Delete operation supported by AzureAD source

Identity Security Cloud (ISC) ISC Discussion and Questions
1

Hi team,

Firstly, thanks for doing a great job for creating a proactive community, really appreciated.

I’ve a requirement wherein when a user touches “inactive” lifecycle state, I want to delete corresponding AzureAD account for the same user. I can see that delete operation is not OOTB supported as per the AzureAD documentation -
https://documentation.sailpoint.com/connectors/microsoft/azure_ad/help/integrating_azure_active_directory/account_management_for_user__fd_and_gu.html#Account

So, I was thinking to use before provisioning rule with the logic that any “disable” account request will be converted to “delete” account request. My question here is, do AzureAD source has the implementation written for “delete” account request or is there any other better way to implement this?
I’ve tried Workflow as well for the same requirement, but it currently has a limitation of inline variables not working inside HTTP Request URL field.

Would appreciated if anyone can assist. Thanks!

2

Hi Gaurav,

Workflows should support inline variables in the URL. What does your HTTP action configuration look like? I might be able to spot the issue.

3

Thanks @colin_mckibben for taking this up.
Within HTTP Request action, the Request URL field (which is a value) looks something like this (I’ve used inline variable with a filter) -
https://targetsystem.com/users/{{$.getAccounts.accounts[?(@.sourceName == \"Test Source\")].attributes.objectId}}

Once the workflow runs, it fails at the HTTP Request step where I can see that the Request URL hasn’t resolved the expression to a value.

There is another post for the HTTP Request inline variable -

4

Ah yes, JSONpath filters aren’t supported in inline variables at this time. It is a known issue and engineering is looking into it.

5

Thanks @colin_mckibben for confirming the known issue.

Apart from workflow, the other part of my question was to know if “Delete Account” operation is supported by AzureAD connector via Before Provisioning Rule (intent is change “disable” to “delete”) ?

6

Just got confirmation from the engineers that the “Delete Account” operation is not supported. Usually, disable is preferred because you can then recover an account in the event that the identity returns and is enabled again.

7

Thanks again, @colin_mckibben! :slight_smile:

Eagerly waiting for the JSONpath filters to be supported inside inline variables for HTTP Request action.

1 Like