We have a well-defined PowerShell script in place for some AD changes. Can a workflow trigger that PowerShell script (inside the IQ server) when identity changes and modifications are applied to the AD source?
For this you are going to want an after provision connector rule. Currently I am not aware of any workflow actions that call PowerShell scripts. It would be nice if that were a thing, but at least we have the connector rule that can call the script. I have attached an example of how you can do this.
JSON:
{
"description": "This ConnectorAfterCreate will enable exchange online mailbox.",
"type": "ConnectorAfterCreate",
"signature": {
"input": [],
"output": null
},
"sourceCode": {
"version": "2021-03-05 15:26:29",
"script": "\n\n\t\t#$logDate = Get-Date -UFormat \"%Y%m%d\"\n\t\t\t#$logFile = \"C:\\IDNProvisioningScripts\\IDNProvisioningLogs_$logDate.log\"\n\t\t\t$command = \"C:\\IDNProvisioningScripts\\IDN-MailProvisioning.ps1\"\n\t\t\t$generate_guid = \"C:\\IDNProvisioningScripts\\IDN-ImmutableID.ps1\"\n\t\t\t$enableDebug = $true\n\t\t\t[string]$LogSource = \"IDNScripts\"\n\t\t#====================-------Helper functions-------====================\n\t\t Function LogWrite\n\t\t\t{\n\t\t\t\tParam (\n\t\t\t\t\t[string]$LogString\n\t\t\t\t\t ,\n\t\t\t\t\t[string]$EntryType\n\t\t\t\t\t ,\n\t\t\t\t\t[int]$EventID\n\t\t\t\t\t ,\n\t\t\t\t\t[string]$Source = 'Unspecified'\n\t\t\t\t\t ,\n\t\t\t\t\t[boolean]$DebugLog = $false\n\t\t\t\t)\n\t\n\t\t\t\t[boolean]$logExists = Get-EventLog -list | Where-Object { $_.log -eq \"SSMScripts\" }\n\t\n\t\t\t\tif (! $logExists)\n\t\t\t\t{\n\t\t\t\t\tNew-EventLog -LogName SSMScripts -Source \"User\", \"Computer\", \"Other\", \"Admin\", $Source\n\t\t\t\t\tLimit-Eventlog -OverflowAction OverwriteAsNeeded -LogName \"SSMScripts\" -MaximumSize 2048kb\n\t\t\t\t\tLogWrite -EntryType 'Information' -Source 'Admin' -EventID 9999 -logstring \"SSM Script Log Initialized\"\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tif (! 
([System.Diagnostics.EventLog]::SourceExists($Source)))\n\t\t\t\t\t{\n\t\t\t\t\t\tNew-EventLog -LogName SSMScripts -Source $Source, \"Admin\" -ErrorAction SilentlyContinue\n\t\t\t\t\t\tLogWrite -EntryType 'Information' -Source 'Admin' -EventID 9999 -logstring \"Added New Source To Event Log: $Source\"\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif ($DebugLog -eq $true) { Write-Host $LogString } #Write to screen\n\t\n\t\t\t\t[string]$LogWrite = ($LogString)\n\t\n\t\t\t\tWrite-EventLog -LogName SSMScripts -Source $Source -EntryType $EntryType -EventID $EventID -Message $LogWrite\n\t\n\t\t}\n\t\t#====================-------Get the request object-------====================\n\t\t Try{\n\t\t if($enableDebug) {\n\t\n\t\t LogWrite -EntryType 'Information' -Source $LogSource -EventID 1001 -logstring \"Entering SailPoint Exchange Online rule\"\n\t\t }\n\t try\n\t {\n\t\t Add-type -path C:\\Users\\Administrator.LAB3CHILD\\Downloads\\IQService\\utils.dll;\n\t }\n\t catch\n\t {\n\t LogWrite -EntryType 'Warning' -Source $LogSource -EventID 1001 -logstring \"Not able to add utils.dll from lab path.\"\n\t\n\t }\n\t try\n\t {\n\t Add-type -path E:\\IQService\\utils.dll;\n\t }\n\t catch\n\t {\n\t LogWrite -EntryType 'Warning' -Source $LogSource -EventID 1001 -logstring \"Not able to add utils.dll from production path.\"\n\t }\n\t\t # Read the environment variables\n\t\t $sReader = New-Object System.IO.StringReader( [System.String]$env:Request );\n\t\t $sResult = New-Object System.IO.StringReader( [System.String]$env:Result );\n\t\t # Form the xml reader object\n\t\t $xmlReader = [System.xml.XmlTextReader]( [sailpoint.utils.xml.XmlUtil]::getReader( $sReader ) );\n\t\t $xmlReader_Result = [System.xml.XmlTextReader]( [sailpoint.utils.xml.XmlUtil]::getReader( $sResult ) );\n\t\t # Create SailPoint Request object\n\t\t $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest( $xmlReader );\n\t\t $resultObject = New-object Sailpoint.Utils.objects.ServiceResult( $xmlReader_Result );\n\t\t 
$requestAsString = $env:Request\n\t\n\t\t $createdOnServer = $resultObject.Attributes[\"createdOnServer\"];\n\t\t LogWrite -EntryType 'Information' -Source $LogSource -EventID 1001 -logstring \"Account created on: $createdOnServer\"\n\t\t # Get sAMAccountName\n\t\t foreach ( $attribute in $requestObject.AttributeRequests ) {\n\t\t if ( $attribute.Name -eq \"sAMAccountName\" ) {\n\t\t $sAMAccountName = $attribute.Value;\n\t\t }\n\t\t if ( $attribute.Name -eq \"memberOf\" ) {\n\t\t $memberOf = $attribute.Value;\n\t\t $attributeOperation = $attribute.Operation;\n\t\t }\n\t\t }\n\t\t if ( $enableDebug ) {\n\t\n\t\t LogWrite -EntryType 'Information' -Source $LogSource -EventID 1001 -logstring \"Request as XML object is: $requestAsString\"\n\t\n\t\t LogWrite -EntryType 'Information' -Source $LogSource -EventID 1001 -logstring \"sAMAccountName is: $sAMAccountName\"\n\t\t }\n\t\t #Call the client script if there's no errors in the results.\n\t\t foreach($member in $memberOf) {\n\t\t if ( ( $member -like \"CN=G999-O365-ClinicalWorker-F3*\" -or $member -like \"CN=G999-O365-KnowledgeWorker-E5*\") -and ( $attributeOperation -like \"Add\" ) ) {\n\t\t $command = -join ( $command, \" -UserID '$sAMAccountName' -ssmExch '1'\" )\n\t\t $output = Invoke-Expression $command\n\t\n\t\t LogWrite -EntryType 'Information' -Source $LogSource -EventID 1001 -logstring \"AfterCreate - Customer script Output: $output\"\n\t\t }\n\t\t }\n\t\t $generate_guid = -join ( $generate_guid, \" -UserID '$sAMAccountName'\" )\n\t\t $generate_guid_output = Invoke-Expression $generate_guid\n\t\t $timestampString = (Get-Date -Format \"yyyy-MM-dd_HH-mm-ss\").ToString()\n\t\t LogWrite -EntryType 'Information' -Source $LogSource -EventID 1001 -logstring \"AfterCreate - Customer script Output: $generate_guid_output\"\n\t\t } Catch {\n\t\t $ErrorMessage = $_.Exception.Message\n\t\t #$ErrorItem = $_.Exception.ItemName\n\t\t #LogWrite(\"Error: Item = $ErrorItem -> Message = $ErrorMessage\")\n\t\t LogWrite -EntryType 
'Error' -Source $LogSource -EventID 1002 -logstring \"Error: -> Message = $ErrorMessage\"\n\t\t }\n\t\t if ( $enableDebug ) {\n\t\n\t\t LogWrite -EntryType 'Information' -Source $LogSource -EventID 1001 -logstring \"Exiting SailPoint Exchange Online rule\"\n\t\t }\n #$requestObject.toxml() | out-file $logfilename -append\n\n\t"
},
"attributes": {
"ObjectOrientedScript": "true",
"extension": ".ps1",
"sourceVersion": "2021-03-05 15:26:29",
"disable": false,
"disabled": "false",
"program": "powershell.exe",
"timeout": "360"
},
"id": "b57382d6f6194594bbca2076db19fd33",
"name": "AfterCreate Exchange Online",
"created": "2022-05-05T05:11:39.494Z",
"modified": "2023-01-24T23:06:23.024Z"
}
CODE:
#$logDate = Get-Date -UFormat "%Y%m%d"
#$logFile = "C:\IDNProvisioningScripts\IDNProvisioningLogs_$logDate.log"
# Paths of the two customer scripts this rule hands off to:
# mailbox provisioning and ImmutableID generation.
[string]$command       = 'C:\IDNProvisioningScripts\IDN-MailProvisioning.ps1'
[string]$generate_guid = 'C:\IDNProvisioningScripts\IDN-ImmutableID.ps1'
# When $true, rule entry/exit and the request details are also written to the event log.
[bool]$enableDebug = $true
# Event log source name used for every LogWrite call made by this rule.
[string]$LogSource = 'IDNScripts'
#====================-------Helper functions-------====================
Function LogWrite
{
    <#
    .SYNOPSIS
        Writes one entry to the SSMScripts Windows event log, creating the log
        and registering the source on first use.
    .PARAMETER LogString
        Message text of the event.
    .PARAMETER EntryType
        Entry type handed to Write-EventLog (e.g. 'Information', 'Warning', 'Error').
    .PARAMETER EventID
        Numeric event id for the entry.
    .PARAMETER Source
        Event source name; registered under SSMScripts if it does not exist yet.
    .PARAMETER DebugLog
        When $true the message is additionally echoed with Write-Host.
    #>
    Param (
        [string]$LogString,
        [string]$EntryType,
        [int]$EventID,
        [string]$Source = 'Unspecified',
        [boolean]$DebugLog = $false
    )

    # Does the custom log already exist on this host?
    [boolean]$haveLog = Get-EventLog -list | Where-Object { $_.log -eq "SSMScripts" }

    if ($haveLog)
    {
        # Log exists; make sure the caller's source is registered before writing with it.
        if (-not [System.Diagnostics.EventLog]::SourceExists($Source))
        {
            New-EventLog -LogName SSMScripts -Source $Source, "Admin" -ErrorAction SilentlyContinue
            LogWrite -EntryType 'Information' -Source 'Admin' -EventID 9999 -logstring "Added New Source To Event Log: $Source"
        }
    }
    else
    {
        # First use on this host: create the log with the standard sources plus the
        # caller's, cap its size, then record the initialisation (recursive call now
        # that the log exists).
        New-EventLog -LogName SSMScripts -Source "User", "Computer", "Other", "Admin", $Source
        Limit-Eventlog -OverflowAction OverwriteAsNeeded -LogName "SSMScripts" -MaximumSize 2048kb
        LogWrite -EntryType 'Information' -Source 'Admin' -EventID 9999 -logstring "SSM Script Log Initialized"
    }

    # Optional console echo for interactive debugging.
    if ($DebugLog) { Write-Host $LogString }

    Write-EventLog -LogName SSMScripts -Source $Source -EntryType $EntryType -EventID $EventID -Message $LogString
}
#====================-------Get the request object-------====================
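Try {
    if ($enableDebug) {
        LogWrite -EntryType 'Information' -Source $LogSource -EventID 1001 -logstring "Entering SailPoint Exchange Online rule"
    }

    # Load the IQService helper assembly. The first path is a lab convenience (a user
    # profile Downloads folder); the second is the production install location.
    # NOTE(review): drop the lab path before deploying so the rule never loads a DLL
    # from a user-writable directory.
    try
    {
        Add-type -path C:\Users\Administrator.LAB3CHILD\Downloads\IQService\utils.dll;
    }
    catch
    {
        LogWrite -EntryType 'Warning' -Source $LogSource -EventID 1001 -logstring "Not able to add utils.dll from lab path."
    }
    try
    {
        Add-type -path E:\IQService\utils.dll;
    }
    catch
    {
        LogWrite -EntryType 'Warning' -Source $LogSource -EventID 1001 -logstring "Not able to add utils.dll from production path."
    }

    # IQService hands the provisioning request and its result to the rule as XML
    # in the Request / Result environment variables.
    $sReader = New-Object System.IO.StringReader( [System.String]$env:Request );
    $sResult = New-Object System.IO.StringReader( [System.String]$env:Result );
    $xmlReader = [System.xml.XmlTextReader]( [sailpoint.utils.xml.XmlUtil]::getReader( $sReader ) );
    $xmlReader_Result = [System.xml.XmlTextReader]( [sailpoint.utils.xml.XmlUtil]::getReader( $sResult ) );
    $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest( $xmlReader );
    $resultObject = New-object Sailpoint.Utils.objects.ServiceResult( $xmlReader_Result );
    $requestAsString = $env:Request

    $createdOnServer = $resultObject.Attributes["createdOnServer"];
    LogWrite -EntryType 'Information' -Source $LogSource -EventID 1001 -logstring "Account created on: $createdOnServer"

    # Pull sAMAccountName and the memberOf request (value + operation) out of the
    # attribute requests. Initialised explicitly so a missing attribute is detectable.
    $sAMAccountName = $null
    $memberOf = $null
    $attributeOperation = $null
    foreach ( $attribute in $requestObject.AttributeRequests ) {
        if ( $attribute.Name -eq "sAMAccountName" ) {
            $sAMAccountName = $attribute.Value;
        }
        if ( $attribute.Name -eq "memberOf" ) {
            $memberOf = $attribute.Value;
            $attributeOperation = $attribute.Operation;
        }
    }

    if ( $enableDebug ) {
        # NOTE(review): this writes the whole AccountRequest XML to the event log. If the
        # request can carry a password or other secret attribute, that value lands in the
        # log as well -- confirm before leaving debug enabled outside the lab.
        LogWrite -EntryType 'Information' -Source $LogSource -EventID 1001 -logstring "Request as XML object is: $requestAsString"
        LogWrite -EntryType 'Information' -Source $LogSource -EventID 1001 -logstring "sAMAccountName is: $sAMAccountName"
    }

    if ( [string]::IsNullOrEmpty($sAMAccountName) ) {
        # Neither customer script can do anything useful without an account name.
        LogWrite -EntryType 'Warning' -Source $LogSource -EventID 1001 -logstring "No sAMAccountName in request; skipping customer scripts."
    }
    else {
        # Decide once whether the mailbox script is needed (any matching group being added).
        # Appending the arguments to $command inside the loop, as before, produced a command
        # line with duplicated parameters when more than one group matched.
        $needsMailbox = $false
        foreach ($member in $memberOf) {
            if ( ( $member -like "CN=G999-O365-ClinicalWorker-F3*" -or $member -like "CN=G999-O365-KnowledgeWorker-E5*") -and ( $attributeOperation -like "Add" ) ) {
                $needsMailbox = $true
            }
        }

        if ( $needsMailbox ) {
            # Call operator with discrete arguments: sAMAccountName comes straight from the
            # provisioning request, so it must not be spliced into a string that is then
            # parsed by Invoke-Expression.
            $output = & $command -UserID $sAMAccountName -ssmExch '1'
            LogWrite -EntryType 'Information' -Source $LogSource -EventID 1001 -logstring "AfterCreate - Customer script Output: $output"
        }

        # ImmutableID generation runs for every created account.
        $generate_guid_output = & $generate_guid -UserID $sAMAccountName
        LogWrite -EntryType 'Information' -Source $LogSource -EventID 1001 -logstring "AfterCreate - Customer script Output: $generate_guid_output"
    }
} Catch {
    # Any failure above is recorded in the event log rather than surfaced to IQService.
    $ErrorMessage = $_.Exception.Message
    LogWrite -EntryType 'Error' -Source $LogSource -EventID 1002 -logstring "Error: -> Message = $ErrorMessage"
}

if ( $enableDebug ) {
    LogWrite -EntryType 'Information' -Source $LogSource -EventID 1001 -logstring "Exiting SailPoint Exchange Online rule"
}
#$requestObject.toxml() | out-file $logfilename -append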