Hello Community,
I need to create an external user in Azure AD based on the user details from a ServiceNow ticket. To do this, I first need to establish the user’s identity in the Identity Domain (IDN). Could you guide me through the process?
By “external user”, I assume you mean an Azure Guest Account?
I am going to assume you are referring to Guest accounts in your Azure tenant.
Here is what we did to manage that with a ServiceNow request and workflow.
1. Create a new Entra ID Source and ensure it’s considered an authoritative source.
2. Ensure your account filter on that source is only aggregating guest accounts.
3. Using the Graph API, create an Invitation for the guest account, but ensure the sendInvitationMessage property in the request JSON is set to false. You can use this same API call once an identity has been created to actually send out the invitation.
4. Make sure you store the Azure object ID somewhere like a scratchpad variable (assuming you’re using ServiceNow workflow) so it can be used in later steps.
5. Initiate an account aggregation for the Entra guest source using the import-accounts API endpoint.
6. Once the aggregation is finished, you can check and see that the account has been aggregated using the list-accounts API endpoint. Assuming you get a result, you will now have the identityId in the response body.
7. Repeat step 3, but change the sendInvitationMessage property to true.
For us, we go further and do provisioning requests since we have the identityId. Our main use case is creation of the guest account and provisioning them to Teams groups.
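The workflow described in the reply above (silent invitation, stash the object ID, trigger aggregation, poll list-accounts for the identityId, then re-invite with the e-mail enabled, optionally followed by an access request), as an added example that is not from the original thread, from SailPoint or from Microsoft. It is Python rather than ServiceNow workflow script so it can be run as-is: HTTP goes through a pluggable `send(method, url, json)` callable, and a constructed `FakeTransport` stands in for Graph and ISC so the flow runs offline. The tenant URL, the list-accounts filter syntax, the status codes accepted, the access-request body shape and every ID value are assumptions or constructed placeholders.

```python
import time
from urllib.parse import quote

# Constructed placeholders: tenant URL and bearer tokens are assumed to be
# supplied by the caller's transport (e.g. a ServiceNow REST message step).
GRAPH_BASE = "https://graph.microsoft.com/v1.0"
ISC_BASE = "https://TENANT.api.identitynow.com"  # placeholder tenant


def invitation_request(email, redirect_url, send_message):
    """Graph 'create invitation' call (thread steps 3 and 7). With
    sendInvitationMessage=False the guest object is created silently; the
    same call with True is what finally e-mails the guest."""
    return ("POST", f"{GRAPH_BASE}/invitations", {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": send_message,
    })


def accounts_lookup_url(source_id, object_id):
    """ISC list-accounts narrowed to the guest source and the Azure object ID
    (filter syntax is an assumption; nativeIdentity is the Entra object ID)."""
    flt = f'sourceId eq "{source_id}" and nativeIdentity eq "{object_id}"'
    return f"{ISC_BASE}/v3/accounts?filters={quote(flt)}"


def access_request_body(identity_id, entitlement_ids):
    """ISC access request granting entitlements (e.g. Teams groups) to the
    identity found in step 6; body shape is an assumption."""
    return {
        "requestedFor": [identity_id],
        "requestType": "GRANT_ACCESS",
        "requestedItems": [{"type": "ENTITLEMENT", "id": e,
                            "comment": "Guest onboarding via ServiceNow"}
                           for e in entitlement_ids],
    }


def provision_guest(send, email, redirect_url, source_id,
                    entitlement_ids=(), polls=12, delay=5.0):
    """Steps 3-7 of the thread. `send(method, url, json) -> (status, body)`."""
    status, body = send(*invitation_request(email, redirect_url, False))
    if status not in (200, 201):
        raise RuntimeError(f"invitation failed: {status} {body}")
    object_id = body["invitedUser"]["id"]   # step 4: stash the object ID

    status, body = send("POST", f"{ISC_BASE}/v3/sources/{source_id}/load-accounts", None)
    if status not in (200, 202):
        raise RuntimeError(f"aggregation failed to start: {status} {body}")

    identity_id = None
    for _ in range(polls):                  # step 6: wait until the account is correlated
        status, body = send("GET", accounts_lookup_url(source_id, object_id), None)
        if status == 200 and body and body[0].get("identityId"):
            identity_id = body[0]["identityId"]
            break
        time.sleep(delay)                   # not aggregated yet, or still uncorrelated
    if identity_id is None:
        raise RuntimeError("account never correlated; invitation e-mail withheld")

    status, body = send(*invitation_request(email, redirect_url, True))  # step 7
    if status not in (200, 201):
        raise RuntimeError(f"re-invite failed: {status} {body}")

    if entitlement_ids:
        status, body = send("POST", f"{ISC_BASE}/v3/access-requests",
                            access_request_body(identity_id, list(entitlement_ids)))
        if status not in (200, 202):
            raise RuntimeError(f"access request failed: {status} {body}")
    return {"objectId": object_id, "identityId": identity_id}


class FakeTransport:
    """Offline stand-in for Graph and ISC with constructed responses: the
    account appears only after load-accounts ran, and only gets an
    identityId on the third lookup (aggregation plus correlation lag)."""
    OBJECT_ID = "11111111-2222-3333-4444-555555555555"   # constructed

    def __init__(self):
        self.sent_flags, self.lookups, self.aggregated, self.access_requests = [], 0, False, []

    def __call__(self, method, url, json):
        if url.endswith("/invitations"):
            self.sent_flags.append(json["sendInvitationMessage"])
            return 201, {"invitedUser": {"id": self.OBJECT_ID}}
        if url.endswith("/load-accounts"):
            self.aggregated = True
            return 202, {"task": {"id": "task-constructed-1"}}
        if "/v3/accounts?" in url:
            self.lookups += 1
            if not self.aggregated or self.lookups == 1:
                return 200, []
            acct = {"id": "acct-constructed", "nativeIdentity": self.OBJECT_ID}
            if self.lookups >= 3:
                acct["identityId"] = "identity-constructed-1"
            return 200, [acct]
        if url.endswith("/access-requests"):
            self.access_requests.append(json)
            return 202, {}
        return 404, {"error": "unknown endpoint"}


def run_demo():
    fake = FakeTransport()
    result = provision_guest(fake, "guest@partner.example", "https://myapps.microsoft.com",
                             "src-guest-constructed", ["ent-teams-constructed"], delay=0)
    return result, fake
```

The ordering is the point of the design: the guest is e-mailed only after ISC has correlated the account to an identity, so the workflow never invites someone whose access ISC cannot govern, and if correlation never happens the run fails before any invitation goes out. Scope the Graph app registration to what this call needs (User.Invite.All) rather than a broad directory permission.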
Hello Mark,
What about the guest user’s information like their email address and their role assignment, which would come from ServiceNow forms? How can I get that information to create the Guest User Account in Entra ID?
You have to collect that information in the form and store it in variables
You mean ServiceNow forms, and then it will be stored in variables? Sorry, I am new to this and do not have much idea about it.
Correct. The fields on ServiceNow forms are called variables and they can be utilized in ServiceNow workflows.
There are 2 ways of doing this.
You can call SailPoint forms through APIs and associate the form with the workflow to do the required job as needed. I think there was a Developer Days video also on how to achieve this.
The second approach is to have the user submit the form in ServiceNow and then make an API call to IDN to create a request or trigger a workflow to do the required job.
I am inclined towards using the second option, but once the ServiceNow form is submitted with the required fields, how can I create the external user in Azure AD?
Using the steps I described in my original response
I have completed step 1 and step 2, and now for calling the Graph API I need those values from ServiceNow. How can I get those values?
That entirely depends on how the catalog item and workflow are built/configured in ServiceNow. Assuming a relatively sane person built this, you would get those values from Requested Item Variables.
Thanks for your quick response, Mark. What about the roleAssignment if I want a specific group/role assignment to be assigned to the external users? Will that be possible while creating an invitation?
Hi Nirmal,
Do you have Azure AD onboarded in ISC?
Yes. I do have Azure AD onboarded.
I guess in that case, once the form is submitted, you can create an identity and then create an Azure AD account for the user via the access request APIs. I will need to check myself also.
Can you create an Azure guest account directly from ISC? I was under the impression you have to create them via invite.
You would use the ISC access request APIs to request the entitlements that map to the roles/groups in Azure you want to assign to that user.