Leveraging Outlook "Out of Office Status" and Workflow for Auto-Reassignment of Work during holidays

We are all waiting for the “Auto-Reassignment of Work” feature in IDN. In the meantime, what if we could leverage the Outlook (Office 365) out-of-office status and workflows as a workaround?

When someone is on leave, there is a good chance that she/he sets an out-of-office reply in Outlook before leaving. This status is available through the Azure AD Graph API. It can return 3 different values:

  • disabled
  • scheduled (startDate and endDate are available in scheduledStartDateTime and scheduledEndDateTime)
  • alwaysEnabled

We can then have a web service connector retrieve that info. With the new Loop feature and Inline Variables in workflows, we can create a scheduled workflow that automatically reassigns pending access requests to someone else (the manager in my case).

Note: These artifacts are not developed, maintained or supported by SailPoint. This is a community effort.

Warning: Due to the current limitation of 50 iterations within a workflow loop operator, the workflow can only parse the first 50 pending access requests. You might want to add a “sort” or “filter” in the “Get Pending Approvals” step.
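The three status values do not all mean "out of office right now": `scheduled` only applies inside its window. The following Python is an added example, not part of the original artifacts, showing one way to turn the mailbox setting into a reassignment decision. The function names, the UTC-only handling and the sample payloads are assumptions made for illustration.

```python
from datetime import datetime, timezone

def _parse_utc(dt_tz):
    """Parse a Graph dateTimeTimeZone object; return None unless it is valid UTC."""
    # Assumption: only "UTC" is handled here; other zone names are rejected.
    if not isinstance(dt_tz, dict) or dt_tz.get("timeZone") != "UTC":
        return None
    raw = str(dt_tz.get("dateTime", "")).split(".")[0]  # drop fractional seconds
    try:
        parsed = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc)

def is_out_of_office(auto_replies, now=None):
    """Return True only when the mailbox owner is out of office at `now`."""
    if not isinstance(auto_replies, dict):
        return False
    now = now or datetime.now(timezone.utc)
    status = auto_replies.get("status")
    if status == "alwaysEnabled":
        return True
    if status == "scheduled":
        start = _parse_utc(auto_replies.get("scheduledStartDateTime"))
        end = _parse_utc(auto_replies.get("scheduledEndDateTime"))
        # Unparseable or inverted window: keep the approval with its owner.
        if start is None or end is None or start > end:
            return False
        return start <= now <= end
    # "disabled", missing or unknown values never trigger a reassignment.
    return False

# Constructed sample of an automaticRepliesSetting payload (not real data).
SAMPLE_SCHEDULED = {
    "status": "scheduled",
    "scheduledStartDateTime": {"dateTime": "2024-08-01T00:00:00.0000000",
                               "timeZone": "UTC"},
    "scheduledEndDateTime": {"dateTime": "2024-08-15T00:00:00.0000000",
                             "timeZone": "UTC"},
}

if __name__ == "__main__":
    during = datetime(2024, 8, 5, tzinfo=timezone.utc)
    before = datetime(2024, 7, 20, tzinfo=timezone.utc)
    print(is_out_of_office(SAMPLE_SCHEDULED, during))  # inside the window
    print(is_out_of_office(SAMPLE_SCHEDULED, before))  # scheduled, not started
```

Treating every doubtful case as "not out of office" means a malformed or unexpected response leaves the approval with its original owner instead of forwarding it.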

Get the artifacts

You can get the files in this repo: https://github.com/olivier-detilleux-sp/idn-out-of-office

Connector Supported Operations

| Operations | Configured |
|---|---|
| Custom Authentication | |
| Test Connection | Yes |
| Account Aggregation | Yes |
| Entitlement Aggregation | |
| Enable Account | |
| Disable Account | |
| Change Password | |
| Add Entitlement | |
| Remove Entitlement | |
| Create Account | |
| Update Account | |
| Get Object | |
| Pass-Through Authentication | |
| Delete Account | |
| Unlock Account | |

Prerequisites

To allow IdentityNow to query the Microsoft Graph APIs for the out-of-office status of Outlook mailboxes, you need to create a new application in Azure Active Directory with the permissions below:

| API | Type | Permission |
|---|---|---|
| Microsoft Graph | Delegated | User.Read |
| Microsoft Graph | Application | Directory.Read.All |
| Microsoft Graph | Application | MailboxSettings.Read |

Get a client secret and id for that application.

Import the Source Config file

You need to configure the following attributes in the file for your own environment:

  • connectorAttributes.client_id
  • connectorAttributes.genericWebServiceBaseUrl
  • connectorAttributes.connectionParameters.contextUrl for the operationType "Test Connection"
  • connectorAttributes.connectionParameters.contextUrl for the operationType "Account Aggregation": it contains a specific skuId used to filter accounts. This is the skuId of Office365 Business Essentials licences.
  • connectorAttributes.oauth_request_parameters.client_secret: put the clientSecret of your AAD application
  • connectorAttributes.oauth_request_parameters.client_id: put the clientId of your AAD application
  • connectorAttributes.token_url: you need to replace the id with the TenantId of your AAD Tenant (can be found in the overview page in AAD)

You can then import the file using the sp-config/import API.

Transform

In order to enrich the Identity with the Out of Office Status, create a new attribute named outOfOffice. Import this transform, and use it in your IdentityProfile for the outOfOffice attribute.

Workflow

The purpose of this workflow is to forward any pending access request assigned to identities that are out of the office.


You may have to change the settings related to your IDN environment (client_id, client_secret, token_url …) that are used in the Get Pending Approvals and Forward Access Request steps.


Archiving this topic since Work Reassignment is now GA. With the new SaaS Connectivity framework, I’ve developed a custom connector to get OOO status from Outlook and a workflow to set / delete work reassignments: