Workflow Add Several User to Group

Hello, I would like to build a workflow that:

- Use Trigger "Add Member to Group"  > TriggerGroup01

- All users that are added to the trigger group should be added to a second AD group > TargetGroup01

- Would like to execute a script to add the user to an Azure AD Group

This lets me add one user at a time to my trigger group, but if I add two at the same time, only one user works with the workflow.

Workflow: Adding a user to a specific group and execute a script - Forum - Active Roles Community - One Identity Community

Is it possible to build a workflow that will execute this for several added members to a trigger group, or would it even be the right tool for this? It seems that it's not practicable to add several users to a group this way; maybe it's easier to create an auto group cloned from the trigger group.

It seems like after I do a user search and find the members, I can't check if the user is already a member of the desired group, but I think doing a user search and then save object is the only way to do a "ForEach".

edit

It seems like you can do a "start trigger add group" > "User Search get member from Trigger Group" > "save search" > IF Member from "add to group" does not contain user from "save search"

  • Hi  

    There are other ways to do this, other than via a workflow.

    However from a workflow point of view, you could:

    1) Configure the start conditions for add to group, and have filter conditions to limit the workflow to the trigger group

    2) The workflow steps would appear on the post side, with first a "Save Object Properties" activity step, followed by an "Update" workflow activity step

    2a) The "Save Object Properties" activity step should target the Workflow Target Object, with the only target property we require being "Members"

    2b) The "Update" activity step would target the Target Group, and the target property to update is the "members" property from the "Save Object Properties" activity step above

    To set the value as the members field from the trigger group, choose "Object identified by DN-value rule expression" from the drop down

    Click Add Entry and select "Property of object from workflow data context"

    From the Target Object drop down, select "More choices"

    Select "Saved Object Properties" from the left hand pane, and choose the activity created in 2a

    From the Target Property drop down, select "More choices"

    From the Select object property, select members

    3) Save your workflow.

    4) Test

    This works when adding multiple users/objects to a group, it will not however remove the users/groups when they are removed from the trigger group, then someone else is added to the trigger.

    An easier method would either be to turn the Target Group into a Dynamic Group, or create a Dynamic Group which you add to the target group (I'm going to use the intermediate group example)

    Create the group then convert to be dynamic, the new membership rule should be "Include Group Members"

    Select the Trigger Group as the object the members are going to be managed from

    Hope this helps

    Stu

  • Thank you, I will test this, it seems easier.

    I already noticed that for removing you need a different logic. With my approach you compare the trigger group with the "Add to group", but when you remove users they are no longer members of the trigger group and won't be compared. So you would need to compare "add to group" with the trigger group.

    I thought about using dynamic groups, but I need to execute a script to add the user to an Azure AD group (I guess it is not possible with workflow tools; I know you can do it via GUI, but we want to avoid writing down instructions where people see in which X groups the user needs to be added), so I need a trigger group; not sure if it would work with dynamic groups.

    It's basically our access configuration to Microsoft Dynamic CRM; for this a user needs to be added to an OnPrem group, which is for permission on a mailbox, and an Azure AD security group.
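
The comparison logic discussed in this thread (which members still need adding, and which are left behind after removal from the trigger group), as an added example that is not part of the original posts and is not One Identity code. The function name, group names and DNs are constructed for illustration, and it assumes the target group is populated only from the trigger group.

```powershell
# Added example: compute both directions of the delta between a trigger group
# and a target group. All DNs below are constructed sample data; in production
# the two lists would be read from the directory instead.

function Get-MembershipDelta {
    [CmdletBinding()]
    param(
        [AllowEmptyCollection()][string[]]$TriggerMembers = @(),
        [AllowEmptyCollection()][string[]]$TargetMembers  = @()
    )

    # DNs compare case-insensitively; the HashSet also collapses duplicates.
    $cmp     = [System.StringComparer]::OrdinalIgnoreCase
    $trigger = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $target  = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($dn in $TriggerMembers) { [void]$trigger.Add($dn.Trim()) }
    foreach ($dn in $TargetMembers)  { [void]$target.Add($dn.Trim()) }

    [pscustomobject]@{
        # In the trigger group but not in the target group: every pending add,
        # not only the single object that started the workflow run.
        ToAdd    = @($trigger | Where-Object { -not $target.Contains($_) } | Sort-Object)
        # Still in the target group after leaving the trigger group: stale access
        # that an add-only workflow never cleans up.
        ToRemove = @($target | Where-Object { -not $trigger.Contains($_) } | Sort-Object)
    }
}

# Constructed sample membership lists (hypothetical users).
$triggerGroup01 = @(
    'CN=Alice Example,OU=Users,DC=example,DC=test',
    'CN=Bob Example,OU=Users,DC=example,DC=test',
    'CN=Carol Example,OU=Users,DC=example,DC=test'
)
$targetGroup01 = @(
    'cn=alice example,ou=users,dc=example,dc=test',   # same user, different case
    'CN=Dave Example,OU=Users,DC=example,DC=test'     # removed from trigger group earlier
)

$delta = Get-MembershipDelta -TriggerMembers $triggerGroup01 -TargetMembers $targetGroup01
$delta.ToAdd    | ForEach-Object { "ADD    $_" }
$delta.ToRemove | ForEach-Object { "REMOVE $_" }
```

The same two lists can drive the Azure AD side of the script, so that removals from the trigger group are reflected in the cloud security group as well.
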

  • It's basically our access configuration to Microsoft Dynamic CRM; for this a user needs to be added to an OnPrem group, which is for permission on a mailbox, and an Azure AD security group.

    Why don't you "master" your Azure AD Security and mailbox permissions groups from on-premises?  That way, when they are added to the on-premises groups, AADC will add them to their Cloud equivalents.

  • Theoretically this is possible, but it is not yet part of our Active Directory concept. We sync all Exchange OnPrem groups because it is important for Exchange Online but we have many OnPrem access groups that we do not need in the cloud. Here we would have to develop an area for cloud access groups. It is also interesting in which direction Active Roles will develop with regard to O365.

  • Yes - I would suggest you put these "special" groups into a separate OU that is included into the scope of AADC.

    Active Roles support for Cloud-Only objects is improving with each release.  I just wish it supported direct management of Cloud-only Distribution Groups. However, I can understand why this might not have been given priority initially because Microsoft themselves did not seem too keen on people using them.  But I think they (Msft) may be turning the corner on this so hopefully, we will see this in Active Roles soon.  It would help ease customers in making the transition to using Active Roles to manage Exchange Online exclusively in the Cloud.