Best way to remove all the entitlements from Azure AD accounts

Hi,

What is the best way to remove all the entitlements from the Azure AD account aggregated through the Azure AD connector?

Is it through Before provisioning rule, Before script or anything else is recommended?

Thanks.

Need to know more context here: is it a one-time activity, or do you need to remove them as part of leaver processing, or something else? Based on that we can look for the best approach.

Possibilities are:

  1. Before Provisioning Rule
  2. Native Rules
  3. Workflows

We need to remove all the entitlements as part of Leavers.

Best way is to implement using Workflow. You can use this as a reference.

Workflow to remove ALL leavers’ standing access - IdentityNow (IDN) / IDN Show and Tell - SailPoint Developer Community Forum

Note that Workflow is a licensed module.

Thanks Krishna for the link, but unfortunately we don’t have the Workflow module enabled.

The Azure AD account can be controlled through the AD account as well. If you disable the AD account, the Azure AD account also gets disabled as there will be a sync.

In your LCS leaver, you might have already selected sources to disable.

Before Provisioning Rule
Check the Account Request operation; if it is Disable, then add account requests to remove all the entitlements.

  1. If the user is assigned some Roles automatically using some conditions, then add an LCS condition so that the leaver will be removed from the Role(s).

  2. If there are any manually requested Roles, then those Roles will add Entitlements to the user again even though you removed them through the Rule.

Depends on how your RBAC is modelled.

Certification Campaign

  1. Disable the user’s AD or Azure AD account first.
  2. Create a certification campaign for all leavers and ask the certifier to revoke all the Roles.

Pick the use cases suitable for your requirement/environment.

We are already using the Before Provisioning Rule to remove entitlements from On-Prem AD accounts. However, in this case, we need to do this for Azure-only accounts (not synced with On-prem AD). These accounts are created through the Azure AD connector.

Certification is always an option, but we need to remove them automatically 30 days after the End date.

Yeah, the same goes for Azure AD as well. You can remove them through a Before Provisioning Rule. Are you disabling the Azure AD account for the leaver? If yes, then how? Using LCS in the Identity Profile?

Yes, using LCS we are disabling the users.

Can we use the Before Provisioning rule the same way we use it for on-prem AD? I thought the Azure AD connector uses Graph APIs to do operations, and we might need to use a Before script or PowerShell script to do so.

I see your point. The Azure AD connector does support provisioning. I don’t think we need to make use of Native Rules to handle this through PowerShell.


https://documentation.sailpoint.com/connectors/microsoft/azure_ad/help/integrating_azure_active_directory/account_management_for_user_fd_and_gu.html
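As an added illustration of the Before Provisioning Rule approach discussed in this thread (not code from the thread or from SailPoint): an IdentityNow BeanShell rule that, on a Disable request for this Azure AD source, reads the aggregated account and appends a Remove request for each entitlement value currently on it. The entitlement attribute names `groups` and `roles` and the `idn.getAccountByNativeIdentity` lookup are assumptions to verify against the source's account schema and the rule guide; as noted above, role-granted entitlements still need an LCS condition on the role or they are re-added.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Entitlement attributes of the Azure AD account schema (assumed names; confirm
// against the source's account schema in your tenant).
String[] entitlementAttrs = new String[] { "groups", "roles" };

// Builds one Remove request per current value of a single entitlement attribute.
// The aggregated value may be a single String or a List, so both are handled.
List buildRemoves(String attrName, Object currentValue) {
  List removes = new ArrayList();
  if (currentValue == null) return removes;
  List values = new ArrayList();
  if (currentValue instanceof List) values.addAll((List) currentValue);
  else values.add(currentValue);
  for (Object v : values) {
    removes.add(new AttributeRequest(attrName, ProvisioningPlan.Operation.Remove, v));
  }
  return removes;
}

List accountRequests = plan.getAccountRequests();
if (accountRequests != null) {
  for (AccountRequest ar : accountRequests) {
    // Only act on Disable requests aimed at this source; leave Create/Modify alone.
    if (!AccountRequest.Operation.Disable.equals(ar.getOperation())) continue;
    if (!application.getName().equals(ar.getApplicationName())) continue;

    // Assumed IdnRuleUtil lookup: strip what is actually on the account today,
    // not only what the plan happens to carry.
    Object account = idn.getAccountByNativeIdentity(application.getName(), ar.getNativeIdentity());
    if (account == null) {
      log.warn("Leaver cleanup: no aggregated account for " + ar.getNativeIdentity());
      continue;
    }
    for (String attrName : entitlementAttrs) {
      List removes = buildRemoves(attrName, account.getAttribute(attrName));
      for (AttributeRequest req : removes) {
        ar.add(req);
      }
      // Leaves an audit trail of what was stripped at disable time.
      log.info("Leaver cleanup: removing " + removes.size() + " " + attrName
          + " value(s) from " + ar.getNativeIdentity());
    }
  }
}
```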
