'AuditLog.Read.All' permission now required for AAD sync in 9.2
Description
After upgrading to version 9.2, when running an Azure AD synchronization the following error may be encountered:
"Calling principal does not have required MSGraph permissions AuditLog.Read.All"
The following error may also be displayed:
'Neither tenant is B2C or tenant doesn't have premium license'
Cause
This requirement was introduced by enhancement #33776, which added the ability to read lastSignInDateTime for AADUser. Using the four new attributes introduced by that enhancement also requires an Azure AD Premium license for the tenant; without one, Microsoft Graph returns the 'Neither tenant is B2C or tenant doesn't have premium license' error shown above.
Resolution
After the 'AuditLog.Read.All' permission has been assigned to the application used for the synchronization (and admin consent granted), the synchronization should complete successfully.
If the tenant does not have a premium license, it is recommended to delete the mappings for the four properties:
Deleting these mappings only makes the synchronization work. Viewing such objects in the target system browser still requires the permission on the Azure side, because the target system browser loads all available properties, not only the mapped ones, so the error will still occur there if the permission is not set.
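The following PowerShell script is an added example and is not part of the original article or of the product; it shows the two checks described above, using the Microsoft.Graph PowerShell SDK: it grants the Microsoft Graph application permission AuditLog.Read.All to the service principal of the synchronization's app registration (the programmatic equivalent of granting admin consent), and then verifies that sign-in activity can actually be read, catching the premium-license error so that the administrator knows whether to remove the property mappings instead. The $SyncAppId parameter is a placeholder for the Application (client) ID of the app registration used by the synchronization; the well-known appId of Microsoft Graph is the only identifier taken from outside the article.

```powershell
# Added example (not from the original KB article or the product).
# Requires the Microsoft.Graph PowerShell SDK: Install-Module Microsoft.Graph
# and an account that may create app role assignments (e.g. Global Administrator).
param(
    [Parameter(Mandatory = $true)]
    [string]$SyncAppId   # placeholder: Application (client) ID of the sync app registration
)

$GraphResourceAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph
$RequiredRole       = 'AuditLog.Read.All'

# Delegated scopes needed by the administrator running this script:
# the first two to read service principals and create the role assignment,
# the last two to perform the verification read of signInActivity.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All',
                        'User.Read.All', 'AuditLog.Read.All' | Out-Null

$syncSp  = Get-MgServicePrincipal -Filter "appId eq '$SyncAppId'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphResourceAppId'"
if (-not $syncSp)  { throw "No service principal found for appId $SyncAppId." }
if (-not $graphSp) { throw "Microsoft Graph service principal not found in this tenant." }

# Application (not delegated) permissions are exposed as app roles on the Graph service principal.
$role = $graphSp.AppRoles |
    Where-Object { $_.Value -eq $RequiredRole -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $role) { throw "App role $RequiredRole not found on Microsoft Graph." }

# Check whether the sync app already holds the role before assigning it again.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $syncSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id -and $_.AppRoleId -eq $role.Id }

if ($existing) {
    Write-Host "$RequiredRole is already granted to '$($syncSp.DisplayName)'."
} else {
    # Creating the app role assignment is the programmatic equivalent of 'Grant admin consent'
    # for an application permission in the Azure portal.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $syncSp.Id `
        -PrincipalId $syncSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted $RequiredRole to '$($syncSp.DisplayName)'."
}

# Verification: reading signInActivity is the operation that needs AuditLog.Read.All
# and an Azure AD Premium license. The read here runs under the administrator's own
# delegated identity, so it checks the tenant license, not the sync app's permission.
try {
    $user = Get-MgUser -Top 1 -Property 'Id', 'UserPrincipalName', 'SignInActivity'
    Write-Host ("Sign-in activity is readable; last sign-in of {0}: {1}" -f
        $user.UserPrincipalName, $user.SignInActivity.LastSignInDateTime)
} catch {
    if ($_.Exception.Message -match 'premium license') {
        Write-Warning ("Tenant has no Azure AD Premium license. The synchronization will only " +
                       "succeed after the mappings for the sign-in activity properties are removed.")
    } else {
        throw
    }
}
```

Run it once per tenant after the 9.2 upgrade; if the warning is printed, remove the four property mappings as described above rather than retrying the synchronization.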
It has also been observed that, when read-only permissions are used, the authentication method "Authenticate as web application with…" must be selected. "Authenticate as mobile device or desktop application" may not work with read-only permissions.