Source Dependency in ISC

Hi Team,

I have a requirement wherein the request for Azure PIM roles will be made from the ServiceNow Service Catalogue. The implementation at our client's side is that we need to first create an Active Directory account; a sync will then create the Azure account. After the Azure account is created, we need to add the Azure PIM role to it.

I am not sure how we can implement this in ISC without the Application dependency feature we have in IIQ. Has anyone come across this scenario and implemented anything along these lines?

Need to create a workflow to do the following:
1) create the AD account
2) sync it to Azure (this ensures the newly created account is replicated in Azure)
3) assign the Azure PIM role

The request coming from ServiceNow will be for an Azure group. What trigger should we use in ISC so that we create the Active Directory account first, then wait, then sync, and then add the Azure PIM role to the Azure account?

Hi @RAKGDS, are you able to challenge the requirement that it's a hybrid identity? I consider it best practice that any Entra accounts eligible for PIM roles are cloud native.


Hi @j_place,
We tried that, but this is a genuine requirement where the user will request this for a secondary privileged account. I tried, but they are not agreeing to it.


Will you be using your own catalog item and workflow for this?

No, we need to use the same Service Catalogue which is used to request access. Workflow in ISC or ITNow?

Which catalog item is that? Are you talking about the off-the-shelf SailPoint service catalog integration?

And when I say workflow, I mean a ServiceNow workflow

We are using the OOTB Service Catalogue. We did not do any customization. We just need to do this without customization on the ServiceNow side.

I see. I don’t think you can have the user request the PIM entitlement directly since SailPoint would want to create an account.

Perhaps you could:

  1. Create an access profile tied to the AD source where the account would be created. It would be linked to some dummy group used only for this purpose.
  2. Have the user request this AP.
  3. Create a role that assigns the PIM entitlement based on the user having an active Entra account and being assigned the entitlement from the access profile in step 1.
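The suggestion above gates the PIM entitlement on two facts about the identity: it holds the dummy group on the privileged AD source, and it already has an account on the privileged Entra source (i.e. the sync has happened). The following is an added illustration, not code from this thread or from SailPoint: it models that gate as a STANDARD role membership criteria tree in the operation / children / key / stringValue shape ISC uses, and walks it through the three states the thread describes (AD account just created, Entra account synced, Entra account present without the request). The source IDs, DNs and UPN are constructed placeholders, and the evaluator's handling of a missing account (it fails the check) is this example's own choice, not a statement about how ISC evaluates criteria.

```python
"""Evaluate an ISC-style role membership criteria tree against identity data.

Added example, not SailPoint code. Only the tree shape follows ISC; the
evaluator, identifiers and sample identities are constructed for illustration.
"""

# Constructed placeholder source IDs and group DN (hypothetical).
PRIV_AD_SOURCE = "src-priv-ad"
PRIV_ENTRA_SOURCE = "src-priv-entra"
DUMMY_GROUP_DN = "CN=req-entra-pim,OU=Groups,DC=corp,DC=example"

# Step 3 of the suggestion: dummy AD group on the privileged AD source
# AND an account present on the privileged Entra source.
PIM_ROLE_CRITERIA = {
    "operation": "AND",
    "children": [
        {
            "operation": "EQUALS",
            "key": {"type": "ENTITLEMENT", "property": "attribute.memberOf",
                    "sourceId": PRIV_AD_SOURCE},
            "stringValue": DUMMY_GROUP_DN,
        },
        {
            # "has an Entra account" expressed as: the UPN on that source
            # is present and non-empty.
            "operation": "NOT_EQUALS",
            "key": {"type": "ACCOUNT", "property": "attribute.userPrincipalName",
                    "sourceId": PRIV_ENTRA_SOURCE},
            "stringValue": "",
        },
    ],
}


def _account_values(identity, source_id, prop):
    """Values of `prop` across the identity's accounts on `source_id`.

    Multi-valued attributes (memberOf) are flattened; an absent account or
    attribute yields an empty list, so no leaf check can pass on it."""
    attr = prop.removeprefix("attribute.")
    values = []
    for acct in identity.get("accounts", []):
        if acct.get("sourceId") != source_id:
            continue
        v = acct.get("attributes", {}).get(attr)
        if v is None:
            continue
        values.extend(v if isinstance(v, list) else [v])
    return [str(v) for v in values]


def evaluate(criteria, identity):
    """Recursively evaluate an AND/OR tree of leaf comparisons."""
    op = criteria["operation"]
    if op in ("AND", "OR"):
        results = [evaluate(c, identity) for c in criteria["children"]]
        return all(results) if op == "AND" else any(results)
    key = criteria["key"]
    values = _account_values(identity, key["sourceId"], key["property"])
    target = criteria.get("stringValue", "")
    if op == "EQUALS":
        return target in values
    if op == "NOT_EQUALS":
        # No account on the source -> no values -> False (this example's choice).
        return any(v != target for v in values)
    if op == "CONTAINS":
        return any(target in v for v in values)
    if op == "STARTS_WITH":
        return any(v.startswith(target) for v in values)
    if op == "ENDS_WITH":
        return any(v.endswith(target) for v in values)
    raise ValueError(f"unsupported operation {op!r}")


def build_identity(has_ad_group, has_entra_account):
    """Constructed sample identity for a secondary privileged account."""
    accounts = []
    if has_ad_group:
        accounts.append({"sourceId": PRIV_AD_SOURCE, "attributes": {
            "sAMAccountName": "adm-jdoe",
            "memberOf": [DUMMY_GROUP_DN, "CN=Domain Users,CN=Users,DC=corp,DC=example"]}})
    if has_entra_account:
        accounts.append({"sourceId": PRIV_ENTRA_SOURCE, "attributes": {
            "userPrincipalName": "adm-jdoe@corp.example"}})
    return {"name": "adm-jdoe", "accounts": accounts}


def pim_role_assigned(identity):
    return evaluate(PIM_ROLE_CRITERIA, identity)


def simulate_request():
    """Role decision at each stage of the AD -> sync -> Entra sequence."""
    stages = {
        "after_ad_provision": build_identity(True, False),   # sync not yet run
        "after_entra_sync": build_identity(True, True),      # both accounts exist
        "entra_only_no_request": build_identity(False, True),  # never requested
    }
    return {name: pim_role_assigned(idn) for name, idn in stages.items()}


if __name__ == "__main__":
    for stage, assigned in simulate_request().items():
        print(f"{stage:>24}: PIM role assigned = {assigned}")
```

The point of the walk-through is the first stage: the AD account exists and the dummy group is already held, but the Entra-account leaf still fails, so the role (and with it the PIM entitlement) is withheld until the Entra Connect sync has produced the account. Once ISC aggregates the privileged Entra source and sees the account, the role evaluates true with no workflow wait step involved.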

What if the user requests 2 access profiles that have the same dummy group in them? Will you be able to request them in the Service Catalogue? Can we request 2 access profiles with different names and the same access profile?

Hi @RAKGDS, still trying to get my head around the requirement. Is this for a second "admin" account for the user? If not, how does the user get an identity/ServiceNow account in the first place? How does PIM role eligibility work in this context?

Hi @j_place,

This is the requirement. This user is requesting secondary privileged accounts. The request should be for Azure PIM for this account. The architecture here is that we first need to create an AD account and then wait for the sync to create the Azure account. Once this is completed, you need to add the Azure PIM role that you requested from the Service Catalogue. Hope this clarifies.

Thanks
Rakesh Bhati

Thanks @RAKGDS. Apologies for the questions; like I say, just trying to clarify the requirement. Can I assume you've got 2 AD connectors? Is PIM role eligibility assigned to groups or to users directly? You've mentioned both groups and roles above.

Hi @j_place,

No problem. Yes, we will have two sources: one for Primary ID creation and another for privileged accounts on-premises. These two sources will be Active Directory. We are considering two Entra sources: one for the Primary ID and another as the Privileged source. The request will be for an Access Profile from the second (Privileged) Entra source, which will create the account on the second (Privileged) on-premises source, sync the account to the second (Privileged) Entra ID, and then add the entitlement in the second (Privileged) Entra ID.

Feel free to let me know if you need any further assistance!

Hi @RAKGDS - What is the actual Entra entitlement you want to assign? Is it an Active Role or an Eligible Role, or an Entra Group that has an Active Role or Eligible Role assigned?

It is an Entra PIM Role which we are going to provision.
https://documentation.sailpoint.com/connectors/microsoft/entra_id/help/integrating_entra_id/azure_pim_provisioning_policy.html