Removing Azure AD Entitlements using Services Standard Before provisioning rule

Sachin_Rajathadri · August 8, 2023, 7:10pm

Hello,

We are trying to remove the shared mailbox (Type: Entitlement) using Services Standard Before provisioning rule. We aggregated this as an entitlement from Azure AD source. So far, we have tried:

                       {
                            "Action": "RemoveEntitlements",
                            "Attribute": "Entitlement",
                            "Value": null
                        }

And,

                        {
                            "Action": "RemoveEntitlements",
                            "Attribute": "Entitlements",
                            "Value": null
                        }

And,

                        {
                            "Action": "RemoveEntitlements",
                            "Attribute": "groups",
                            "Value": null
                        },

We even noticed that this doesn’t come up in CCG logs (maybe because its an entitlement). We were able to remove this using certification but not using Before provisioning rule. Just FYI, we want to remove this entitlement upon LCS changes.
Any help regarding this is much appreciated. Thanks!

iam_nithesh · August 8, 2023, 7:16pm

Can you please share the entire eventConfiguration json that you have added to the cloudServicesIDNSetup

Sachin_Rajathadri · August 8, 2023, 7:23pm

Here it is,

                 "cloudServicesIDNSetup": {
            "eventConfigurations": [                
                {
                    "eventActions": [
                        {
                            "Action": "RemoveEntitlements",
                            "Attribute": "Entitlement",
                            "Value": null
                        },
                        {
                            "Action": "RemoveEntitlements",
                            "Attribute": "groups",
                            "Value": null
                        }
                    ],
                    "Identity Attribute Triggers": [
                        {
                            "Attribute": "cloudLifecycleState",
                            "Value": "inactive",
                            "Operation": "eq"
                        }
                    ],
                    "Operation": "Disable"
                }
            ]
        },

Just FYI, I have tried with both “Attribute”: “Entitlement” and “Attribute”: “groups” together and separately.

Thanks!

iam_nithesh · August 8, 2023, 7:29pm

Here is a screenshot from the READ ME file

Are Entitlements and groups the attribute names that you want to remove?

Sachin_Rajathadri · August 8, 2023, 7:35pm

This makes sense. The attribute name is sharedMailbox, I will try this and let you know. Thanks!

iam_nithesh · August 8, 2023, 7:36pm

SSI BeforeProvisioning Rule - README.pdf (110.2 KB)

File for your future reference

Sachin_Rajathadri · August 8, 2023, 7:42pm

It worked, thanks for your help!

system · October 7, 2023, 7:43pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Remove AD groups ISC Discussion and Questions	3	2731	July 19, 2023
Entitlements removal when Lifecycle State changes to inactive ISC Discussion and Questions identity-security-cloud , entitlements	4	895	July 19, 2023
Remove requested entitlements on termination ISC Discussion and Questions identity-security-cloud	10	862	November 25, 2023
Best way to remove all the entitlements from Azure AD accounts ISC Discussion and Questions identity-security-cloud , entitlements	10	310	December 30, 2023
Active directory entitlement removal ISC Discussion and Questions identity-security-cloud , lifecycle-management	4	505	December 24, 2023

Removing Azure AD Entitlements using Services Standard Before provisioning rule

Related Topics