Hi,

I have also found this limitation to fulfill AD permission when AD is also used as the Identity Source. (no account for AD)

But in your case, as IDM (edir) is the identity source, I wonder why you don't use the Identity Manager Fulfillment with AD resources & entitlement ?

thanks

Sylvain