Azure AD groups provisioning limitation

Hi all,

We have a particular need to manage Azure AD accounts. There are 10 specific groups, and users can only belong to one of these groups at a time. This means that if a user already has one of these groups—regardless of how it was assigned (through a business role, access request, or aggregation)—and they are assigned to another group, the new group should replace the first one. What could be the easiest approach to implement this? Any idea would be appreciated. Thanks!

Hi @sahincelik,

Welcome to the SailPoint developer community!

You can use an SOD Policy for that need: Managing Policies - SailPoint Identity Services

By defining a set of entitlements that a user cannot have at the same time. With that, if a user already has one of the groups and tries to add another, a violation is detected and the violation can take appropriate action.

Another way is to define the entitlement as a non-multivalued attribute, but I think in your case that will be difficult because your users probably have other Azure AD groups.

Best regards.

Hi Ousmane, thanks for your reply. But the requirement is not to allow more than one group to be provisioned. With SODs, I can only detect who has more than one group assigned, but I need something preventative. Besides, you would still need manual action in that solution, which is not acceptable unfortunately.

@sahincelik SOD preventive mode also works when access is requested from the Request Center.

But I never tested preventive mode when access is provisioned automatically based on criteria.

I will test that too, thanks. But I am still looking for an option where I can replace the entitlement with the newly requested entitlement. Then I can have a complete solution. So, I am also considering workflows or a before provisioning rule to implement this. Do you have any idea on that? Do you think that it can be done via any of them?

Yeah, a before provisioning rule can be a good idea, but the difficulty was comparing the requested entitlement with the entitlements that the user already has.

Hi @sahincelik

Welcome to the SailPoint Developer community.

SOD won’t help you here, it is just to detect.

  1. Preventive actions
  • Let’s say that the user already has one of those 10 groups, and the user requests one more group. What do you need to do then?
  • You can reject the request by using a workflow. Refer to this:
    Implementing A Request Response Type Trigger in Workflows
  • If you would like to add that group and remove the existing group, then you need to handle this in a Before Provisioning Rule, which is a cloud rule.
  2. Access Reviews
    Running a certification campaign is recommended to have a look at the current data and remove groups if a user has more than 1 group. The certifier needs to work on which groups are to be removed.

  3. Detective

  • After implementing steps 1 & 2, if a user gets added to the group at the target end (ideally shouldn’t be), just in case, you can go for Access Reviews periodically.
  • You can create an Identity attribute for this: see if the user has more than 1 group, then mark it as yes.
  • Based on this attribute, you can trigger the workflow. Or you can schedule the workflow to run and check directly in the workflow if the user has more than 1 group, if you don’t like to have an identity attribute for this requirement alone.
  • Using the workflow you can remove the access.

Thanks
Krish

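A sketch of the Before Provisioning Rule logic Krish describes (add the requested group, remove the existing one), which also covers the comparison step Ousmane found difficult. This is an added example, not code from the thread or from SailPoint: the group object IDs, the `groups` attribute name and the `idn.getAccountByNativeIdentity(...)` lookup of the existing account are assumptions to verify against your Azure AD source; the plan manipulation uses the standard `ProvisioningPlan` classes.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;
// Assumption: object IDs of the 10 mutually exclusive groups (placeholders; list all 10 here).
Set exclusiveGroups = new HashSet(Arrays.asList(
    "<GROUP-OBJECT-ID-1>", "<GROUP-OBJECT-ID-2>", "<GROUP-OBJECT-ID-3>"));
// Assumption: the account attribute on the Azure AD source that carries group membership.
String groupAttr = "groups";

if (plan != null && plan.getAccountRequests() != null) {
  for (AccountRequest acctReq : plan.getAccountRequests()) {
    if (acctReq.getAttributeRequests() == null) continue;
    // 1. Collect the exclusive groups this plan is trying to add (value may be a String or a List).
    Set requested = new HashSet();
    for (AttributeRequest attrReq : acctReq.getAttributeRequests()) {
      if (!groupAttr.equals(attrReq.getName()) || !Operation.Add.equals(attrReq.getOperation())) continue;
      Object v = attrReq.getValue();
      List vals = (v instanceof List) ? (List) v : Arrays.asList(new Object[] { v });
      for (Object g : vals) { if (exclusiveGroups.contains(g)) requested.add(g); }
    }
    if (requested.isEmpty()) continue;   // no exclusive group is being added; leave the plan alone
    if (requested.size() > 1) {          // two exclusive groups in one plan: ambiguous, do not guess
      log.warn("Conflicting exclusive groups requested for " + acctReq.getNativeIdentity() + ": " + requested);
      continue;                          // the SOD policy / detective step can catch this case
    }
    // 2. Read the account's current groups. Assumption: idn.getAccountByNativeIdentity(...) returns
    //    the existing account (null on create) and its getAttributes() map holds the group list.
    account = idn.getAccountByNativeIdentity(application.getName(), acctReq.getNativeIdentity());
    if (account == null) continue;       // account is being created: nothing to replace
    Object cur = account.getAttributes().get(groupAttr);
    List currentGroups = (cur instanceof List) ? (List) cur
                       : (cur == null ? new ArrayList() : Arrays.asList(new Object[] { cur }));
    // 3. Replace semantics: add a Remove for every other exclusive group the account already holds.
    //    The requested group itself is never removed, even if the account already has it.
    for (Object g : currentGroups) {
      if (exclusiveGroups.contains(g) && !requested.contains(g)) {
        acctReq.add(new AttributeRequest(groupAttr, Operation.Remove, g));
        log.info("Replacing exclusive group " + g + " with " + requested + " on " + acctReq.getNativeIdentity());
      }
    }
  }
}
return plan;
```

The rule deliberately leaves a plan untouched when it adds two exclusive groups at once, so that case still surfaces through the SOD policy or the detective workflow rather than being resolved silently.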

Hi Krishna,

Thanks for your reply. Currently I am working on a workflow to fulfill this requirement. I am trying to resolve an issue in the Access Removal step at the moment. If I can solve it, I will update here. Otherwise, I will try the before provisioning rule as you suggested.
