Lately, I have been working a lot in Sitecore environments integrated with Azure AD and last week while troubleshooting a permission issue which I couldn’t reproduce using my user.

After struggling a bit, I decided to compare the problematic user with mine and move forward from there.

Azure AD membership

I want to check which groups I belong that are different from the problematic user, and vice-versa. In order to have a better overview I executed the following Powershell that highlights the differences between two users

Please note the Powershell script below shows ALL Azure AD groups and not just the ones used for Sitecore Claiming Roles, it is up to you to look into the output and make adjustments using the right groups

$referenceUser = “[email protected]”

$differenceUser = “[email protected]”

Compare-Object -ReferenceObject (Get-AzureADUser -SearchString $referenceUser | Get-AzureADUserMembership -All $true | ? {$_.ObjectType -ne “Role”} | % {Get-AzureADGroup -ObjectId $_.ObjectId | select DisplayName | sort-object -property displayname}) -DifferenceObject (Get-AzureADUser -SearchString $differenceUser | Get-AzureADUserMembership -All $true | ? {$_.ObjectType -ne “Role”} | % {Get-AzureADGroup -ObjectId $_.ObjectId | select DisplayName | sort-object -property displayname}) -property DisplayName -passthru

The result of the comparison indicates whether a property value appeared only the reference object (<=) or only in the difference object (=>)

Having the following output, you will be able to determine whether you should be added / removed to match the reference User.

Then, I did adjustments and now I was part of the same Azure AD groups as the problematic user but still not able to reproduce the issue…

So, I’ve decided to double check Sitecore User Manager

Sitecore User Manager

When you first sign-in to a Sitecore that is integrated with Azure AD, a username is created into User Manager, and in a randomic set of letters and numbers as you can see

When I double-clicked at my user, I noticed that I had the Administrator checkbox marked

I decided to uncheck the Administrator box, sign out from Sitecore CM and access it again.

Voilá! I was able to reproduce the issue, and figure out the Administrator box overlap the Azure AD claiming.

I hope you liked it, and I’ll see you on my next post!