We are currently using the IdentityIQ connector to provision groups into Azure.
We have a requirement for groups we provision to run this PowerShell command for the group that we created.
You’re correct that the Creation Rule in the connector framework only fires for account objects, not for groups or entitlements. However, there is still a practical approach you can use to trigger PowerShell or Graph API actions after a group is provisioned, even if the native rule hook doesn’t support it directly.
Option 1: Custom Post-Provisioning Rule via Workflow or ProvisioningPlan Interceptor
You can create a BeforeProvisioning or AfterProvisioning Rule at the application level, and inspect the ProvisioningPlan for AccountRequest objects targeting your Azure AD application with op = "Create" and object type = "group".
Sample Sketch (AfterProvisioning Rule)
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.Application;

// "plan" is the ProvisioningPlan passed into the BeforeProvisioning/AfterProvisioning rule
if (plan != null) {
    List accountRequests = plan.getAccountRequests();
    if (accountRequests != null) {
        for (AccountRequest ar : accountRequests) {
            // String.valueOf() tolerates either a String or an enum return value,
            // so the comparison works whichever the installed API version returns
            String objectType = String.valueOf(ar.getObjectType());
            String operation = String.valueOf(ar.getOperation());
            // Check if it's a group object being created
            if ("group".equalsIgnoreCase(objectType) && "Create".equalsIgnoreCase(operation)) {
                String groupId = ar.getNativeIdentity(); // or from attributeRequest if available
                // Here you trigger an external system to run the PowerShell command
                // Options:
                // - Drop a message on a queue
                // - Call a webhook or REST API that triggers PowerShell
                // - Write to a DB table monitored by a PowerShell agent
                log.info("Trigger PowerShell script for group: " + groupId);
            }
        }
    }
}
Important: IIQ can’t run PowerShell natively. You need to integrate this logic with an external bridge or job runner.
Hope this helps! Let me know if you have any questions.
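The "webhook that triggers PowerShell" bridge named in the answer, written out as an added example that is not part of the original thread and not SailPoint code. It assumes the IIQ rule POSTs a small JSON body (`objectType`, `op`, `groupId`) and attaches an HMAC-SHA256 of that body in a header, computed with a shared secret that both sides hold; the secret value and the script path `Set-GroupSettings.ps1` are placeholders, since the question does not show the actual command. The bridge rejects unsigned requests, accepts only group-create events whose `groupId` is a well-formed Azure AD object id, and passes that id to `pwsh` as a discrete argument rather than interpolating it into a command string.

```python
import hashlib
import hmac
import json
import re
import subprocess

# Placeholder secret: configure the same value in the IIQ rule that computes the signature.
SHARED_SECRET = b"replace-with-the-secret-configured-in-the-iiq-rule"
# Placeholder for the PowerShell script that wraps the command the question refers to.
PS_SCRIPT = r"C:\bridge\Set-GroupSettings.ps1"
# Azure AD object ids are GUIDs; anything else is rejected before it reaches PowerShell.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")


def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 hex digest the caller (the IIQ rule) sends in an X-Signature header."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(body: bytes, signature: str, secret: bytes = SHARED_SECRET) -> bool:
    """Constant-time comparison so a forged signature cannot be guessed byte by byte."""
    return hmac.compare_digest(sign(body, secret), signature or "")


def parse_event(body: bytes) -> dict:
    """Accept only a group Create event carrying a GUID-shaped groupId."""
    event = json.loads(body)
    if event.get("objectType") != "group" or event.get("op") != "Create":
        raise ValueError("not a group create event")
    group_id = str(event.get("groupId", ""))
    if not GUID_RE.match(group_id):
        raise ValueError("groupId is not an Azure AD object id")
    return {"groupId": group_id}


def build_command(group_id: str) -> list:
    """argv list for pwsh: no shell, the id travels as one argument to the -GroupId parameter."""
    return ["pwsh", "-NoProfile", "-NonInteractive", "-File", PS_SCRIPT, "-GroupId", group_id]


def handle(body: bytes, signature: str, run: bool = False) -> dict:
    """Webhook entry point: authenticate, validate, then (optionally) run the script."""
    if not verify(body, signature):
        return {"status": 401, "reason": "bad signature"}
    try:
        event = parse_event(body)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return {"status": 400, "reason": str(exc)}
    cmd = build_command(event["groupId"])
    if run:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
        return {"status": 200 if proc.returncode == 0 else 502, "cmd": cmd, "rc": proc.returncode}
    return {"status": 200, "cmd": cmd}


if __name__ == "__main__":
    # Constructed sample event, as the IIQ rule would send it.
    sample = b'{"objectType": "group", "op": "Create", "groupId": "3f2504e0-4f89-11d3-9a0c-0305e82c3301"}'
    print(handle(sample, sign(sample)))          # accepted, command built
    print(handle(sample, "0" * 64))              # rejected: bad signature
```

On the IIQ side the rule computes the same digest over the exact bytes it sends (javax.crypto.Mac with "HmacSHA256" is available from BeanShell) and sets it as the header; the bridge then only ever runs the script for ids that passed both the signature check and the GUID check, which is what keeps an unauthenticated caller or a malformed `groupId` from reaching PowerShell.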