Hi,
I’m using Service Standard Before Provisioning to remove all the groups from Azure AD source during termination. I want to check if there is an option to give a filter to ignore group removal for a particular group during account disable.
I don’t think there’s a filter but if you set the “memberOf” attribute to that group, it will remove all other groups except that one. If you have multiple you need to filter, a leaver certification campaign is probably a better way to go.
The Services Standard IdentityNow BeforeProvisioning Rule supports the “Remove AD Entitlements” action. It sets the memberOf attribute (or equivalent for Azure AD groups) to a single specified group, effectively removing all other groups while retaining the one you want to keep.
Below is an example event config:
{
  "Operation": "Disable",
  "Identity Attribute Triggers": [
    {
      "Attribute": "cloudLifecycleState",
      "Operation": "eq",
      "Value": "inactive"
    }
  ],
  "eventActions": [
    {
      "Action": "RemoveADEntitlements",
      "Attribute": "memberOf",
      "Value": "CN=YourGroupToKeep,OU=Groups,DC=yourdomain,DC=com"
    }
  ]
}