Error messages and problem solving

You might encounter some problems at run time. Use this information to resolve some of these common runtime problems.

Runtime problems and corrective actions are described in the following table.

Table 1. Runtime problems
Problem: Reconciliation does not return all Azure Active Directory accounts. Reconciliation is successful but some accounts are missing.

Corrective action: For the adapter to reconcile many accounts successfully, you must increase the WebSphere JVM memory. Do the following steps on the WebSphere host computer:
Note: Do not increase the JVM memory to a value higher than the system memory.
  1. Log in to the administrative console.
  2. Expand Servers in the left menu and select Application Servers.
  3. A table contains the names of known application servers on your system. Click the link for your primary application server.
  4. Select Process Definition from the Configuration tab.
  5. Select the Java Virtual Machine property.
  6. Enter a new value for the Maximum Heap Size. The default value is 256 MB.

If the allocated JVM memory is not large enough, an attempt to reconcile many accounts with the adapter results in log file errors, and the reconciliation process fails.

The adapter log files contain entries that state ErmPduAddEntry failed. The WebSphere_install_dir/logs/itim.log file contains java.lang.OutOfMemoryError exceptions.

Problem: The Azure API returns the following error:

Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration

Corrective action: This error indicates that the Azure AD adapter is trying to update an account that is synced with Windows AD. Accounts that are synced with Windows AD cannot be updated from the Azure AD adapter, which uses the Graph API.

Problem: The following error is returned:

Failed to modify additional attributes [businessPhones]. as they are not exist in configuration file.Azure message.

Corrective action: This error indicates that you are trying to update an attribute (here, businessPhones) that does not exist in the AzureAD-Attributes.properties file. To update that property, add the attribute to the AzureAD-Attributes.properties file.

Problem: The following error is returned:

Not Supported Attributes From File are: userType

Corrective action: This error indicates that you added an attribute to the AzureAD-Attributes.properties file that is not supported in that file. Remove that attribute.

See Table 2 for all attributes that are supported in the attribute properties file.

Problem: Too many Request error

Corrective action:
  • Review the Additional Attributes properties file for added attributes. Retain only the necessary ones; remove those that are not.
  • If present in the Additional Attributes properties file, remove the SignInActivity attribute.
  • See Service Tuning for further configuration details.
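
The following triage script is an added example, not part of the adapter or of the original documentation. It matches the error strings listed in Table 1 against log lines and reports the corrective action and the affected attribute names. The sample lines, their timestamp layout, and the function name triage are assumptions made for illustration.

```python
import re

# Signatures quoted from Table 1; each maps to the table's corrective action.
RULES = [
    ("heap", re.compile(r"java\.lang\.OutOfMemoryError|ErmPduAddEntry failed"),
     "Increase the WebSphere JVM Maximum Heap Size (not above system memory)."),
    ("synced_account",
     re.compile(r"Unable to update the specified properties for on-premises mastered"),
     "Account is synced with Windows AD; it cannot be updated from the adapter."),
    ("missing_attr", re.compile(r"Failed to modify additional attributes \[([^\]]*)\]"),
     "Add the attributes to AzureAD-Attributes.properties."),
    ("unsupported_attr", re.compile(r"Not Supported Attributes From File are:\s*([\w, ]+)"),
     "Remove the attributes from AzureAD-Attributes.properties."),
    ("throttled", re.compile(r"too many requests?", re.IGNORECASE),
     "Keep only necessary additional attributes; remove SignInActivity if present."),
]

def triage(lines):
    """Return {finding: {"count", "attributes", "action"}} for every matched rule."""
    findings = {}
    for line in lines:
        for name, pattern, action in RULES:
            match = pattern.search(line)
            if not match:
                continue
            entry = findings.setdefault(
                name, {"count": 0, "attributes": [], "action": action})
            entry["count"] += 1
            # Rules with a capture group carry the attribute names to add or remove.
            if match.groups() and match.group(1):
                for attr in re.split(r"[,\s]+", match.group(1).strip()):
                    if attr and attr not in entry["attributes"]:
                        entry["attributes"].append(attr)
    return findings

# Constructed sample: line layout is an assumption, message texts come from Table 1.
SAMPLE = [
    "2024-01-01 10:00:00 ERROR java.lang.OutOfMemoryError: Java heap space",
    "2024-01-01 10:00:01 ERROR ErmPduAddEntry failed",
    "2024-01-01 10:05:00 ERROR Failed to modify additional attributes [businessPhones]. "
    "as they are not exist in configuration file.",
    "2024-01-01 10:06:00 ERROR Not Supported Attributes From File are: userType",
    "2024-01-01 10:07:00 ERROR Too many Request error",
    "2024-01-01 10:08:00 INFO Reconciliation completed",
]

if __name__ == "__main__":
    for name, entry in triage(SAMPLE).items():
        print(name, entry["count"], entry["attributes"], entry["action"])
```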

Table 2. Invalid Group attribute value combinations and their error messages
  • Mail Nick Name has to be unique for Microsoft 365 type of groups.
  • The adapter supports read-only access to Distribution and Mail-Enabled Security Group.

| groupType | visibility | isAssignableToRole | securityEnabled | ResponseCode | Error |
| Security | Public | true | true | 400 | Visibility can only be set to Private for groups assignable to role. |
| Security | HiddenMembership | true | true | 400 | Visibility can only be set to Private for groups assignable to role. |
| Security | HiddenMembership | | true | 400 | HiddenMembership is only supported on Unified groups. |
| Security | Private | false | false | 400 | The service does not currently support writes of mail-enabled groups. Ensure that the mail-enablement property is unset and the security-enablement property is set. |
| Microsoft 365 | HiddenMembership | true | true | 400 | HiddenMembership cannot be set on security enabled groups. |
| Microsoft 365 | Public | true | true | 400 | Visibility can only be set to Private for groups assignable to role. |
| Microsoft 365 | Private | | false | 400 | SecurityEnabled should be set to true for groups assignable to role. |