What is the best way to manage Entitlement precedence?
Hi all, forgive me for being fairly new to ISC.
Users in my company, by birthright, are created with some kind of a combination of MS licenses.
My question is what is the best way to automate, e.g. user is born with entitlement A+B (F1+ Exchange Online Kiosk) in a role (the role can not be revoked as it contains multiple other access profiles) and user’s manager decides to purchase a different license, e.g entitlement C (Standardpack), that has more features.
I need now the user having A+C instead and suspend B so I avoid double licensing. Each entitlement is a AD security group pointing at a license.
Put entitlement A in a role that you assign by birthright. Put entitlement B in an access profile, which you provision by using the Provisioning settings on the ‘active’ state in your identity profile. That will give A and B when someone joins the org
Build it in to your business process to have managers request to remove B when adding C. Set up a SOD policy that will alert when C is being requested and the user still has B, which should remind the manager to submit a request to remove B. Run a report weekly to catch any that have fallen through the cracks.
This seems a bit manual of a process. I am more looking to automate it, where ISC has a predefined priority list with role/ap or entitlement precedence and revokes one when the other is assigned automatically.