Hello,
We are currently using the IdentityIQ connector to provision groups into Azure.
We have a requirement for groups we provision to run this PowerShell command for the group that we created.

    Set-Team -GroupId -AllowCreateUpdateChannels $false -AllowDeleteChannels $false -AllowAddRemoveApps $false -Visibility Private

I have looked into using a connector after create rule, but it appears to only support account objects.
Does anyone have a way to trigger PowerShell commands after IIQ provisions a group to Azure?
Hi @chaynes2434 ,
You’re correct that the Creation Rule in the connector framework only fires for account objects, not for groups or entitlements. However, there is still a practical approach you can use to trigger PowerShell or Graph API actions after a group is provisioned, even if the native rule hook doesn’t support it directly.
Option 1: Custom Post-Provisioning Rule via Workflow or ProvisioningPlan Interceptor
You can create a BeforeProvisioning or AfterProvisioning Rule at the application level, and inspect the ProvisioningPlan for AccountRequest objects targeting your Azure AD application with op = "Create" and object type = "group".
Sample Sketch (AfterProvisioning Rule)
    import java.util.List;
    import sailpoint.object.ProvisioningPlan;
    import sailpoint.object.ProvisioningPlan.AccountRequest; // AccountRequest is nested in ProvisioningPlan
    import sailpoint.object.Application;

    if (plan != null) {
        List accountRequests = plan.getAccountRequests();
        if (accountRequests != null) {
            for (AccountRequest ar : accountRequests) {
                // Check if it's a group object being created.
                // getOperation() returns an enum, so compare its name, not the object itself.
                if ("group".equalsIgnoreCase(ar.getObjectType())
                        && ar.getOperation() != null
                        && "Create".equalsIgnoreCase(ar.getOperation().toString())) {
                    String groupId = ar.getNativeIdentity(); // or from attributeRequest if available
                    // Here you trigger an external system to run the PowerShell command
                    // Options:
                    // - Drop a message on a queue
                    // - Call a webhook or REST API that triggers PowerShell
                    // - Write to a DB table monitored by a PowerShell agent
                    log.info("Trigger PowerShell script for group: " + groupId);
                }
            }
        }
    }
Important: IIQ can’t run PowerShell natively. You need to integrate this logic with an external bridge or job runner.
Hope this helps!
Let me know if you have any questions.
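The agent side of the "external bridge" mentioned in the answer, as an added example that is not part of the thread or SailPoint's own code: it treats each group ID handed over by IIQ as untrusted input, accepts only a canonical GUID, and applies the fixed `Set-Team` settings from the question. It assumes the MicrosoftTeams module is installed and the session is already connected; the function name `Set-ProvisionedTeamPolicy` and the sample queue values are constructed for illustration.

```powershell
# Added example. Assumes the MicrosoftTeams module is installed and
# Connect-MicrosoftTeams has already run under a least-privilege identity.
function Set-ProvisionedTeamPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Raw string exactly as the IIQ rule wrote it to the queue (untrusted)
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$GroupId
    )
    begin {
        # Settings are fixed here; nothing read from the queue can alter them
        $policy = @{
            AllowCreateUpdateChannels = $false
            AllowDeleteChannels       = $false
            AllowAddRemoveApps        = $false
            Visibility                = 'Private'
        }
    }
    process {
        $parsed = [guid]::Empty
        # Accept only a canonical GUID; anything else is rejected and never passed on
        if (-not [guid]::TryParseExact($GroupId.Trim(), 'D', [ref]$parsed)) {
            Write-Warning "Rejected queue entry (not a GUID), length $($GroupId.Length)"
            return [pscustomobject]@{ GroupId = $null; Status = 'Rejected' }
        }
        if ($PSCmdlet.ShouldProcess("$parsed", 'Apply Set-Team lockdown policy')) {
            try {
                Set-Team -GroupId $parsed.ToString() @policy -ErrorAction Stop | Out-Null
                $status = 'Applied'
            } catch {
                # Report the failure so the caller can keep the entry for retry
                Write-Warning "Set-Team failed for ${parsed}: $($_.Exception.Message)"
                $status = 'Failed'
            }
        } else {
            $status = 'Skipped'
        }
        [pscustomobject]@{ GroupId = $parsed; Status = $status }
    }
}

# Constructed sample queue entries: one well-formed GUID, one malformed value.
# -WhatIf makes this a dry run, so Set-Team is never invoked.
$queue = '3f2b8c1e-9a4d-4e6b-8f7a-1c2d3e4f5a6b', 'not-a-guid; extra text'
$queue | Set-ProvisionedTeamPolicy -WhatIf
```

Dropping `-WhatIf` applies the policy for real; entries reported as `Failed` can stay in the queue for a later pass.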