Email Forwarding Upon Termination

Hello,

We want to be able to update ‘ForwardingAddress’ and ‘DeliverToMailboxAndForward’ properties on some Identities’ Exchange Online accounts when they move into the Sunset Lifecycle State.

Our Entra Source is using the Entra SaaS connector. We have the options for Manage M365 and Exchange Online configured on the source.

In the HR Source there are two values for this need – ‘EmailForward’ (True/False) and ‘ForwardingRecipient’ (UPN of recipient).

We have the EXO_ values in the Entra Source Schema and the HR values are added to the Identity Profile as Identity Attributes.

Transform/Attribute Sync doesn’t seem to work because the value will sometimes return empty if the Identity is not marked as requiring forwarding.

Workflow doesn’t seem to work because you can’t manipulate account attributes via a Workflow.

Looking for some guidance on how to achieve this goal. Is anyone else setting up email forwarding upon termination, and if so, how are you accomplishing it?

Thanks.

Hello @chrisk ,

Regarding your following statement “Transform/Attribute Sync doesn’t seem to work because the value will sometimes return empty if the Identity is not marked as requiring forwarding.”

I think the better and standard way for your use case is to use transform/attribute sync. If the value is sometimes empty in your HR Source, you can handle this in the transform (for example with firstvalue transform by adding a default value).

Thanks.

A transform seems to be the best way to do this. Do you want to share it so that we can provide feedback?

I may have worded that a bit wrong. The value from the HR source is not empty, the value coming back from the Transform will be empty sometimes which causes an error on the Identity. (I guess Transform can’t return an empty value?)

Here is an example for the ‘DeliverToMailboxAndForward’ Attribute.

If Identity is in ‘Sunset’ LCS AND the HR Attribute ‘emailforward’ is ‘True’, we want to return a value of ‘False’ ELSE don’t return anything.

{
    "name": "deliverAndForward",
    "type": "conditional",
    "attributes": {
        "expression": "$lifecycleState eq sunset",
        "positiveCondition": "$forwardingResult",
        "negativeCondition": "",
        "lifecycleState": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "cloudLifecycleState"
                        }
                    },
                    {
                        "type": "static",
                        "attributes": {
                            "value": "active"
                        }
                    }
                ]
            }
        },
        "forwardingResult": {
            "type": "conditional",
            "attributes": {
                "expression": "$emailForward eq true",
                "positiveCondition": "false",
                "negativeCondition": "",
                "emailForward": {
                    "type": "firstValid",
                    "attributes": {
                        "values": [
                            {
                                "type": "identityAttribute",
                                "attributes": {
                                    "name": "emailforward"
                                }
                            },
                            {
                                "type": "static",
                                "attributes": {
                                    "value": "false"
                                }
                            }
                        ]
                    }
                }
            }
        }
    },
    "internal": false
}

Since this Attribute will be set up as Attribute Sync – we can’t have it pushing values such as ‘N/A’ or ‘NULL’ etc. to the Exchange Online properties.

Same thing happens with the ‘forwardingRecipient’ transform. We want to Attribute Sync the email to the EXO Property of the Identity if LCS = ‘Sunset’ and emailForward = ‘True’ so we can’t have an arbitrary value pushed to Entra.

{
    "name": "forwardingrecipient",
    "type": "conditional",
    "attributes": {
        "expression": "$lifecycleState eq sunset",
        "positiveCondition": "$forwardingResult",
        "negativeCondition": "",
        "lifecycleState": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "cloudLifecycleState"
                        }
                    },
                    {
                        "type": "static",
                        "attributes": {
                            "value": "active"
                        }
                    }
                ]
            }
        },
        "forwardingResult": {
            "type": "conditional",
            "attributes": {
                "expression": "$emailForward eq true",
                "positiveCondition": "$recipientValue",
                "negativeCondition": "",
                "emailForward": {
                    "type": "firstValid",
                    "attributes": {
                        "values": [
                            {
                                "type": "identityAttribute",
                                "attributes": {
                                    "name": "emailforward"
                                }
                            },
                            {
                                "type": "static",
                                "attributes": {
                                    "value": "false"
                                }
                            }
                        ]
                    }
                },
                "recipientValue": {
                    "type": "firstValid",
                    "attributes": {
                        "values": [
                            {
                                "type": "accountAttribute",
                                "attributes": {
                                    "sourceName": "CORP HR",
                                    "attributeName": "ForwardingRecipient"
                                }
                            },
                            {
                                "type": "static",
                                "attributes": {
                                    "value": ""
                                }
                            }
                        ]
                    }
                }
            }
        }
    },
    "internal": false
}

These work for an Identity that is terminated and moves to ‘Sunset’, but cause all other Identities to error because of the ‘blank’.

Was really hoping to use Attribute Sync, but haven’t figured it out.

Any thoughts or suggestions?

Thanks!
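To see which identities the ‘deliverAndForward’ conditional transform above leaves blank before Attribute Sync is enabled, here is an added example (not part of the original posts and not SailPoint's code): a simplified Python model of the conditional, firstValid, static and identityAttribute transform types, run over constructed identities. Skipping empty strings in firstValid and the sample identity names are assumptions.

```python
import re

# Compact copy of the thread's deliverAndForward transform (same logic).
DELIVER_AND_FORWARD = {"type": "conditional", "attributes": {
    "expression": "$lifecycleState eq sunset",
    "positiveCondition": "$forwardingResult",
    "negativeCondition": "",
    "lifecycleState": {"type": "firstValid", "attributes": {"values": [
        {"type": "identityAttribute", "attributes": {"name": "cloudLifecycleState"}},
        {"type": "static", "attributes": {"value": "active"}}]}},
    "forwardingResult": {"type": "conditional", "attributes": {
        "expression": "$emailForward eq true",
        "positiveCondition": "false",
        "negativeCondition": "",
        "emailForward": {"type": "firstValid", "attributes": {"values": [
            {"type": "identityAttribute", "attributes": {"name": "emailforward"}},
            {"type": "static", "attributes": {"value": "false"}}]}},
    }},
}}
RESERVED = {"expression", "positiveCondition", "negativeCondition"}

def evaluate(node, identity):
    """Evaluate one transform node (simplified model) against identity attributes."""
    kind, attrs = node["type"], node["attributes"]
    if kind == "static":
        return attrs["value"]
    if kind == "identityAttribute":
        return identity.get(attrs["name"])
    if kind == "firstValid":  # assumption: None and "" are both skipped
        results = (evaluate(child, identity) for child in attrs["values"])
        return next((v for v in results if v not in (None, "")), None)
    if kind == "conditional":
        # Nested transforms become $variables for the expression and both branches.
        env = {k: evaluate(v, identity) or "" for k, v in attrs.items() if k not in RESERVED}
        expand = lambda text: re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), ""), text)
        left, right = expand(attrs["expression"]).split(" eq ", 1)
        branch = "positiveCondition" if left.strip() == right.strip() else "negativeCondition"
        return expand(attrs[branch])
    raise ValueError(f"unsupported transform type: {kind}")

def blank_results(transform, identities):
    """Names of identities for which the transform would return an empty value."""
    return [i["name"] for i in identities if evaluate(transform, i) in (None, "")]

# Constructed sample identities (not taken from the thread).
IDENTITIES = [
    {"name": "sunset-forward", "cloudLifecycleState": "sunset", "emailforward": "true"},
    {"name": "sunset-no-forward", "cloudLifecycleState": "sunset", "emailforward": "false"},
    {"name": "active-user", "cloudLifecycleState": "active", "emailforward": "false"},
    {"name": "no-lcs-yet"},
]
```

Only the sunset identity flagged for forwarding gets a value (`false`); `blank_results(DELIVER_AND_FORWARD, IDENTITIES)` lists every other identity, which matches the population reported as erroring.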

For all other cases than sunset, what if you retrieved the current EXO property?

Like:

{
    "name": "deliverAndForward",
    "type": "static",
    "attributes": {
        "value": "#if($lifecycleState == 'sunset' && $emailForward == 'true')false#{else}$exoForwardEnabled#end",
        "lifecycleState": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "cloudLifecycleState"
                        }
                    },
                    {
                        "type": "static",
                        "attributes": {
                            "value": "active"
                        }
                    }
                ]
            }
        },
        "emailForward": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "emailforward"
                        }
                    },
                    {
                        "type": "static",
                        "attributes": {
                            "value": "false"
                        }
                    }
                ]
            }
        },
        "exoForwardEnabled": {
            "type": "accountAttribute",
            "attributes": {
                "sourceName": "Exchange Online",
                "attributeName": "DeliverToMailboxAndForwardAttribute"
            }
        }
    },
    "internal": false
}

This will keep the Identity Attribute and account attribute always the same, and sync will not be triggered except in the sunset case.

Also one remark:

  • In a transform, except for lifecycleState, a transform associated with Identity attributes should always prioritize the account attributes if possible:
  • Like, instead of:
    {
        "type": "identityAttribute",
        "attributes": {
            "name": "emailforward"
        }
    }
  • I should use, if possible:
    {
        "type": "accountAttribute",
        "attributes": {
            "sourceName": "Your HR Source Name",
            "attributeName": "emailforwardAttribute"
        }
    }

I’ll give this a try and report back results, thank you!


Tried this with high hopes, however, I am still getting: “sailpoint.api.AttributePromotionException: Applying transform[reference] to attribute[deliverAndForward] failed”

I’m thinking it is because the values on the actual EXO accounts are also blank by default until populated. So this too is trying to return a ‘blank’ for the Transform.
