Use workflow script to modify Azure attribute of removed member (disabling)

Good morning

I am a beginner in ARS Workflows....

I have a use case where an account which is synced from on-premises AD to Azure is disabled on premises and must be immediately disabled in Azure without waiting for the next AAD sync run.

I know how to script this with Ms.Graph, but I don't know how to retrieve the DN of the removed member and pass it to this script as a parameter.

Can you please recommend a way to achieve this?

Thanks

  • It sounds like these hybrid users may have existed before Active Roles was installed or are being created outside of Active Roles?

    In these cases, there is a way to tell Active Roles that an onprem AD user has an associated Azure AD object using the Backsync process in the Synchronization Service. Then, once Active Roles has the necessary mapping information stored in Virtual Attributes, when an onprem AD user is disabled through an Active Roles interface, the mapped Azure object will get disabled immediately by Active Roles, ahead of Azure AD Connect.

    Take a look at the Synchronization Service Admin Guide for 'Azure Backsync' and see if this might help you utilize built-in Active Roles functionality.

  • To add a bit to 's comments, assuming the Cloud object is also being managed by Active Roles, you can force an immediate disable of the Azure object by setting the property edsaAzureUserAccountEnabled of the associated on-premises object to FALSE.

    This could be done using an Update Activity in a workflow or directly using PowerShell like this:

    Set-QADUser -proxy -identity $MyOnPremObjectDN -AzureUserAccountEnabled $False

  • Good morning

    Thanks for your answers.

    As they are not synced by the ARS sync tool but by the default MS one (don't ask me why, but it is like this), edsaAzureUserAccountEnabled is not usable, or I don't see how it can be updated.

    This is why I would like to use the ARS workflow that I have created (removed member of a group) to insert a script to disable the Azure account associated to this removed member. Inside the workflow "Remove member from group":
    Step 1 => disable on-premises member [Done and works perfectly]
    Step 2 => script to disable the Azure account (synced by the MS AAD sync tool)
    My question is: how can I retrieve the UPN of this removed member and use it in the script?

  • Ah OK - I would create a Change Workflow that detects the disabling of the on-premise user.

    For the start condition, you want to detect where edsaUserEnabled is FALSE from Requested Changes

    (In the start conditions for the workflow, you may also want to select which OUs to "watch" in case you don't want the workflow to react to ALL account disables)

    [Screenshots: Attribute change trigger; Selection of changed attribute in transaction; Full workflow start condition including sample OU filter]

    Here's a snippet of code to determine UPN of the user being disabled:

    (You can just add the additional code to disable the Azure user. Then add this as a script module (Policy Script type) into Active Roles and reference it in a Script Activity that is added to the above mentioned Change Workflow)

    # Script module function referenced by the Script Activity; Active Roles passes the workflow request in $Request
    Function TrapDisableAndDisableAzureUser ($Request)
    {
        # $DirObj gives you access to the Active Roles in-process AD user object
        $DisabledUserUPN = $DirObj.Get("userPrincipalName")

        # Add code below to disable this user in Azure
    }
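    A fuller version of that script module, as an added example that is not code from the thread or from One Identity: it takes the UPN from $DirObj exactly as above and then disables the matching Entra ID (Azure AD) user through Microsoft Graph with app-only, certificate-based authentication. The app registration values are placeholders, and the example assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Users modules are installed on the Active Roles server and that the app has been granted the User.ReadWrite.All application permission.

```powershell
# Placeholders: fill in from your own Entra ID app registration (not values from the thread)
$AppId          = '<app-registration-client-id>'
$TenantId       = '<tenant-id>'
$CertThumbprint = '<certificate-thumbprint>'

Function TrapDisableAndDisableAzureUser ($Request)
{
    # $DirObj is the in-process copy of the on-premises user that is being disabled
    $DisabledUserUPN = $DirObj.Get("userPrincipalName")
    if ([string]::IsNullOrWhiteSpace($DisabledUserUPN)) {
        # Fail the workflow activity loudly rather than silently leaving the cloud account enabled
        throw "Object being disabled has no userPrincipalName; cannot map it to an Entra ID user."
    }

    # App-only sign-in with a certificate: no user credentials are stored in the script module
    Connect-MgGraph -ClientId $AppId -TenantId $TenantId -CertificateThumbprint $CertThumbprint | Out-Null
    try {
        # Hybrid users keep the same UPN in the cloud, so the on-premises UPN is the lookup key
        $cloudUser = Get-MgUser -UserId $DisabledUserUPN -Property Id,AccountEnabled -ErrorAction Stop

        if ($cloudUser.AccountEnabled) {
            # accountEnabled=false blocks sign-in immediately, ahead of the next Azure AD Connect cycle
            Update-MgUser -UserId $cloudUser.Id -AccountEnabled:$false -ErrorAction Stop
        }

        # Re-read the object so a failed change surfaces as a workflow error, not a silent success
        $check = Get-MgUser -UserId $cloudUser.Id -Property AccountEnabled -ErrorAction Stop
        if ($check.AccountEnabled) {
            throw "Entra ID account $DisabledUserUPN is still enabled after the update."
        }
    }
    finally {
        Disconnect-MgGraph | Out-Null
    }
}
```

    Because Azure AD Connect later writes the on-premises disabled state to the cloud as well, the two disables converge; the script only removes the window between them.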

  • Correction to attribute name above - should be edsaAccountIsDisabled is TRUE (this is reflected in the linked screen caps)

  • Thanks for this solution. It works perfectly...