Azure PIM Provisioning Policy

Specifies the duration for which the role needs to be assigned to the user from the current time.


This is the companion discussion topic for the documentation at https://documentation.sailpoint.com/connectors/microsoft/entra_id/help/integrating_entra_id/azure_pim_provisioning_policy.html

Dear Developers,

From this documentation I do not understand where to set the attributes like the duration for example and where to pass them.

Please could you review the documentation and be more descriptive on what policy to use and what an example of the policy could look like, rather than the output?

Thank you!


Hi Adam! Thank you for your input. We’ve created a Jira issue to track the effort, and we’ll update the comment thread when it’s been addressed: CONDOCS-5827

Thanks.

I’m in the same boat here. It is not clear where I need to update the source to enable adding these helpful values to Entra PIM assignments.

It is a BeforeProvisioning rule to be attached to the source.
Below you can find a code snippet; just make sure to include all your other rules you might have for different attributes or account creation, disabling, etc. So don’t take this as gospel :smiley: :

<![CDATA[
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.Attributes;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Log rule execution
log.info("Executing Before Provisioning Rule for all applications");

// Either list can be null when the plan carries no requests of that kind
List accountRequests = plan.getAccountRequests();
if (accountRequests != null) {

  // Iterate over all account requests in the provisioning plan
  for (AccountRequest accountRequest : accountRequests) {

    List attributeRequests = accountRequest.getAttributeRequests();
    if (attributeRequests == null) {
      continue;
    }

    // Iterate over all AttributeRequests
    for (AttributeRequest attributeRequest : attributeRequests) {

      // Target azureADActiveRoles and azureADEligibleRoles AttributeRequests
      if ("azureADActiveRoles".equals(attributeRequest.getName()) ||
          "azureADEligibleRoles".equals(attributeRequest.getName())) {

        // Create MAP duuuuuh
        Map argsMap = new HashMap();
        argsMap.put("duration", "permanent");

        // Wrap the MAP inside Attributes object
        Attributes attributes = new Attributes();
        attributes.putAll(argsMap);

        // Set arguments in the attribute request
        attributeRequest.setArguments(attributes);

        // Log for testing
        log.info("Successfully set duration to: permanent");
      }
    }
  }
}
]]>