest that you check the following part of the KBA.
To avoid reading all users, set a filter using property aad.user.filter, instead of using aad.user.filter.group.filter.combine=true and aad.group.filter.
You may find a common attribute value for the users you want to provision and use it as filter, or add a new attribute to all these users and filter them by it.
All in all, not very helpful. I am not sure why it would be such a weird customer request to select all users belonging to a certain group filtered by aad.group.filter. Seems like in SQL everybody could write the statement in a second. And I am not really convinced that the API given by Microsoft Azure does not support such a statement. But that is the drag with standard software: you are doomed to have the standard software developer understand what you really need.
But thanks for answering anyway. I am surprised not to be alone in the world.
Martin
Hello Martin,
No, there were no known issues. I hope this is no longer the case. For investigations connected to performance problems in your tenants, I recommend opening a ticket on the BC-IAM-IPS component.
Kind Regards,
Sonia