ARSS Step or Connection handler, or other options to run PowerShell commands, but the commands are not related to syncing attributes and rather process a command against the target users

Hello ARSS Community.  We use Active Roles Synchronization Service.

I believe my question is related to Handlers, Step, or Connection.

I am trying to determine if ARSS can run separate PowerShell commands as part of a step, but the commands are not related to syncing attributes, and rather process a command against the target users.

Here is the overview.

We currently sync users from AD to Azure AD and M365 using the connectors. When new users are created by a provision workflow step, I then need to run, afterwards, a completely separate few lines of Azure AD PowerShell against each created user. I am not sure if this can be done by trying to use the $destObj and, if so, where to place this code to run it. Any advice or links to samples or information would be great if you have any ideas.

I was trying to find more examples on Step Handlers as a post step. I was also not sure if each of the 3 lines of PowerShell below needs to be a separate step in the step handler, or just 1 step with all the code together. I guess I'm just trying to sort out what, where, how.

Here is the detail:

Users source from Active Directory

1. Run a workflow step that provisions new users in the destination (Azure AD)

Each user has a unique 8-character ID that we place to the left of the @ sign on the UPN.

Each user's email address is included when the user is created.

I was thinking of using a variable to get the UPN and Mail via $destObj, but I'm not sure how or where to try it.

2. Once the Azure AD user is created, I need to run this code. However, I am not sure how or where to try and run it within ARSS steps, handlers, etc.

Example of 1 user:

# Placeholders: the values the poster plans to take from $destObj (UPN and mail) and the redirect URL.
$userUpn     = '<UPN of the created user>'
$userMail    = '<mail of the created user>'
$redirectUrl = '<invite redirect URL>'

# STEP 1: Set variable to collect the existing Azure AD user (-ObjectId accepts an object ID or a UPN).
$ADGraphUser = Get-AzureADUser -ObjectId $userUpn

# STEP 2: Set variable for MS Graph (wrap the user as a Microsoft.Open.MSGraph.Model.User).
$msGraphUser = New-Object Microsoft.Open.MSGraph.Model.User -ArgumentList $ADGraphUser.ObjectId

# STEP 3: Convert member to external member by issuing an invitation against the existing user.
New-AzureADMSInvitation -InvitedUserEmailAddress $userMail -SendInvitationMessage $false -InviteRedirectUrl $redirectUrl -InvitedUser $msGraphUser

Any thoughts or advice would be much appreciated. Thank you for your time.

  • Assuming that these users are also getting provisioned in the on-prem AD, I wouldn't use ARSS for this at all.  Rather, I would have an Automation Workflow in Active Roles do this work.

    Here's my high level design / flow for you:

    Have your ARSS sync job stamp an additional virtual attribute (VA) on the newly created user (for example: QueueforAdditionalAzureProvisioning). Make it a Boolean and apply a value of TRUE.

    Create a Managed Unit whose membership rule consists of users with the attribute set to TRUE.

    Create an Automation Workflow that runs every 15 minutes.

    In it, embed a script activity that begins by enumerating the contents of the Managed Unit - here's a snippet to do that:

    # Enumerate the Managed Unit and keep only the UPNs (replace the placeholder with your MU's DN).
    $UsersToProcess = Get-QADUser -SearchRoot '<your Managed Unit DistinguishedName>' -IncludedProperties UserPrincipalName | Select-Object -ExpandProperty UserPrincipalName

    Add some code to your script to initially establish a connection to your tenant.

    Then take the rest of your code and iterate through the above list of UPNs executing the commands you listed above to update the users.

    The last thing the script activity should do is either clear the VA or set it to $False.

    'Hope this helps.
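    Putting the flow above together as an added example (not code from the page, from the reply's author or from One Identity): a script-activity body that enumerates the Managed Unit, connects to the tenant once, runs the three AzureAD cmdlets from the question against each queued user, and clears the VA only after that user's work succeeded, so a failed user stays queued for the next run instead of being dropped silently. The VA name (taken from the reply's suggestion), the Managed Unit DN, the redirect URL and the presence of the AzureAD module on the host running the script activity are assumptions.

```powershell
# Assumed values (placeholders, not from the page): adjust to your environment.
$managedUnitDn = '<your Managed Unit DistinguishedName>'
$vaName        = 'QueueforAdditionalAzureProvisioning'   # Boolean VA stamped by the ARSS sync job
$redirectUrl   = '<invite redirect URL>'

# Enumerate the queued users once; pull UPN and mail so no second directory lookup is needed.
$usersToProcess = Get-QADUser -SearchRoot $managedUnitDn -SizeLimit 0 `
    -IncludedProperties UserPrincipalName, mail, $vaName

# Connect to the tenant once for the whole batch rather than once per user.
Connect-AzureAD | Out-Null

foreach ($user in $usersToProcess) {
    try {
        $upn  = $user.UserPrincipalName
        $mail = $user.mail
        if (-not $mail) { throw "No mail attribute on $upn; the invitation needs an address" }

        # STEP 1: locate the existing Azure AD user (-ObjectId accepts a UPN).
        $aadUser = Get-AzureADUser -ObjectId $upn

        # STEP 2: wrap it as an MS Graph user object for the invitation call.
        $msGraphUser = New-Object Microsoft.Open.MSGraph.Model.User -ArgumentList $aadUser.ObjectId

        # STEP 3: convert the member to an external member.
        New-AzureADMSInvitation -InvitedUserEmailAddress $mail -SendInvitationMessage $false `
            -InviteRedirectUrl $redirectUrl -InvitedUser $msGraphUser | Out-Null

        # Clear the VA only now: an exception above leaves the user in the Managed Unit,
        # so the next scheduled run retries it and nothing is lost.
        Set-QADUser -Identity $user.DN -ObjectAttributes @{ $vaName = $false } | Out-Null
    }
    catch {
        # Log and continue; one bad user must not stop the rest of the batch.
        Write-Warning "Skipped $($user.UserPrincipalName): $($_.Exception.Message)"
    }
}
```

    Because the activity runs under the Active Roles service account, that account needs a way to authenticate to the tenant non-interactively (Connect-AzureAD as written prompts); keep whatever credential or certificate you use for that scoped to the invitation task.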

  • Hello and thank you for your comments. In our case, we are not currently running Active Roles Suite, only ARSS. Would you be able to comment on what is vs. is not possible for my scenario within ARSS specifically? I appreciate your comments and guidance.