Description
This is a simple Pipedream workflow that helps creating access profiles in bulk for Azure service plans. These plans are discovered by IdentityNow as assignedPlans entitlements. The default names are all caps and hard to associate with the service plan and product they refer to. In fact, Microsoft keeps a list of most of these service plans here. For instance, SHAREPOINTWAC : O365_BUSINESS entitlement is actually Office Online service plan from Microsoft 365 Apps for Business product. By cross-referencing this list, the workflow creates the access profiles with the appropriate names.
For those processes beyond 5 min duration, the workflow will time out. The workflow keeps track of the created access profiles and it will pick it up where you left off. It’s also the rollback mechanism so you can remove all created access profiles. Remember they must not be in use or assigned to any app to be deleted.
Pre requisites
Pipedream account and an IdentityNow tenant.
Limitations
Microsoft’s list does not contain all existing service plan/product combinations, sorry!
Configuration
- Deploy this workflow on your Pipedream account.
- Open the workflow and change the default settings to something like this:
Configure the following variables using your tenant information and personal access token:
Change the following parameters to suit your needs:
- steps.input[Mode]: set it to either add or remove, depending on what you want to do.
- steps.input[Query]: the IdentityNow search that yields the desired entitlements to create access profiles for.
- steps.input[Owner]: user name of the access profiles owner.
- steps.input[AccessRequestConfig]: you may want to change the approval scheme.
- steps.input[ApplicationId]: existing application ID to add the profiles to. Leave blank to skip.
- The $checkpoint variable keeps track of all changes made. Should you want to rollback changes just change Mode to remove and run again.