The BETA version of the Azure AD (AAD) API allows groups to be assigned to directory roles. If such role assignments are read in during synchronization, the following error occurs:
Error executing projection step (DirectoryRole) of projection configuration (Initial Synchronization (Initial Synchronization)). VI.Base.ViException: Error executing projection step (DirectoryRole) of projection configuration (Initial Synchronization (Initial Synchronization)). ---> VI.Base.ViException: Error executing synchronization step (DirectoryRole)! ---> System.AggregateException: One or more errors occurred. ---> VI.Base.ViException: The mapping rule (vrtMember_Members) was unable to execute synchronization between system objects (Application Administrator) and (Application Administrator) successfully! ---> VI.Base.ViException: Could not create matching member system objects for the other side of the target system for 1 system objects of schema type (Group).
We currently only support users as members, and only these are read in during the sync.
This is a product defect (33399).
WORKAROUND:
Define a whitelist on the member mapping (vrtMember_Members) of the DirectoryRole mapping so that only objects of schema type User are allowed as members. This is exactly what the fix will do.
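To find out which directory roles are affected before the synchronization runs, an administrator can inspect each role's members from the Graph BETA endpoint and separate users from any other member type. The following Python is an added example and is not part of this article or of the One Identity product; the response body below is constructed to mirror the documented Graph shape (members are discriminated by the @odata.type property), and the object ids and display names in it are made up.

```python
import json

# Constructed sample of a GET /beta/directoryRoles/{id}/members response.
# Only the "@odata.type" discriminator matters here; ids and names are invented.
SAMPLE_MEMBERS_RESPONSE = json.dumps({
    "value": [
        {
            "@odata.type": "#microsoft.graph.user",
            "id": "00000000-0000-0000-0000-000000000001",
            "displayName": "Alice Example",
            "userPrincipalName": "alice@example.invalid",
        },
        {
            "@odata.type": "#microsoft.graph.group",
            "id": "00000000-0000-0000-0000-000000000002",
            "displayName": "App Admins (group)",
        },
        {
            "@odata.type": "#microsoft.graph.servicePrincipal",
            "id": "00000000-0000-0000-0000-000000000003",
            "displayName": "Automation SP",
        },
    ]
})

USER_TYPE = "#microsoft.graph.user"


def partition_role_members(response_json: str):
    """Split a directory role members response into (users, non_users).

    Mirrors what the whitelist workaround does on the mapping: only members
    whose type is User are kept for synchronization, everything else is set aside.
    """
    members = json.loads(response_json).get("value", [])
    users = [m for m in members if m.get("@odata.type") == USER_TYPE]
    non_users = [m for m in members if m.get("@odata.type") != USER_TYPE]
    return users, non_users


def role_is_sync_safe(response_json: str) -> bool:
    """True when the role has only User members, i.e. the mapping rule cannot hit the Group error."""
    _, non_users = partition_role_members(response_json)
    return not non_users


def describe_blocking_members(response_json: str):
    """Return (displayName, type) pairs for members the sync cannot match, for reporting."""
    _, non_users = partition_role_members(response_json)
    return [(m.get("displayName", "?"), m.get("@odata.type", "?").rsplit(".", 1)[-1])
            for m in non_users]


if __name__ == "__main__":
    for name, kind in describe_blocking_members(SAMPLE_MEMBERS_RESPONSE):
        print(f"non-user member would block DirectoryRole sync: {name} ({kind})")
```

Run this over the real members response of each role (the same JSON the BETA endpoint returns) to list the roles that still carry group or service principal assignments; those are the roles for which the whitelist on vrtMember_Members matters until the defect is fixed.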
STATUS:
This will be fixed in a future release of the product. If you require this immediately corrected, please contact support for a hotfix referencing the defect ID 33399.
© 2025 One Identity LLC. ALL RIGHTS RESERVED.