You are viewing the Kantega SSO legacy documentation. The new documentation site is:

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

In version 3.4.17, we changed the APIs we use to fetch group memberships from Azure AD. For some directories Azure AD now requires the permission Directory.Read.All.

The error you will see in your logs if you need to add this permission is:

Code Block
ERROR [o.k.a.connector.crowdserver.CrowdApiHandler] Exception occurred handling API call GET /rest/rest/usermanagement/1/group/membership for connector ''
org.kantega.atlaskerb.connector.api.JsonException: HTTP 403 '403' {"error":{"code":"Authorization_RequestDenied","message": "Insufficient privileges to complete the operation.","innerError": ...

The easiest way of adding this is using the new App Registrations (preview) blade in :


Open Connector you created before, and go to the "API permissions" menu:

If Directory.Read.All is not there, use "Add a permission" at the top. Then select "Microsoft Graph" then "Application Permissions" in the blade that pops up. In the search field, enter Directory.Read.All and then save and close the blade.

You may now need to reload the API permissions page from before. Then finally click "Grant admin consent" to activate the permissions.
It may take a couple of minutes for this to take effect due to caching, but connector sync should now hopefully work.