We have a use case to reset the password for a user once the user's LCS turns to terminated. I've used the Standard Services Before Provisioning Rule to call the JSON attached below; unfortunately this event was not triggered for the user identity. Rather, remove entitlement was triggered, which was configured as part of the phase 1 development activity. Now I need to change this existing setup, i.e. remove entitlement should not be triggered for the terminated lifecycle state; rather it should trigger a password reset.
How about the below event configuration? I believe it should work:
{
  "eventActions": [
    {
      "Action": "ScramblePassword",
      "Attribute": "password",
      "Value": null
    }
  ],
  "Identity Attribute Triggers": [
    {
      "Attribute": "cloudLifecycleState",
      "Value": "terminated",
      "Operation": "eq"
    }
  ],
  "Operation": "Disable"
}

Note on "Attribute": "password": this is dependent on the schema attribute for the password, e.g. the same attribute used in the create policy for setting the password.
Some important things to consider:
The password reset operation should be defined on the source.
There should be an operation that gets triggered to disable the account once the user reaches a particular CLS. But it will not work if the account is already disabled for some reason and the user moves to the terminated CLS, because the disable action will not trigger as the account is already disabled. So if in your case the user is already disabled before the terminated status, then maybe you can change the cloud lifecycle state to make the identity enabled and then change the enable action to change the password. If you have more questions, please let me know.
Make sure to move this action to the top of the list of actions unless others should get priority. I believe if there are conflicting actions, then it should be an OR operation, but I will need to double check the code.
The attribute value in the event action is dependent on the source schema, so please adjust it properly.
Remove other events unless they are really needed.
I hope this helps.
I've the Services Standard Before Provisioning Rule deployed in my tenant, and the source which I've created has no before provisioning rule.
I tried to add/patch that to the source, but still I couldn't add it to the source.
I followed the above solution provided by @jesvin90: I tried to export the Azure AD source, added the rule name & id and exported it back again; no result, it's still showing beforeProvisioningRule : null.
Could you please assist if there is any other approach to do so?
Hi @Vikas, I was able to add the Services Standard Before Provisioning Rule to my source and configured cloudServicesIDNSetup, but I'm not able to achieve the use case as it's not generating an event for scramble password. I've configured a password policy and sync group for that source. What could be the issue here?
Thanks!
Two points which I can think of off the top of my head.
Please make sure that password reset is allowed for the source. For that you can double check the source JSON and see if the features include PASSWORD.
Another important point is when you are changing the cloud lifecycle state of the user to terminated, make sure that the user does not have a disabled account in ISC for the current source. Because if it is already disabled, then the disable action will never be performed and thus the trigger will never take place.
You can do the below, in my opinion:
Make sure that the account of the user is enabled.
Update the CLS of the user manually to terminated.
Check the events to see if the password reset was triggered. It could also be possible that it is failing.
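The replies above give a checklist for why the ScramblePassword event might never fire: the source must support password management (PASSWORD in its features), a before provisioning rule must actually be attached, the identity attribute trigger must match, and the Disable operation never runs on an account that is already disabled, so nothing chained to it runs either. The following pre-flight check is an added example written for this thread, not SailPoint's code or an ISC API call; it models the behaviour as described in the replies (that modelling is an assumption), and the source, identity and account objects are constructed samples shaped like the fields named in the thread (features, beforeProvisioningRule, cloudLifecycleState, a disabled flag).

```python
"""Pre-flight check for a Services Standard Before Provisioning Rule event
configuration. Example added to this thread; not SailPoint code. The rules
it applies are the ones stated in the replies above, not ISC's actual logic.
"""
import json

# Constructed sample: the event configuration from the thread, with the
# inline comment removed so it parses as JSON.
EVENT_CONFIG = json.loads("""
{
  "eventActions": [
    {"Action": "ScramblePassword", "Attribute": "password", "Value": null}
  ],
  "Identity Attribute Triggers": [
    {"Attribute": "cloudLifecycleState", "Value": "terminated", "Operation": "eq"}
  ],
  "Operation": "Disable"
}
""")

# Constructed sample source objects: only the fields this check looks at
# (features, beforeProvisioningRule), as they appear in an exported source.
SOURCE_OK = {
    "name": "Azure AD (sample)",
    "features": ["ENABLE", "PASSWORD", "SYNC_PROVISIONING"],
    "beforeProvisioningRule": {"name": "Services Standard Before Provisioning Rule"},
}
SOURCE_NO_PASSWORD = {
    "name": "HR feed (sample)",
    "features": ["ENABLE"],
    "beforeProvisioningRule": None,
}


def trigger_matches(config, identity):
    """Evaluate the identity attribute triggers; only 'eq' is modelled here."""
    for trig in config.get("Identity Attribute Triggers", []):
        if trig.get("Operation", "eq") != "eq":
            raise ValueError("unsupported trigger operation %r" % trig["Operation"])
        if identity.get(trig["Attribute"]) != trig["Value"]:
            return False
    return True


def preflight(config, source, identity, account):
    """Return the list of reasons the ScramblePassword event would not fire.

    identity: dict of identity attributes (e.g. cloudLifecycleState)
    account:  dict with a 'disabled' bool for the identity's account on source
    An empty list means every check from the thread passed.
    """
    problems = []
    actions = [a.get("Action") for a in config.get("eventActions", [])]
    if "ScramblePassword" not in actions:
        problems.append("no ScramblePassword action in eventActions")
    if config.get("Operation") != "Disable":
        problems.append("event is not tied to the Disable operation")
    if not trigger_matches(config, identity):
        problems.append("identity attribute triggers do not match this identity")
    if source.get("beforeProvisioningRule") is None:
        problems.append("source has no before provisioning rule attached")
    if "PASSWORD" not in source.get("features", []):
        problems.append("source features do not include PASSWORD")
    # Per the thread: Disable never runs on an already-disabled account,
    # so the scramble chained to it never runs either.
    if account.get("disabled"):
        problems.append("account already disabled; Disable will not run, so no scramble")
    return problems


if __name__ == "__main__":
    terminated = {"cloudLifecycleState": "terminated"}
    print("enabled account on good source:",
          preflight(EVENT_CONFIG, SOURCE_OK, terminated, {"disabled": False}))
    print("already disabled account:",
          preflight(EVENT_CONFIG, SOURCE_OK, terminated, {"disabled": True}))
    print("source without PASSWORD feature:",
          preflight(EVENT_CONFIG, SOURCE_NO_PASSWORD, terminated, {"disabled": False}))
```

Run it against the exported JSON of your own source (and the identity and account state you see in ISC) and fix every reported problem before changing the CLS to terminated; the check that matters most in this thread is the last one, because an account that is already disabled produces no Disable operation and therefore no scramble.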