Check that Entitlement exists on an identity using a transform

Problem

Need a count of how many persons have an Entra license

Diagnosis

Need to retrieve the existing entitlement for anything starting with O365.

Solution

Example transform:

{
    "type": "lookup",
    "attributes": {
        "requiresPeriodicRefresh": true,
        "input": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "accountPropertyFilter": "(memberOf.contains(\"O365\"))",
                            "attributeName": "sAMAccountName",
                            "sourceName": "Active Directory-Lab"
                        },
                        "type": "accountAttribute"
                    },
                    "FALSE"
                ]
            }
        },
        "table": {
            "FALSE": "false",
            "default": "true"
        }
    }
}

Reference Document:
Account Attribute | SailPoint Developer Community


Hey @ts_fpatterson,
This is great! Just wanted to share another way of doing this same thing that may be a bit more effective in some situations.

If you have an Entra ID source that pulls in assignedLicenses as an attribute, you can crawl that to check the license(s) actually assigned to an account. By checking directly against Entra ID, you’re ensuring that your data is catching all licenses applied to all accounts, regardless of whether it was set via AD or some other way, or if someone messed with the group mappings without you knowing.

In this transform, we are checking for specific String ID values that map to Entra license types; you can find the mapping here to select which license types actually apply to your environment, and just update/add to the list in the transform. Note that if you change any of the variable names or add new ones, you’ll also need to update the array in the value at the bottom! In this example, we’re looking for whether a user has an E1, an E5, and/or an F1 license (they can have more than one!!).

{
    "name": "licenseCheck",
    "type": "static",
    "attributes": {
        "e5": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "type": "accountAttribute",
                        "attributes": {
                            "attributeName": "assignedLicenses",
                            "sourceName": "Entra ID",
                            "accountPropertyFilter": "(assignedLicenses.contains(\"ENTERPRISEPREMIUM\"))"
                        }
                    },
                    "false"
                ]
            }
        },
        "e1": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "type": "accountAttribute",
                        "attributes": {
                            "attributeName": "assignedLicenses",
                            "sourceName": "Entra ID",
                            "accountPropertyFilter": "(assignedLicenses.contains(\"STANDARDPACK\"))"
                        }
                    },
                    "false"
                ]
            }
        },
        "f1": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "type": "accountAttribute",
                        "attributes": {
                            "attributeName": "assignedLicenses",
                            "sourceName": "Entra ID",
                            "accountPropertyFilter": "(assignedLicenses.contains(\"M365_F1_COMM\"))"
                        }
                    },
                    "false"
                ]
            }
        },
        "value": "#set($out = '')#foreach($item in [$e1,$e5,$f1])#if($item != 'false')#if($out.length() > 0)#set($out = $out + ',')#end#set($out = $out + $item)#end#end $out"
    }
}

Since we can’t gracefully join an array, we have to manually combine the items, and we only want to drop in a delimiter where necessary. The Velocity in the value breaks down like so:

#set ($out = '')                   ##Instantiate a string variable
#foreach ($item in [$e1,$e5,$f1])  ##Create and populate array
  #if ($item != 'false')           ##Check the current item
    #if ($out.length() > 0)        ##Check if there's already a value
      #set ($out = $out + ',')     ##If so, add a comma delimiter
    #end                           ##Close the inner if statement
    #set ($out = $out + $item)     ##Add value to string
  #end                             ##Close outer if
#end                               ##Close foreach loop
$out                               ##Output the string
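An added offline simulation (not code from the thread or from SailPoint) of the two checks above, run over constructed sample accounts: the AD-group test from the first transform, the per-SKU Entra test plus Velocity-style join from the second, and a reconciliation that flags users where the two views disagree. It assumes each matched sub-transform resolves to the SKU part number rather than reproducing SailPoint's exact return value for a multi-valued attribute.

```python
# Added example: simulate both transforms over constructed data and reconcile them.

# Entra SKU part numbers from the second transform, in the [$e1,$e5,$f1] join order.
LICENSE_SKUS = ["STANDARDPACK", "ENTERPRISEPREMIUM", "M365_F1_COMM"]

# Constructed sample accounts: one AD account and one Entra account per user.
AD_ACCOUNTS = {
    "alice": {"memberOf": ["CN=O365-E5,OU=Groups,DC=lab", "CN=VPN,OU=Groups,DC=lab"]},
    "bob":   {"memberOf": ["CN=O365-E1,OU=Groups,DC=lab"]},
    "carol": {"memberOf": ["CN=VPN,OU=Groups,DC=lab"]},
    "dave":  {"memberOf": ["CN=O365-F1,OU=Groups,DC=lab"]},
}
ENTRA_ACCOUNTS = {
    "alice": {"assignedLicenses": ["ENTERPRISEPREMIUM"]},
    "bob":   {"assignedLicenses": ["STANDARDPACK", "M365_F1_COMM"]},
    "carol": {"assignedLicenses": ["STANDARDPACK"]},  # licensed, but not via an O365 group
    "dave":  {"assignedLicenses": []},                 # in an O365 group, but no license
}


def ad_group_check(account):
    """First transform: firstValid(memberOf contains 'O365', 'FALSE') through the lookup table."""
    matched = any("O365" in dn for dn in account["memberOf"])
    return "true" if matched else "false"


def entra_license_check(account):
    """Second transform: one firstValid per SKU (assumed to yield the SKU name), then the join."""
    items = [sku if sku in account["assignedLicenses"] else "false" for sku in LICENSE_SKUS]
    out = ""
    for item in items:            # mirrors the Velocity loop: delimiter only between kept items
        if item != "false":
            if len(out) > 0:
                out += ","
            out += item
    return out


def count_licensed(entra_accounts):
    """The count asked for in the original problem, taken from the Entra view."""
    return sum(1 for acct in entra_accounts.values() if entra_license_check(acct))


def reconcile(ad_accounts, entra_accounts):
    """Return {user: (ad_flag, entra_licenses)} where group membership and licenses disagree."""
    drift = {}
    for user, ad_acct in ad_accounts.items():
        ad_flag = ad_group_check(ad_acct)
        licenses = entra_license_check(entra_accounts.get(user, {"assignedLicenses": []}))
        if (ad_flag == "true") != bool(licenses):
            drift[user] = (ad_flag, licenses)
    return drift
```

Users in the drift map are the ones Mark's point is about: a group-based check alone would miss carol's license and over-count dave.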

thanks Mark!!

This is great. I agree going to the source makes the most sense.

In my particular situation the customer is maintaining the license based on AD groups that are synchronized through AD Connect. The AD groups are populated through role assignments, but they also have exceptions where someone may be assigned a higher tier license manually through the group assignment.

Yeah, being able to return a list of which licenses users have gives the added benefit of being able to find users with multiple licenses to help reduce costs :) (though, you can probably also set assignedLicenses as a multi-valued entitlement in the Entra ID schema, and then use SOD to find redundant licenses).
