We have a particular need to manage Azure AD accounts. There are 10 specific groups, and users can only belong to one of these groups at a time. This means that if a user already has one of these groups—regardless of how it was assigned (through a business role, access request, or aggregation)—and they are assigned to another group, the new group should replace the first one. What could be the easiest approach to implement this? Any idea would be appreciated. Thanks!
By defining a set of entitlements that a user cannot have at the same time. With that, if a user already has one of the groups and tries to add another, a violation is detected and an appropriate action can be taken on the violation.
Another way is to define the entitlement as a non-multivalued attribute. But I think in your case that will be difficult, because your users probably have other Azure AD groups.
Hi Ousmane, thanks for your reply. But the requirement is not to allow more than one group to be provisioned. With SoDs, I can only detect who has more than one group assigned, but I need something preventative. Besides, you would still need manual action in that solution, which is not acceptable, unfortunately.
I will test that too, thanks. But I am still looking for an option where I can replace the existing entitlement with the newly requested one. Then I would have a complete solution. So I am also considering workflows or a Before Provisioning Rule to implement this. Do you have any ideas on that? Do you think it can be done via either of them?
Yeah, a Before Provisioning Rule can be a good idea, but the difficulty was comparing the requested entitlement to the entitlements the user already has.
If you would like to add that group and remove the existing group, then you need to handle this in a Before Provisioning Rule, which is a cloud rule.
Access Reviews
Running a certification campaign is recommended to have a look at the current data and remove groups if a user has more than one. The certifier needs to work out which groups are to be removed.
Detective
After implementing steps 1 and 2, if a user gets added to the group on the target side (which ideally shouldn't happen), just in case, you can go for Access Reviews periodically.
You can create an identity attribute for this: check whether the user has more than one group and, if so, mark it as yes.
Based on this attribute, you can trigger the workflow. Or you can schedule the workflow to run and check directly in the workflow whether the user has more than one group, if you don't want to have an identity attribute for this requirement alone.
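The two pieces of logic discussed in the replies above are (a) the comparison a Before Provisioning Rule has to make between the requested entitlement and the entitlements the account already holds, so it can emit the matching Remove requests, and (b) the "more than one exclusive group" check that a detective workflow or identity attribute would evaluate. The following is an added example, not code from the original thread and not SailPoint's own rule API: it models a provisioning plan as a plain list of attribute requests in Python so the rewrite can be run and tested offline. The group names `aad-tier-1` through `aad-tier-10`, the attribute name `groups`, and the `AttributeRequest` class are all constructed for the example; in a real cloud rule the current membership would have to be read from the account data that the rule has access to, which is an assumption this model makes explicit by passing it in.

```python
"""Model of the plan rewrite a Before Provisioning Rule would perform for
mutually exclusive Azure AD groups.  Constructed example; the data model is
a stand-in for a provisioning plan, not SailPoint's ProvisioningPlan API."""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed: the ten mutually exclusive groups (hypothetical names).
EXCLUSIVE_GROUPS = frozenset(f"aad-tier-{i}" for i in range(1, 11))

# Constructed: the multi-valued account attribute that carries group membership.
GROUP_ATTR = "groups"


@dataclass(frozen=True)
class AttributeRequest:
    """One entry of a provisioning plan: operation on an account attribute."""
    name: str    # attribute on the target account, e.g. "groups"
    op: str      # "Add" or "Remove" (other operations are passed through)
    value: str


def rewrite_plan(current_groups: Iterable[str],
                 requests: Iterable[AttributeRequest],
                 exclusive: frozenset = EXCLUSIVE_GROUPS,
                 attr: str = GROUP_ATTR) -> List[AttributeRequest]:
    """Return the plan with any Add of an exclusive group preceded by Remove
    requests for every other exclusive group the account holds.

    `current_groups` is what the account already has on the target (the
    value the real rule would have to look up).  Requests are applied in
    order, so an Add of a second exclusive group in the same plan removes the
    first one: last request wins.  A redundant Add of a group the account
    already holds is dropped rather than forwarded."""
    held = set(current_groups)
    out: List[AttributeRequest] = []
    for req in requests:
        if req.name != attr:
            out.append(req)              # unrelated attribute, untouched
            continue
        if req.op == "Remove":
            held.discard(req.value)
            out.append(req)
            continue
        if req.op != "Add":
            out.append(req)              # e.g. Set: pass through unchanged
            continue
        if req.value not in exclusive:
            held.add(req.value)          # ordinary group, no exclusivity rule
            out.append(req)
            continue
        if req.value in held:
            continue                     # already a member: nothing to do
        # Requested group is exclusive and new: swap out every other
        # exclusive group first.  Covers drift where more than one is held.
        for other in sorted(held & exclusive):
            out.append(AttributeRequest(attr, "Remove", other))
            held.discard(other)
        out.append(req)
        held.add(req.value)
    return out


def has_violation(current_groups: Iterable[str],
                  exclusive: frozenset = EXCLUSIVE_GROUPS) -> bool:
    """Detective check for the workflow / identity attribute: True when an
    account holds more than one of the exclusive groups."""
    return len(set(current_groups) & exclusive) > 1


if __name__ == "__main__":
    # Constructed sample: account already in tier-1 plus an unrelated group,
    # and an access request adds tier-3.
    plan = [AttributeRequest(GROUP_ATTR, "Add", "aad-tier-3")]
    for r in rewrite_plan(["aad-tier-1", "Finance-Readers"], plan):
        print(r.op, r.name, r.value)
    print("violation:", has_violation(["aad-tier-1", "aad-tier-2"]))
```

The point of passing `current_groups` in explicitly is that the plan alone does not tell the rule what the account already has, which is exactly the comparison difficulty raised above; whatever lookup the real rule uses for that, the rewrite itself stays as simple as the loop shown here. The `has_violation` helper is the same membership test, reused for the detective path so that the preventive and detective logic cannot drift apart.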
Thanks for your reply. Currently I am working on a workflow to fulfil this requirement. I am trying to resolve an issue in the Access Removal step at the moment. If I can solve it, I will update here. Otherwise, I will try the Before Provisioning Rule as you suggested.