We are all waiting for the “Auto-Reassignment of Work” feature in IDN. Meantime, what if we could leverage the Outlook / Office 365 out of office status together with workflows as a workaround?
When someone is on leave, there is a good chance that she/he sets an out of office in Outlook before leaving. That status is exposed by the Microsoft Graph API (mailbox settings) and can take one of three values:
- disabled
- scheduled (the start and end dates are exposed as scheduledStartDateTime and scheduledEndDateTime)
- alwaysEnabled
A Web Services connector can then aggregate that information, and with the new Loop and Inline Variables features in workflows, a scheduled workflow can automatically reassign pending access requests to someone else (the manager, in my case).
Note: Those artifacts are not developed, maintained or supported by SailPoint. It is a community effort.
Warning: Due to the current limitation of 50 iterations within a workflow loop operator, the workflow can only parse the first 50 pending access requests. You might want to add a “sort” or “filter” in the “Get Pending Approvals” step.
Get the artifacts
You can get the files in this repo: https://github.com/olivier-detilleux-sp/idn-out-of-office
Connector Supported Operations
Operations | Configured |
---|---|
Custom Authentication | |
Test Connection | Yes |
Account Aggregation | Yes |
Entitlement Aggregation | |
Enable Account | |
Disable Account | |
Change Password | |
Add Entitlement | |
Remove Entitlement | |
Create Account | |
Update Account | |
Get Object | |
Pass-Through Authentication | |
Delete Account | |
Unlock Account | |
Prerequisites
To allow IdentityNow to query the Microsoft Graph APIs for the out of office status of Outlook mailboxes, you need to create a new application in Azure Active Directory with the following permissions:
API | Type | Permission |
---|---|---|
Microsoft Graph | Delegated | User.Read |
Microsoft Graph | Application | Directory.Read.All |
Microsoft Graph | Application | MailboxSettings.Read |
Note the client id of that application and create a client secret for it.
Import the Source Config file
You need to configure the following attributes in the file for your own environment:
- connectorAttributes.client_id
- connectorAttributes.genericWebServiceBaseUrl
- connectorAttributes.connectionParameters.contextUrl for the operationType "Test Connection"
- connectorAttributes.connectionParameters.contextUrl for the operationType "Account Aggregation": this URL filters accounts on a specific skuId, which is the skuId of Office 365 Business Essentials licences.
- connectorAttributes.oauth_request_parameters.client_secret: put the clientSecret of your AAD application
- connectorAttributes.oauth_request_parameters.client_id: put the clientId of your AAD application
- connectorAttributes.token_url: replace the id in the URL with the TenantId of your AAD tenant (it can be found on the overview page in AAD)
You can then import the file using the sp-config/import API.
Transform
In order to enrich the identity with the out of office status, create a new identity attribute named outOfOffice. Import this transform and use it in your Identity Profile for the outOfOffice attribute.
Workflow
The purpose of this workflow is to forward any pending access request assigned to identities that are out of the office.
You may have to change the settings related to your IDN environment (client_id, client_secret, token_url …) that are used in the Get Pending Approvals and Forward Access Request steps.