Blog Post

Microsoft Entra Blog
3 MIN READ

Run custom workflows in Azure AD entitlement management

Joseph Dadzie's avatar
Joseph Dadzie
Icon for Microsoft rankMicrosoft
Feb 24, 2022

Automating complex processes for managing user access is now even easier with the recent introduction of custom workflows in entitlement management using Azure Logic Apps, and today we'd like to walk through a couple scenarios where you can use this new capability to customize the flow of on- and offboarding users to access packages. Being able to automate these processes reduces the amount of mistakes inherent in manual processes and frees up time to focus on other business priorities.

 

Providing or removing access is not just about provisioning to resources like Teams, SharePoint, Groups, or apps. There are often additional steps organizations want to take, like sending an email or updating records in a database. Historically, these steps were often done manually. For example, with an understanding that the approver of an access package was also responsible for sending an email to the team about the newly onboarded person, or scripts were run periodically to notice changes in access package membership and make subsequent downstream changes.

 

Being able to use specific events in entitlement management – such as when an access package request is approved or when user access expires – to trigger custom workflows can extend entitlement management with a bevy of native Microsoft cloud applications as well as external applications like Salesforce and ServiceNow to allow automation of formerly manual processes. Let’s explore a couple ways our fictional company Contoso can take advantage of these capabilities.

 

Link entitlement management to an external application  

As an example, Contoso uses Salesforce to manage deals and opportunities for its Sales team. The Sales team has an Access Package in Azure Active Directory (Azure AD) entitlement management to grant members of the Sales team access to relevant resources and SharePoint sites and provision their access into Salesforce. In addition to granting access to Salesforce, they want to make sure that new members of the Sales team are assigned to specific deals and contacts in Salesforce, and when people leave the team their deals and contacts are assigned to someone else on the team.

  

 

Here, the custom callout is created, and the customer adds the specific Logic App to the Catalog to invoke it on specific policy actions (such as access package assignment).

 

What used to be a manual process for updating Salesforce records can now be automated by configuring custom workflows. When a new user is approved for access to the Sales team Access Package, a Logic App is automatically triggered which also assigns that person to the appropriate deals and contacts. Likewise, when someone is removed from the Access Package, a different Logic App is automatically triggered and does the reassignment for the Salesforce artifacts they were responsible for. Automating these processes allows the team to focus more on getting actual work done rather than managing access.

 

 

 

Notice how invoking a Logic App that edits Salesforce—tied to access package assignment—added a salesperson as a contact for a customer account.

 

Send custom emails linked to policies 

Contoso also wants to send an email to the Contoso Sales Team when a user is granted the Sales Team access package, so they are aware that a new sales member has joined the team. By creating a simple Azure Logic App that invokes Outlook Web for Office 365 and triggering that when a user is approved for the Sales Team Access Package, they’re able to automate this part of their process in a seamless manner.  

 

Example of creating a custom email in Logic Apps.

 

Resources and feedback 

These are just a couple of the scenarios for how you can now address even more use cases with entitlement management by linking your access packages to custom workflows written with Azure Logic Apps. We encourage you to try it out and let us know what you think.

 

For more information, please view the documentation and video walkthrough 

We want to hear from you! Feel free to leave comments down below or reach out to us on aka.ms/AzureADFeedback.  

 

Learn more about Microsoft identity:

Updated Feb 21, 2022
Version 1.0
No CommentsBe the first to comment