User provisioning (not SCIM)

Charles Ferreira
Occasional Contributor

Hi

I am trying to find a way to provision users to an API-enabled SaaS application when the account gets synchronized to Azure. Unfortunately the SaaS app is not really SCIM compliant and runs basic auth. I am looking to do something serverless like Automation Runbooks. I have tried Graph and PowerShell but am not finding a good way to filter users based on createdDateTime for all users in the last x amount of time. In fact, it seems I can only read createdDateTime for a user if I specify their objectID and not their UPN, which seems odd to me. PowerShell seems to have problems with the same type of filtering with extensionproperty.createddatetime.

I have lots of examples that don't work such as:

https://graph.microsoft.com/beta/users?$filter=createdDateTime gt datetime '2019-01-01'

or

 $When = ((Get-Date).AddDays(-30)).Date
 Get-AzureADUser -Filter datetime 'extensionproperty.CreatedDateTime -ge $When'

But these queries work:

((get-azureaduser -objectID <objectid> ).extensionproperty).createdDateTime

and

https://graph.microsoft.com/beta/users/(objectid)?select=createdDateTime

It's totally likely that I don't understand the OData query syntax or have been looking at this too long LOL

Has anyone tried this?

Another angle I thought of might be to watch the Azure Audit logs for Add User but that seems pretty far down the rabbit hole and might involve an event hub.

Thanks in advance for any help, other ideas, concerns, commiseration, etc.

Charlie

1 Reply

I have the same problem. Did you solve this for yourself?
I want to write some PowerShell that returns the last created users.
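
An added example, not part of the original thread: a filter for "users created since a given time" written with an OData v4 date-time literal (unquoted ISO 8601 in UTC, with no `datetime '...'` wrapper), plus a client-side check on `createdDateTime` for results that are already in hand. The function names and sample users are constructed for illustration, and whether a given Graph endpoint accepts a `ge` filter on `createdDateTime` is an assumption, which is why the client-side function is included.

```powershell
# Added example, not code from the thread. Function names are hypothetical.

function Get-CreatedSinceFilter {
    # OData v4 date-time literals are unquoted ISO 8601 values in UTC.
    param([Parameter(Mandatory)][datetime]$Since)
    $stamp = $Since.ToUniversalTime().ToString(
        'yyyy-MM-ddTHH:mm:ssZ', [cultureinfo]::InvariantCulture)
    return "createdDateTime ge $stamp"
}

function Get-NewUsersUri {
    # Assumption: the endpoint honours a 'ge' filter on createdDateTime.
    param([Parameter(Mandatory)][datetime]$Since)
    $filter = [uri]::EscapeDataString((Get-CreatedSinceFilter -Since $Since))
    # Single quotes keep PowerShell from expanding $filter / $select as variables.
    return 'https://graph.microsoft.com/beta/users?$filter=' + $filter +
           '&$select=id,userPrincipalName,createdDateTime'
}

function Select-UsersCreatedSince {
    # Client-side fallback: filters any list of user objects that carry
    # createdDateTime as an ISO 8601 string, as in the raw JSON response.
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [Parameter(Mandatory)][datetime]$Since
    )
    $cutoff = $Since.ToUniversalTime()
    $Users | Where-Object {
        # Skip objects with no timestamp instead of failing on $null.
        $_.createdDateTime -and
        ([datetimeoffset]::Parse($_.createdDateTime,
            [cultureinfo]::InvariantCulture)).UtcDateTime -ge $cutoff
    }
}

# Constructed sample data shaped like entries of a Graph user list response.
$sampleUsers = @(
    [pscustomobject]@{ userPrincipalName = 'old.user@contoso.example'; createdDateTime = '2018-11-02T09:15:00Z' }
    [pscustomobject]@{ userPrincipalName = 'new.user@contoso.example'; createdDateTime = '2019-01-20T14:03:27Z' }
    [pscustomobject]@{ userPrincipalName = 'no.stamp@contoso.example'; createdDateTime = $null }
)

$since = [datetime]::new(2019, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
Get-NewUsersUri -Since $since
Select-UsersCreatedSince -Users $sampleUsers -Since $since |
    Select-Object userPrincipalName, createdDateTime
```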
