This article provides a solution to a common issue encountered when synchronizing roles with user creation in Azure using Identity Manager. The issue arises when attempting to create Azure Guest emails, resulting in a "Not Found" error.
When trying to synchronize roles with user creation in Azure, the process fails with the following error:
JCS@jcshostname: AzureRest: Not Found, Detailed Error: {"error":{"code":"Request_ResourceNotFound","message":"Resource '[email protected]' does not exist or one of its queried reference-property objects are not present.","innerError":{"date":"202-03-25T20:32:39","request-id":"4ae1b522-e5a8-4f84-a423-101ff36fddb6","client-request-id":"4ae1b522-e5a8-4f84-a423-101ff36fddb6"}}}
CA Identity Manager on vApp 14.5.1 CHF01
Microsoft Azure endpoint
The issue occurs because the email address provided (e.g., [email protected]) is not in the format that Microsoft Azure expects for the IM Account Template Account field. The email address needs to be formatted as emailsample@#EXT#@companyname.onmicrosoft.com.
To resolve this issue, you need to use the REPLACEFIRST function in the Account ID rule string. This built-in rule function replaces the first occurrence of the matching substring with the replacement string. In this case, it replaces the first occurrence of "@" in the guest user email address with "_".
Example:
guest.user_gmail.com#EXT#@myCompany.onmicrosoft.com
To match the Identity Manager Account ID with the Microsoft Entra ID userPrincipalName format, you must enter the Account ID in the following format:
Format: %$$REPLACEFIRST(<rule_string>,@,_)%#EXT#@<domain>.com
Example: %$$REPLACEFIRST(%AC%,@,_)%#EXT#@myCompany.onmicrosoft.com
In this example, the guest e-mail in Azure will be created as [email protected]#EXT#@myCompany.onmicrosoft.com, with the formatting determined by the REPLACEFIRST function in the Account ID rule string.
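The following Python sketch is an added example, not Identity Manager code or part of the original article. It mimics the rule string above so that Account ID values can be checked before they reach the Azure endpoint. The function names, the classification labels and the sample values are assumptions made for illustration.

```python
EXT = "#EXT#"

def replace_first(value: str, match: str, replacement: str) -> str:
    """Mimic REPLACEFIRST as the article describes it:
    only the first occurrence of `match` is replaced."""
    return value.replace(match, replacement, 1)

def guest_account_id(email: str, tenant_domain: str) -> str:
    """Equivalent of %$$REPLACEFIRST(%AC%,@,_)%#EXT#@<tenant_domain>."""
    email = email.strip()
    if EXT in email:
        raise ValueError(f"already in guest form: {email!r}")
    if email.count("@") != 1:
        raise ValueError(f"expected exactly one '@': {email!r}")
    return f"{replace_first(email, '@', '_')}{EXT}@{tenant_domain}"

def classify(account_id: str, tenant_domain: str) -> str:
    """Label an Account ID value before it is sent to the Azure endpoint."""
    local, sep, domain = account_id.rpartition("@")
    if not sep:
        return "invalid"
    if domain.lower() != tenant_domain.lower():
        return "raw-external-email"  # unconverted address, the failing case
    if local.endswith(EXT) and "@" not in local:
        return "guest-upn"           # matches the expected guest format
    return "tenant-member-or-malformed"

# Constructed sample values (not taken from a real tenant).
TENANT = "myCompany.onmicrosoft.com"
SAMPLES = [
    "guest.user@gmail.com",
    "guest.user_gmail.com#EXT#@myCompany.onmicrosoft.com",
    "employee@myCompany.onmicrosoft.com",
]

def report(samples=SAMPLES, tenant=TENANT):
    """Return (original, classification, value to use) for each sample."""
    rows = []
    for value in samples:
        kind = classify(value, tenant)
        fixed = guest_account_id(value, tenant) if kind == "raw-external-email" else value
        rows.append((value, kind, fixed))
    return rows

if __name__ == "__main__":
    for row in report():
        print(*row, sep=" | ")
```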
Consult the docops page Azure User Types for further reference.