Selectively update fields in a sub-identity person record from an AADAccount field - possible to also include master record?

Not sure of the best way to do this. Version 9.0 LTS.

We have users coming into AADAccount through synchronisation for tenants. Some of these AADAccounts are from a Cross-Tenant-Sync (CTS) arrangement, which means IAM does not control when these accounts turn up or not. We have SEARCH as the matching criteria (for the synchronisation), and part of the onboarding is that a Sub-Identity is created (IT Shop request) so that the CTS account can be matched to a person record (otherwise random accounts will become persons within IAM). With CTS accounts, updates from the primary tenant, such as first name, last name, etc., will be updated in the destination tenant when MS does its CTS sync and those items are changed in the home tenant (i.e. I can change the property in IAM, which will sync to Entra and hold until that property is changed in the home tenant). What this means is that our AADAccount could end up with different information than our sub-identity. We can restrict what MS could update, but items like first name, last name and email address are likely to change as people get married, etc. What I am wanting is a way to only update certain attributes of the Sub-Identity (first name, last name, email, etc.), and only for particular AAD tenants.

I am aware of the PersonUpdate global variable and the AAD_PersonUpdate script (or similarly named). I am not really wanting to override the script in case there are use cases we have not thought through and it clobbers other tenants/accounts, etc. FWIW, there are random tenants that will be coming and going in IAM.

I am aware that Account Definitions force person fields down to accounts.

Is there an easy way of doing what I am wanting to do? Also, I would like to change these values on the Main identity (the sub-identity's parent), but only for those that meet specific criteria.

Hopefully this is enough information to go on. There are probably other specifics, but I am trying to keep it relatively simple!

So, in a nutshell: the Entra CTS account gets synced; it is authoritative for specific fields (first name, last name, email, etc.), and these get written back to the sub-identity, and possibly the sub-identity's parent.

I am not sure this is out of the box, so given the problem, what could be other ways of doing this? A script that talks through the API daily?