Version 8.2
Hi Community,
What is the best way to remove the Azure AD groups on the leaver process, also what is the best place approach to do so. Does it require me to build a PowerShell script please suggest.
Regards,
Charan
No need for powershell - the only thing you have to do is to create ProvisioningPlan and for each Azure AD account create account request in which for each entry in memberOf attribute you execute REMOVE operation.
Then you can just execute the plan in your leaver workflow.
@charan18
Is Azure application integrated with SailPoint in your case, also are you referring to remove the AD group membership of the user when the user is offboarded , instead of disabling or deleting the account?
Can you please provide more specifics here
Yes, the Azure is integrated with SailPoint in my case.
I’m referring to removing all the memberOf groups from Azure application on Leaver event.
This is the example of the rule you can use to remove groups - you have to only execute the plan and check if I didn’t do any typo.
ProvisioningPlan plan = new ProvisioningPlan();
List links = identity.getLinks();
for(Link link :links) {
AccountRequest accReq;
if(link.getApplicationName().equals("Azure AD")) {
List groups = link.getAttribute("memberOf");
if(groups != null && !groups.isEmpty()) {
accReq=new AccountRequest();
accReq.setOperation(Operation.Modify);
accReq.setNativeIdentity(link.getNativeIdentity());
for(String group: groups) {
accReq.add(new AttributeRequest("memberOf",Operation.Remove,group);
}
plan.add(accReq);
}}
@charan18 if you have role assignment then use below approach, the bad outcome was when you will do refresh with provision assignment, it will again assign those memberships. so we handle sticky assignment by code in leaver.
Solved: Re: How to remove attributeAssignments by leaver workflow? - Compass (sailpoint.com)
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.