Groups in AAD with the same name are cached as a combined single group in K2

  • 16 February 2021


Known Issue: Groups in AAD with the same name are cached as a combined single group in K2

KB003504

PRODUCT
K2 Five

Issue

Azure Active Directory allows groups with the same name but different members. Although the Azure Portal interface will not let you create two groups with the same name, a group with the same name as an existing group can be added in other ways, for example through the Azure AD Connect app, a PowerShell script, or by creating teams with the same name in Microsoft Teams. When a team is created in Microsoft Teams, the team name becomes the group name in Azure. Because Teams allows teams with the same name, this produces groups with the same name in Azure, which in turn causes an issue in K2 when group membership is synchronized.

For example: Your organization might have a group called OurTeam created through the Azure Portal interface, with users from your HR department as members. The Sales department creates a team in Teams called OurTeam, which creates a group in Azure with the name OurTeam. Your IT department creates a team called OurTeam using a PowerShell script. Now your Azure tenant has three groups all named OurTeam, but with different members.

The K2 Sync engine caches the groups correctly, but when the ETL process runs, the members of the groups are combined into a single group in the Identity schema because the DisplayName property of the three AAD groups is the same. In the example above, this means that the HR, Sales and IT members end up in a single group called OurTeam in K2.

It is best practice to have unique group names in your organization.

Resolution

If you experience the issue in your organization, follow these steps to correct group membership.

  1. To identify the duplicate group names, run this script against your K2 database:

     -- Find duplicate groups: active identities of type 3 (groups) that share the same
     -- provider, provider instance, name, display name and identifier name part.
     -- Any row returned has a [Count] greater than 1 and therefore needs attention.
     SELECT [P].[Name] AS [Provider],
            [PS].[Name] AS [ProviderInstance],
            [I].[ProviderInstanceID],
            [I].[Name] AS [GroupName],
            [I].[DisplayName],
            [I].[IdentifierNamePart],
            COUNT(*) AS [Count]
     FROM [SyncEngine].[Identity] AS I
     JOIN [SyncEngine].[ProviderInstance] AS PS ON [I].[ProviderInstanceID] = [PS].[ID]
     JOIN [SyncEngine].[Provider] AS P ON [PS].[ProviderID] = [P].[ID]
     WHERE [I].[Name] <> ''
       AND [I].[Type] = 3
       AND [I].[Status] = 1
     GROUP BY [P].[Name], [PS].[Name], [I].[ProviderInstanceID], [I].[Name], [I].[DisplayName], [I].[IdentifierNamePart]
     HAVING COUNT(*) > 1
     ORDER BY COUNT(*) DESC

  2. In Azure AD, rename duplicate groups so each group has a unique name.
  3. Wait for your scheduled AAD sync process, or manually perform a sync. Once the sync has completed, you should see separate groups with the correct memberships.
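Before renaming groups in step 2 it helps to know which Azure AD objects actually share a name and who is in each of them. The following PowerShell check is an added example, not part of the KB article; it assumes the AzureAD module is installed and a Connect-AzureAD session with permission to read groups and their members already exists. It lists every display name used by more than one group, with each group's ObjectId, mail nickname and member count, so the right group can be renamed.

```powershell
# Added example (not from the KB article). Assumes the AzureAD module and an
# existing Connect-AzureAD session with read access to groups and members.
function Get-DuplicateAadGroupNames {
    [CmdletBinding()]
    param(
        # Optional: restrict the check to a single display name, e.g. 'OurTeam'
        [string]$DisplayName
    )

    $groups = Get-AzureADGroup -All $true
    if ($DisplayName) {
        $groups = $groups | Where-Object { $_.DisplayName -eq $DisplayName }
    }

    # Group-Object compares names case-insensitively by default; keep only
    # display names that are used by more than one group object.
    $groups |
        Group-Object -Property DisplayName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $name = $_.Name
            foreach ($g in $_.Group) {
                $members = @(Get-AzureADGroupMember -ObjectId $g.ObjectId -All $true)
                [pscustomobject]@{
                    DisplayName   = $name
                    ObjectId      = $g.ObjectId
                    MailNickname  = $g.MailNickname
                    MemberCount   = $members.Count
                    # A few member names help identify which department owns the group
                    SampleMembers = ($members |
                        Select-Object -First 3 -ExpandProperty DisplayName) -join ', '
                }
            }
        }
}

# Usage: list all colliding group names with their members
Get-DuplicateAadGroupNames | Format-Table -AutoSize
```

Compare the ObjectId values from this output with the groups flagged by the K2 SQL query above to confirm every duplicate has been renamed before running the sync in step 3.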
