Run custom workflows in Azure AD entitlement management
Automating complex processes for managing user access is now even easier with the recent introduction of custom workflows in entitlement management using Azure Logic Apps, and today we'd like to walk through a couple of scenarios where you can use this new capability to customize the flow of on- and offboarding users to access packages. Being able to automate these processes reduces the number of mistakes inherent in manual processes and frees up time to focus on other business priorities.
Providing or removing access is not just about provisioning to resources like Teams, SharePoint, Groups, or apps. There are often additional steps organizations want to take, like sending an email or updating records in a database. Historically, these steps were often done manually. For example, the approver of an access package might also have been expected to email the team about the newly onboarded person, or scripts might have been run periodically to detect changes in access package membership and make the corresponding downstream changes.
Being able to use specific events in entitlement management – such as when an access package request is approved or when user access expires – to trigger custom workflows extends entitlement management with a bevy of native Microsoft cloud applications as well as external applications like Salesforce and ServiceNow, allowing formerly manual processes to be automated. Let’s explore a couple of ways our fictional company Contoso can take advantage of these capabilities.
Link entitlement management to an external application
As an example, Contoso uses Salesforce to manage deals and opportunities for its Sales team. The Sales team has an Access Package in Azure Active Directory (Azure AD) entitlement management to grant members of the Sales team access to relevant resources and SharePoint sites and provision their access into Salesforce. In addition to granting access to Salesforce, they want to make sure that new members of the Sales team are assigned to specific deals and contacts in Salesforce, and when people leave the team their deals and contacts are assigned to someone else on the team.
What used to be a manual process for updating Salesforce records can now be automated by configuring custom workflows. When a new user is approved for access to the Sales team Access Package, a Logic App is automatically triggered that assigns that person to the appropriate deals and contacts. Likewise, when someone is removed from the Access Package, a different Logic App is automatically triggered and reassigns the Salesforce artifacts they were responsible for. Automating these processes allows the team to focus more on getting actual work done rather than managing access.
Send custom emails linked to policies
Contoso also wants to send an email to the Contoso Sales Team when a user is granted the Sales Team access package, so they are aware that a new sales member has joined the team. By creating a simple Azure Logic App that invokes Outlook Web for Office 365 and triggering it when a user is approved for the Sales Team Access Package, they’re able to automate this part of their process seamlessly.
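To make the two Contoso scenarios concrete (onboarding a new Sales Team member into Salesforce and emailing the team, and reassigning a leaver's deals on removal), here is an added example of the decision logic such a Logic App would carry. It is not code from the original post or from Microsoft. The JSON shape of the callout (`stage`, `requestId`, `requestor`) and the stage names are assumptions made for this example; Salesforce and Outlook are replaced by in-memory stand-ins so that it runs offline. The two checks a practitioner would want in any such workflow are included: malformed callouts are rejected before any downstream system is touched, and a retried delivery of the same request is recognized so that nobody is assigned or emailed twice.

```python
"""Added example, not code from the original post or from Microsoft: the
decision logic a Logic App would carry for Contoso's two scenarios
(onboarding to the Sales Team access package and offboarding from it).

Assumptions not in the post: the callout body is JSON with a 'stage', a
per-request 'requestId' and the 'requestor' principal's UPN; the stage
names below are placeholders for the approved/removed events the post
describes. Salesforce and Outlook are replaced by in-memory stand-ins so
the example runs offline."""

import json
from dataclasses import dataclass, field

# Placeholder stage names (assumed, see module docstring).
STAGE_APPROVED = "assignmentRequestApproved"
STAGE_REMOVED = "assignmentRequestRemoved"

REQUIRED_FIELDS = ("stage", "requestId", "requestor")


@dataclass
class SalesforceStub:
    """Stand-in for the Salesforce records the Logic App updates."""
    deal_owner: dict = field(default_factory=dict)  # deal name -> owner UPN

    def assign(self, upn, deals):
        for deal in deals:
            self.deal_owner[deal] = upn

    def reassign_from(self, leaver, fallback):
        """Move every deal owned by the leaver to the fallback owner."""
        moved = [d for d, o in self.deal_owner.items() if o == leaver]
        for deal in moved:
            self.deal_owner[deal] = fallback
        return moved


@dataclass
class MailboxStub:
    """Stand-in for the Outlook action that emails the Sales Team."""
    sent: list = field(default_factory=list)

    def send(self, to, subject):
        self.sent.append((to, subject))


class WorkflowRunner:
    """Dispatches one entitlement management callout to the right steps."""

    def __init__(self, salesforce, mailbox, team_lead, starter_deals, team_alias):
        self.sf = salesforce
        self.mail = mailbox
        self.team_lead = team_lead
        self.starter_deals = starter_deals
        self.team_alias = team_alias
        self.seen = set()  # request ids already processed (idempotency)

    def handle(self, body):
        payload = json.loads(body)
        # Reject malformed callouts before touching any downstream system.
        missing = [f for f in REQUIRED_FIELDS if f not in payload]
        if missing:
            return {"status": "rejected", "missing": missing}
        request_id, stage, upn = payload["requestId"], payload["stage"], payload["requestor"]
        # A retried delivery must not assign deals or send the email twice.
        if request_id in self.seen:
            return {"status": "duplicate", "requestId": request_id}
        self.seen.add(request_id)

        if stage == STAGE_APPROVED:
            self.sf.assign(upn, self.starter_deals)
            self.mail.send(self.team_alias, f"{upn} joined the Sales Team")
            return {"status": "onboarded", "deals": list(self.starter_deals)}
        if stage == STAGE_REMOVED:
            moved = self.sf.reassign_from(upn, self.team_lead)
            return {"status": "offboarded", "reassigned": moved}
        # Stages this workflow is not linked to are reported and otherwise ignored.
        return {"status": "ignored", "stage": stage}


# Constructed callouts for a single joiner who later leaves the team.
SAMPLE_APPROVED = json.dumps({"stage": STAGE_APPROVED, "requestId": "req-001",
                              "requestor": "alex@contoso.example"})
SAMPLE_REMOVED = json.dumps({"stage": STAGE_REMOVED, "requestId": "req-002",
                             "requestor": "alex@contoso.example"})


def run_contoso_scenario():
    """Runs onboarding, a duplicate delivery, then offboarding; returns the results."""
    sf = SalesforceStub({"Fabrikam renewal": "lead@contoso.example"})
    mail = MailboxStub()
    runner = WorkflowRunner(sf, mail, team_lead="lead@contoso.example",
                            starter_deals=("Northwind pilot", "Tailspin upsell"),
                            team_alias="sales@contoso.example")
    results = [runner.handle(SAMPLE_APPROVED), runner.handle(SAMPLE_APPROVED),
               runner.handle(SAMPLE_REMOVED)]
    return results, sf.deal_owner, mail.sent


if __name__ == "__main__":
    for item in run_contoso_scenario():
        print(item)
```

In a real Logic App the same two branches map to a condition on the stage value followed by the Salesforce and Office 365 Outlook connector actions; the duplicate check is the piece most easily forgotten, and it matters because a re-delivered approval would otherwise email the team a second time and re-run the deal assignment.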
Resources and feedback
These are just a couple of the scenarios for how you can now address even more use cases with entitlement management by linking your access packages to custom workflows written with Azure Logic Apps. We encourage you to try it out and let us know what you think.
For more information, please view the documentation and video walkthrough.
We want to hear from you! Feel free to leave comments down below or reach out to us on aka.ms/AzureADFeedback.