You are viewing the Kantega SSO legacy documentation. The new documentation site is:

In version 3.4.17, we changed the APIs we use to fetch group memberships from Azure AD. For some directories Azure AD now requires the permission Directory.Read.All.

The error you will see in your logs if you need to add this permission is:

ERROR [o.k.a.connector.crowdserver.CrowdApiHandler] Exception occurred handling API call GET /rest/rest/usermanagement/1/group/membership for connector ''
org.kantega.atlaskerb.connector.api.JsonException: HTTP 403 '403' {"error":{"code":"Authorization_RequestDenied","message": "Insufficient privileges to complete the operation.","innerError": ...

The easiest way to add it is through the new App Registrations (preview) blade in :


Open the Connector you created before, and go to the "API permissions" menu:

If Directory.Read.All is not listed, use "Add a permission" at the top. Then select "Microsoft Graph" and then "Application Permissions" in the blade that pops up. In the search field, enter Directory.Read.All, then save and close the blade.

You may now need to reload the API permissions page from before. Finally, click "Grant admin consent" to activate the permissions.
It may take a couple of minutes for this to take effect due to caching, but connector sync should now hopefully work.
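
To confirm that the consent has taken effect, you can inspect an access token issued to the connector's app registration: application permissions appear in the token's roles claim. The Python check below is an added example, not part of Kantega SSO or the original page; it assumes you have obtained a Microsoft Graph token for the app registration yourself, and the sample tokens in it are constructed and unsigned.

```python
import base64
import json

REQUIRED = "Directory.Read.All"  # application permission named on this page


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_graph_permission(token: str, required: str = REQUIRED) -> str:
    """Return 'granted', 'missing' or 'delegated-token' for an access token."""
    claims = jwt_claims(token)
    roles = claims.get("roles") or []  # treat an absent roles claim as no roles
    if required in roles:
        return "granted"
    if "scp" in claims and not roles:
        # scp holds delegated (user) scopes: this is not an app-only token,
        # so it says nothing about the connector's application permissions.
        return "delegated-token"
    return "missing"


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real one)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    samples = {
        "after consent": {"roles": ["Directory.Read.All"]},
        "before consent": {"aud": "https://graph.microsoft.com"},
        "user token": {"scp": "Directory.Read.All User.Read"},
    }
    for label, claims in samples.items():
        print(f"{label}: {check_graph_permission(constructed_token(claims))}")
```

A result of "missing" on a freshly issued token means the 403 Authorization_RequestDenied error above will persist; request a new token after the caching delay rather than reusing an old one.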
