Azure Group Provisioning Workflow

Hello,

Our team has been tasked with triggering an IdentityIQ workflow from ServiceNow. The goal of this IdentityIQ workflow is to provision a new Teams-enabled group in our Azure instance.

I have already successfully called a workflow by testing with Postman at the identityiq/scim/v2/LaunchedWorkflows endpoint.

I have been trying to call the out-of-the-box LCM Provisioning workflow, but I get an error message back saying identityName is required. Obviously, the newly provisioned Azure Teams group (which of course is really a new entitlement) will not be assigned to a particular identity; instead it is just IdentityIQ provisioning a new entitlement group.

Does anyone have an example of a workflow that will simply take in the plan as an input and execute it? All the approvals for this new group will be handled in ServiceNow, so no approvals on the IdentityIQ side are needed. Additionally, I would like to return the provisioning result to ServiceNow so their team knows whether the provisioning was successful. Also, I would like this to at least show up as an access request in IdentityIQ so we can see them clearly and it's not just some sort of background process.

Here is an example of an Azure group provisioning plan that was confirmed to work:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan>
  <ObjectRequest application="Azure APP" op="Create" type="group">
    <AttributeRequest name="teamsEnabled" op="Set">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </AttributeRequest>
    <AttributeRequest name="mailNickname" op="Set" value="msteams_Demo3"/>
    <AttributeRequest name="displayName" op="Set" value="Dev Demo 365 Group 3"/>
    <AttributeRequest name="mailEnabled" op="Set">
      <Value>
        <Boolean></Boolean>
      </Value>
    </AttributeRequest>
    <AttributeRequest name="description" op="Set" value="Demo group for 365 creation 3"/>
    <AttributeRequest name="groupTypes" op="Set" value="Office365"/>
    <AttributeRequest name="addOwnerAsMember" op="Set">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </AttributeRequest>
    <AttributeRequest name="owners" op="Add">
      <Value>
        <List>
          <String>EMAIL1</String>
        </List>
      </Value>
    </AttributeRequest>
  </ObjectRequest>
</ProvisioningPlan>

The LCM Provisioning workflow is executed for a particular identity, and hence you will need to pass the argument identityName when calling the workflow via the API.

The response for the API call will have error messages in case there is any error. You can handle any error scenarios in the workflow and return an error by setting a Message object in the workflow.
The LCM Provisioning workflow will create an identityRequestId.
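As an added example that is not code from either post or from SailPoint: a small Python helper for the ServiceNow side that sanity-checks a group plan like the one posted above before it is sent, builds the LaunchedWorkflows request body, and reads the result messages the reply above refers to. The SCIM schema URN, the response fields `completed` and `messages`, the `plan` input name and the required-attribute list are assumptions to confirm against your IdentityIQ version; the sample plan is constructed from the posted one with EMAIL1 kept as a placeholder.

```python
import xml.etree.ElementTree as ET

# Assumed SCIM schema URN for IdentityIQ LaunchedWorkflows; confirm against your IIQ version.
LW_SCHEMA = "urn:ietf:params:scim:schemas:sailpoint:1.0:LaunchedWorkflow"
REQUIRED_GROUP_ATTRS = ("displayName", "mailNickname", "owners")  # assumption for this check

# Constructed sample plan, trimmed from the one in the post; EMAIL1 is a placeholder.
SAMPLE_PLAN = """<?xml version='1.0' encoding='UTF-8'?>
<ProvisioningPlan>
  <ObjectRequest application="Azure APP" op="Create" type="group">
    <AttributeRequest name="displayName" op="Set" value="Dev Demo 365 Group 3"/>
    <AttributeRequest name="mailNickname" op="Set" value="msteams_Demo3"/>
    <AttributeRequest name="mailEnabled" op="Set"><Value><Boolean></Boolean></Value></AttributeRequest>
    <AttributeRequest name="owners" op="Add"><Value><List><String>EMAIL1</String></List></Value></AttributeRequest>
  </ObjectRequest>
</ProvisioningPlan>"""


def check_group_plan(plan_xml: str) -> list[str]:
    """Problems found in a group-creation plan (empty list means it looks sane).
    Run this on the ServiceNow side so a malformed plan never reaches IdentityIQ."""
    root = ET.fromstring(plan_xml.encode("utf-8"))
    reqs = root.findall("ObjectRequest")
    problems = [] if reqs else ["plan has no ObjectRequest"]
    for req in reqs:
        if (req.get("op"), req.get("type")) != ("Create", "group"):
            problems.append(f"unexpected ObjectRequest op={req.get('op')} type={req.get('type')}")
        names = {a.get("name") for a in req.findall("AttributeRequest")}
        problems += [f"missing AttributeRequest {a}" for a in REQUIRED_GROUP_ATTRS if a not in names]
        for attr in req.findall("AttributeRequest"):
            for b in attr.iter("Boolean"):  # an empty <Boolean> is ambiguous; insist on true/false
                if (b.text or "").strip() not in ("true", "false"):
                    problems.append(f"{attr.get('name')}: Boolean must be true or false")
    return problems


def build_launch_request(workflow_name: str, plan_xml: str) -> dict:
    """Body for POST /identityiq/scim/v2/LaunchedWorkflows; the 'plan' input name is assumed."""
    return {
        "schemas": [LW_SCHEMA],
        LW_SCHEMA: {"workflowName": workflow_name,
                    "input": [{"key": "plan", "value": plan_xml, "type": "string"}]},
    }


def provisioning_succeeded(response: dict) -> tuple[bool, list[str]]:
    """Success only when the workflow reports completed with no messages (field names assumed)."""
    body = response.get(LW_SCHEMA, {})
    msgs = [m.get("message", str(m)) if isinstance(m, dict) else str(m) for m in body.get("messages", [])]
    return bool(body.get("completed")) and not msgs, msgs
```

Run `check_group_plan` on the posted plan and it flags the empty mailEnabled Boolean, which is the kind of ambiguity worth resolving before the request leaves ServiceNow.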

Sanjeev,

Thank you for your reply. I understand your post completely. What we are looking for is an example of a new workflow that will simply create a new entitlement for an application. In our particular case it will be a new Azure group.