Services Standard Before Provisioning Rule Not Triggering for Azure AD

Hi, I’m running into an issue where my Services Standard Before Provisioning Rule is not executing. Below is the rule:

```json
[
    {
        "op": "add",
        "path": "/connectorAttributes/cloudServicesIDNSetup",
        "value": {
            "eventConfigurations": [
                {
                    "eventActions": [
                        {
                            "Action": "ChangeOperation",
                            "Attribute": null,
                            "Value": "Enable"
                        },
                        {
                            "Action": "RemoveEntitlements",
                            "Attribute": "groups",
                            "Value": null
                        },
                        {
                            "Action": "RemoveEntitlements",
                            "Attribute": "servicePrincipals",
                            "Value": null
                        }
                    ],
                    "Identity Attribute Triggers": [
                        {
                            "Attribute": "cloudLifecycleState",
                            "Value": "recentInactive",
                            "Operation": "eq"
                        }
                    ],
                    "Operation": "Disable"
                }
            ]
        }
    }
]
```

The rule seems to not be recognized by IDN as the ChangeOperation is ignored and no entitlements are even requested to be removed from the user’s account in Azure AD. Azure AD is configured to be disabled upon entering the recentInactive lifecycle state within the id profile.
Any ideas?

Hi @edkmak,

Welcome to the community. Here are the steps that could help troubleshoot the issue:

  1. Check if you have the before provisioning rule assigned to the source. You can make use of the Visual Studio Code extension and check the source to see if the values exist under the before provisioning. If not, add them as below:

image

  2. Make sure you see the event configurations under the source.

  3. Click on the Disable button under the accounts section to see the disable operation behavior, and check the events/search to see the activities that are generated.

  4. Remove the Identity trigger from the event config and check the behavior on clicking the disable button.

Let me know how it goes.

@jesvin90 I don’t see anything under the “beforeProvisioningRule” in the Azure AD source. However, I am unsure what values to populate into the “id” and “name” values. I thought the Services Standard Before Provisioning Rule is added to the source? I cannot find an id or name value available.

Hi @edkmak,

Have you uploaded the rule to the cloud? If yes, do a GET call to https://{{tenant}}.api.{{domain}}.com/cc/api/rule/list and you should be able to get the rule ID and name, which can then be added to your Azure source.

If the rule is not deployed yet, you can raise a SailPoint ticket to do that or make use of the SP-config. Take a look at the below thread which can be helpful.

OK, did you attach the rule to your source?

SailPoint will deploy the rule in the cloud but won’t patch it to the source, right.

Thanks
Krish

I have added the beforeProvisioningRule id and name to the Azure AD source and it seems to be picking it up now.

I am having trouble removing the entitlements but it seems that the rule is at least executing.
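
The first two troubleshooting steps from this thread, written as an offline check over an exported source document. This is an added example, not code from the posters or from SailPoint; it assumes the rule reference sits under `beforeProvisioningRule` with `id` and `name` as discussed above, and `check_source` and the sample document are constructed for illustration.

```python
import json

# Constructed sample: an Azure AD source after the thread's JSON Patch was
# applied but before any rule was attached (names and values are placeholders).
SAMPLE_SOURCE = json.loads("""
{
  "name": "Azure AD (constructed sample)",
  "beforeProvisioningRule": null,
  "connectorAttributes": {
    "cloudServicesIDNSetup": {
      "eventConfigurations": [
        {
          "eventActions": [
            {"Action": "ChangeOperation", "Attribute": null, "Value": "Enable"},
            {"Action": "RemoveEntitlements", "Attribute": "groups", "Value": null}
          ],
          "Identity Attribute Triggers": [
            {"Attribute": "cloudLifecycleState", "Value": "recentInactive", "Operation": "eq"}
          ],
          "Operation": "Disable"
        }
      ]
    }
  }
}
""")


def check_source(source):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    # Step 1: the rule must be referenced on the source by id and name.
    rule = source.get("beforeProvisioningRule") or {}
    missing = [k for k in ("id", "name") if not rule.get(k)]
    if missing:
        findings.append("beforeProvisioningRule missing: " + ", ".join(missing))
    # Step 2: the event configurations the rule reads must exist on the source.
    setup = (source.get("connectorAttributes") or {}).get("cloudServicesIDNSetup") or {}
    configs = setup.get("eventConfigurations") or []
    if not configs:
        findings.append("no eventConfigurations under cloudServicesIDNSetup")
    for i, cfg in enumerate(configs):
        for key in ("Operation", "eventActions"):
            if not cfg.get(key):
                findings.append(f"eventConfigurations[{i}] missing {key}")
    return findings


if __name__ == "__main__":
    for finding in check_source(SAMPLE_SOURCE) or ["source looks wired up"]:
        print(finding)
```

On the constructed sample this reports the missing rule reference, which is the state the thread started in: the event configuration was present on the source but nothing was attached to act on it.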
