Azure AD SCIM: SystemForCrossDomainIdentityManagementMultipleEntriesInResponse - azure-active-directory

We're using Azure AD as the Identity Provider for User Provisioning into our system.
We have started getting this error of late.
EntrySynchronizationError
Result: Failure
Description: Failed to match an entry in the source and target systems User 'XXX@XXX.com'
ErrorCode: SystemForCrossDomainIdentityManagementMultipleEntriesInResponse
There has been no change in our SCIM server code. The error message is obviously stating that it's fetching more than one entry when it should return one, but in reality there is no user with the said username, and Azure AD should be sending a request to create a new one.
This is happening under the action "Other"; I'm guessing it's a GET.
Any idea on what's going wrong here?

A GET operation with a filter (i.e. GET /Users?filter=userName eq "Test_User_dfeef4c5-5681-4387-b016-bdf221e82081") is expected to return either 0 or 1 result, but is receiving more than one result. Either your provisioning configuration is matching on an attribute that is not uniqueness-constrained (i.e. department eq "Sales"), or there's a problem with your logic for returning filtered results.
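As an added example (not from the original post and not Azure AD's or any SCIM library's code), a minimal Python handler for the filtered GET /Users lookup described above, plus a pre-flight audit that finds the duplicate matching-attribute values which make such a lookup return more than one entry. The user store is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample SCIM user store; the two "alice" rows differ only in case,
# which is exactly the kind of duplicate that makes one filter return 2 entries.
USERS = [
    {"id": "1", "userName": "alice@example.com", "active": True},
    {"id": "2", "userName": "Alice@Example.com", "active": True},
    {"id": "3", "userName": "bob@example.com", "active": True},
]

# Azure AD provisioning matches with a single equality filter: attr eq "value"
_EQ_FILTER = re.compile(r'^\s*([A-Za-z][\w.]*)\s+eq\s+"([^"]*)"\s*$')


def parse_eq_filter(filter_expr: str) -> Tuple[str, str]:
    """Return (attribute, value) for a SCIM 'attr eq "value"' filter; reject anything else."""
    m = _EQ_FILTER.match(filter_expr)
    if not m:
        raise ValueError(f"unsupported SCIM filter: {filter_expr!r}")
    return m.group(1), m.group(2)


def scim_list_users(users: List[Dict], filter_expr: str) -> Dict:
    """Server side of GET /Users?filter=...; userName is caseExact=false in RFC 7643,
    so the comparison is case-insensitive, which is why both duplicate rows match."""
    attr, value = parse_eq_filter(filter_expr)
    hits = [u for u in users if str(u.get(attr, "")).lower() == value.lower()]
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        "totalResults": len(hits),
        "Resources": hits,
    }


def find_duplicate_keys(users: List[Dict], attr: str) -> Dict[str, List[str]]:
    """Pre-flight audit: map each matching-attribute value (case-folded) to the ids
    that share it, keeping only values held by more than one user. Every entry here
    will produce MultipleEntriesInResponse when Azure AD looks that user up."""
    by_value: Dict[str, List[str]] = {}
    for u in users:
        by_value.setdefault(str(u.get(attr, "")).lower(), []).append(u["id"])
    return {v: ids for v, ids in by_value.items() if len(ids) > 1}


if __name__ == "__main__":
    print(scim_list_users(USERS, 'userName eq "alice@example.com"')["totalResults"])  # 2
    print(find_duplicate_keys(USERS, "userName"))  # {'alice@example.com': ['1', '2']}
```

Running find_duplicate_keys over the real store for whichever attribute the provisioning app is configured to match on tells you whether the problem is in the data or in the filter logic.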

Related

SalesForce HealthCloud FieldPermissions not available from API query

Am I crazy, or are all the HealthCloud field permissions just unavailable to be queried via the REST API SOQL calls?
If I issue this query in the developer console:
SELECT Id, SobjectType, Field, PermissionsEdit, PermissionsRead FROM FieldPermissions where SObjectType = 'PlanBenefitItem'
It returns exactly what I expect it to return: data about the fields and permissions. Issuing it via the API returns no records at all. I've checked all the object permission stuff because there are some weird rules about showing and not showing row data, but all of that seems fine, and I wouldn't expect any return in the dev console if it weren't the case.
Is there something I'm missing here?

Error in Salesforce flow: INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY

Error detected during debug:
Create one OpportunityLineItem record where
OpportunityId = {!$Record.ConvertedOpportunityId} (null)
Product2Id = {!get_related_Product.Id} (01t5j000000I80nAAC)
Quantity = {!DefaulQuantityOfProduct} (1)
TotalPrice = {!TotalPriceDefaultForNewOpp} ($637.54)
Result
Info
Failed to create record.
Info
Error Occurred:
This error occurred when the flow tried to create records: INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY: insufficient access rights on cross-reference id. You can look up ExceptionCode values in the SOAP API Developer Guide.
Manually or using Apex, I can add a record. The fields that I add (OpportunityId, Quantity, TotalPrice, Product2Id) are not read-only. I need a detailed answer. Am I missing some permission?
[Screenshots: 1 flow schema, 2 trigger condition, 3 get related record, 4 create new record]
OpportunityId = {!$Record.ConvertedOpportunityId} (null)
This looks like the opportunity doesn't exist yet (got any errors? Do you always create them, or only when a certain condition is met? Did it fail?). Or it exists but has just been inserted, and SF didn't manage to update the Lead with the Id yet? Maybe add entry criteria that check whether the field is populated.
Lead conversion is a bit of a nasty topic; see https://salesforce.stackexchange.com/questions/3956/lead-conversion-trigger-order-of-execution
Actually, you might be better off on SF StackExchange: there are more admins over there, and flows are a no-code solution, so not a good fit for StackOverflow?

Azure AD Get Members using Logic apps

I want to get all group members in an Azure AD group. There are 5000 users. I'm only getting 500 users using the Azure AD connector "Get group members". How can I do it in a loop so that it will move on to users 101 to 200, and so on all the way through? Any suggestions?
It is a bit more involved, but what you need to do is get the raw response. The Azure AD connector is essentially a Graph API call, so when you call it, it'll get some maximum number of users, but the response will also contain a URL in the @odata.nextLink field. This field contains the URL to the next page of results. So in Logic Apps or Flow, you first need a return-list variable, then create a loop that keeps going while @odata.nextLink is not null, iterating and adding each page's results to the return-list variable until you reach the end, then return the return-list variable.
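The nextLink loop described in this answer, as an added Python example (not from the original answer, the Azure AD connector, or Microsoft's Graph SDK). The three-page response and the GROUP-ID URL are constructed sample data; fake_graph_get stands in for an authenticated HTTP GET.

```python
from typing import Callable, Dict, List

FIRST_URL = "https://graph.microsoft.com/v1.0/groups/GROUP-ID/members?$top=2"
PAGE2 = FIRST_URL + "&$skiptoken=page2"
PAGE3 = FIRST_URL + "&$skiptoken=page3"

# Constructed three-page Graph response (sample data, not a real tenant).
# Only the last page lacks "@odata.nextLink".
PAGES: Dict[str, Dict] = {
    FIRST_URL: {"value": [{"id": "u1"}, {"id": "u2"}], "@odata.nextLink": PAGE2},
    PAGE2: {"value": [{"id": "u3"}, {"id": "u4"}], "@odata.nextLink": PAGE3},
    PAGE3: {"value": [{"id": "u5"}]},
}


def fake_graph_get(url: str) -> Dict:
    """Stand-in for an authenticated GET against Graph (e.g. requests.get with a
    bearer token); it just serves the constructed pages above."""
    return PAGES[url]


def get_all_members(first_url: str, graph_get: Callable[[str], Dict] = fake_graph_get,
                    max_pages: int = 1000) -> List[Dict]:
    """Follow @odata.nextLink until it is absent, accumulating every page's 'value'.
    The nextLink is opaque and must be requested verbatim, never rebuilt from $skip.
    A seen-set and a page cap guard against a malformed or looping link chain."""
    members: List[Dict] = []
    seen = set()
    url = first_url
    while url:
        if url in seen:
            raise RuntimeError(f"nextLink loop detected at {url}")
        if len(seen) >= max_pages:
            raise RuntimeError(f"gave up after {max_pages} pages")
        seen.add(url)
        page = graph_get(url)
        members.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # None on the final page ends the loop
    return members


if __name__ == "__main__":
    print([m["id"] for m in get_all_members(FIRST_URL)])  # ['u1', 'u2', 'u3', 'u4', 'u5']
```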

Microsoft Graph - Filtering users by X500 proxyAddress

Is it possible to query for users, filtered by an X500 proxy address?
Using the following query which filters by an SMTP address, I can return all of my proxy addresses:
/v1.0/users/?$filter=proxyAddresses/any(x:x eq 'smtp:me@here.com')&$select=proxyAddresses
However, if I take one of the X500 addresses that was returned in the above query and try and filter by that:
/v1.0/users/?$filter=proxyAddresses/any(x:x eq 'x500:/o=ExchangeLabs/ou=Exchange Administrative Group (blahblah)/cn=Recipients/cn=trimmed')&$select=proxyAddresses
then I get a 400:
{
  "error": {
    "code": "Request_UnsupportedQuery",
    "message": "Unsupported or invalid query filter clause specified for property 'proxyAddresses' of resource 'User'.",
    "innerError": {
      "request-id": "adcdefg",
      "date": "2019-01-01T01:01:01"
    }
  }
}
I've tried URL encoding the address, and also tried with and without the "X500:" scheme.
Is filtering by X500 address supported?
I am able to use X500 addresses as filters without any modification to the address from a clone of Graph Explorer. The following queries both return the correct user record:
https://graph.microsoft.com/v1.0/users/?$filter=proxyAddresses/any(x:x eq 'x500:/o=Company Exchange/ou=First Administrative Group/cn=Recipients/cn=UIDHere')&$select=proxyAddresses
and
https://graph.microsoft.com/v1.0/users/?$filter=proxyAddresses/any(x:x eq 'X500:/o=Company Exchange/ou=External (FYDIBOHF25SPDLT)/cn=Recipients/cn=z804261192zc46c4az4f6032z322540z')&$select=proxyAddresses
Like Lisa, this is not about parentheses. I have Any lambda queries on proxyAddresses using X500 addresses containing parentheses that work just fine in Graph Explorer.
I suspect that the issue is actually the size of the search string. I can repro the error if the size of the search string is greater than 120 characters.
I'm following up with the engineering team.
In the meantime Paul, as a workaround (and excuse my lack of X500 knowledge), is there a way to query using the shortest X500 string?
Hope this helps,
As Dan Kershaw answered, this does seem to be a hard-coded limit of 120 characters in the email address being filtered on.
A simple workaround is to trim the email address (including the scheme, "x500:" or "smtp:") to 120 characters and search using a "startswith":
/v1.0/users/?$filter=proxyAddresses/any(x:startswith(x, 'x500:/o=ExchangeLabs/ou=Exchange Administrative Group (blahblah)/cn=Recipients/cn=trimmed'))&$select=proxyAddresses
This may return more than one match, so it's then a case of looking through each returned user's "proxyAddresses" collection to see which one matches the original untrimmed email address being searched for.
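The two-step workaround above, as an added Python example (not from the original answer and not Microsoft's code): build the trimmed startswith filter, then post-filter the returned users for the exact untrimmed address. The X500 string and the two users are constructed sample data, and the Graph call is simulated rather than made.

```python
from typing import Dict, List

MAX_FILTER_VALUE = 120  # limit reported in this thread for a proxyAddresses filter value

# Constructed sample data (not from a real tenant). LONG_X500 exceeds 120 characters,
# so an exact 'eq' filter on it fails with Request_UnsupportedQuery.
LONG_X500 = ("x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)"
             "/cn=Recipients/cn=0123456789abcdef0123456789abcdef-alice")
USERS = [
    {"id": "a", "proxyAddresses": ["SMTP:alice@example.com", LONG_X500]},
    # shares the first 120 characters with LONG_X500, so startswith matches it too
    {"id": "b", "proxyAddresses": ["SMTP:bob@example.com", LONG_X500[:120] + "f-bob"]},
]


def build_proxy_address_filter(address: str) -> str:
    """Use 'eq' when the address fits the limit; otherwise trim to 120 characters
    (scheme included) and use startswith. A literal quote is doubled per OData."""
    fits = len(address) <= MAX_FILTER_VALUE
    value = (address if fits else address[:MAX_FILTER_VALUE]).replace("'", "''")
    if fits:
        clause = f"proxyAddresses/any(x:x eq '{value}')"
    else:
        clause = f"proxyAddresses/any(x:startswith(x, '{value}'))"
    return f"/v1.0/users?$filter={clause}&$select=id,proxyAddresses"


def simulate_startswith(users: List[Dict], address: str) -> List[Dict]:
    """What Graph returns for the startswith filter: every user with any
    proxyAddress beginning with the trimmed prefix (possibly several users)."""
    prefix = address[:MAX_FILTER_VALUE].lower()
    return [u for u in users
            if any(p.lower().startswith(prefix) for p in u.get("proxyAddresses", []))]


def match_exact_proxy_address(candidates: List[Dict], address: str) -> List[Dict]:
    """Client-side second step: keep only users whose proxyAddresses collection holds
    the full untrimmed address (case-insensitive, since the scheme appears as smtp:/SMTP:)."""
    wanted = address.lower()
    return [u for u in candidates
            if any(p.lower() == wanted for p in u.get("proxyAddresses", []))]


if __name__ == "__main__":
    hits = simulate_startswith(USERS, LONG_X500)  # both users come back
    print([u["id"] for u in match_exact_proxy_address(hits, LONG_X500)])  # ['a']
```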
I can confirm that this is still an issue as of today's date.
I'm actually using the AzureAD PowerShell cmdlets, which leverage the Graph API.
I couldn't figure out why my query was failing until I found this thread, so thanks for that.
I was getting essentially the same error message in PowerShell:
"Unsupported or invalid query filter clause specified for property 'proxyAddresses' of resource 'Group'."
When I took a substring of the first 120 characters and ran a startsWith, it worked fine.
It's a shame that this issue still hasn't been resolved.

Is it possible to check if a User is Locked Out?

Using the Salesforce Web Services API is it possible to check (or query) if a User is Locked Out (if they have attempted to log in unsuccessfully too many times and are therefore blocked from logging in)?
Although there is no specific field on the User object to indicate that they are locked out, you can query the LoginHistory object.
SELECT Id, UserId, LoginTime, Status FROM LoginHistory
WHERE UserId = 'xxxxxxxxx' ORDER BY LoginTime DESC LIMIT 20
Then loop through the results, checking the value of the Status field. If the user has been locked out, the most recent login attempts will have a value of "Password Lockout" in this field.
Other possible values of this Status field include:
Success
User is Inactive
Invalid Password
Failed: API security token required
Failed: Computer activation pending
Failed: Computer activation required
Failed: Invalid Timestamp
Failed: Mobile License Required
Nevermind; I found the answer.
It says in the documentation:
The password lockout status and the ability to reset the User locked-out status is not available via the API. You must check and reset the User password lockout status using the user interface.
For admin users, it's now possible to unlock users on iPhone / iPad via the SalesforceA mobile app. https://itunes.apple.com/au/app/salesforcea/id731117958?mt=8
In Apex, I can check the IsPasswordLocked field on the UserLogin object to see whether a User is locked out or not by using the following SOQL:
[SELECT IsPasswordLocked FROM UserLogin
WHERE UserId = 'ENTER YOUR USER ID HERE'];
