Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Azure Active Directory

Step-by-Step Guide : Automate JML(Joiners/Movers/Leavers) process with Microsoft Entra lifecycle workflows

JML (Joiners/Movers/Leavers) process of an organization has a major impact on its security and efficiency. When a new employee joins the organization or an existing employee change the job role, if they do not have access to relevant services/tools to start their job, it is just a waste of resource. Also when someone leaves the company, their access permission to data/services should revoke and accounts should be disabled. If not it creates a security risk. As we can see it’s quite important to make sure organizations have robust, practical JML processes in place. If the process has a lot of manual tasks and people dependencies it may not deliver the expected results.

Microsoft Entra lifecycle workflows allow an organization to automate JML process and reduce human errors and people dependencies. Workflow is built upon two pillars – Tasks & Execution conditions.

Task – List of actions that run automatically when a workflow is “triggered”
Execution conditions – Defines the trigger scope of a workflow (impacted users, “what” executes the workflow, and when)

There are many benefits of using lifecycle workflows. Such as,

  • Reduce/remove manual tasks of JML process.
  • Centralize identity lifecycle tasks/process management. In one portal we can create and manage workflows.
  • Measure the success of workflows or identify issues in workflows by using workflow history and audit logs.
  • Allows using pre-built templates which cover most common identity management tasks.
  • integrate workflows with logic apps to address more complex scenarios.

In this article, I am going to demonstrate how we can create a “joiner” workflow based on a pre-built template. This includes,

1. Create lifecycle workflow using the “Onboard pre-hire employee” pre-built template to automate onboarding tasks of new employees before their first day.
2. Create a new user in Azure AD
3. Assign Manager to user
4. Validate the completed workflow tasks

Pre-requisites

Before we start, we need to make sure the following prerequisites are in place.

1. Azure AD Premium P2 Licences
2. Global Administrator Account
3. Users with employeeHireDate attribute value – This attribute value will use as a trigger condition for the workflow. At the moment this value cannot be set using UI and can only update using MS Graph. In this blog post, I will show how to set up a new user with this attribute. Also, note that a workflow will not trigger when the employee hire date value is prior to the workflow creation date.
4. Office 365 Licences – If the workflow includes tasks to send email notifications to users, make sure the recipients have a valid mailbox in place (prior to the workflow execution)
Once we have the above prerequisites in place, we can go ahead with the configuration tasks.

Create a life cycle workflow

To create this workflow I am going to use the “Onboard pre-hire employee” pre-built template as the baseline. It comes with one automation task (Generate TAP and Send Email) but I will add an additional automation task to the workflow. The list of tasks are as follows,

1. Enable Account – I like to enable the new user account as part of the workflow.
2. Add user to Group – The new user account will be added to an already existing security group called “New Hire”
3. Generate TAP and Send Email – Generate Temporary Access Pass and send it via email to the new user’s manager. Microsoft encourages organizations to use passwordless authentication as traditional authentication methods are weak in security. Temporary Access Pass is a time-limited passcode that can be used by users to log in to https://aka.ms/mysecurityinfo and onboard authentication methods. This code can be single-use or multi-use. Before using this feature, we need to enable Temporary Access Pass policy. For configuration details please follow https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-temporary-access-pass . In this demo environment, I already have this policy configured.
4. Send Welcome Email – Send a welcome email to new user

To set up the workflow,

1. Log in to MS Entra portal https://entra.microsoft.com/

2. Go to Identity Governance | Lifecycle workflows

MS entra lifecycle workflow feature

3. Next click on + Create workflow

Create new lifecycle workflow

4. In the new window, we can see the pre-built templates. For this demo, I am selecting “Onboard pre-hire employee

Onboard pre-hire employee pre-built lifecycle workflow template

5. This will open the template settings. Provides a name for the workflow first and then change the event timing settings for onboarding. This workflow will depend on the employeeHireDate attribute value and we can decide how many days we should run the workflow. To keep it simple I am going to use the default value which is 7 days. Once settings are in place, click on Next: Configure scope to continue.

Microsoft Entra lifecycle workflow trigger details

6. In the next window, we can use expressions to define the user scope for the workflow. Here I am going to run this workflow for new users in “Sales” department.

Microsoft Entra lifecycle workflow conndtion

7. In the workflow task window, we can see “Generate TAP and Send Email” task is already in the list. We can add new tasks by clicking + Add tasks

Adding Microsoft Entra lifecycle workflow tasks

8. From the list I have added, Enable Account, Add user to Group, and Send Welcome Email tasks. For the groups, I have selected the already existing security group called “New Hire”. I also change the logical order of the tasks.

Microsoft Entra lifecycle workflow custom task list

9. In the final window, select Schedule workflow to run the workflow every 3 hours. Then review the settings and click on Create.

Microsoft Entra lifecycle workflow configuration review

Active Microsoft Entra lifecycle workflow [Read more…] about Step-by-Step Guide : Automate JML(Joiners/Movers/Leavers) process with Microsoft Entra lifecycle workflows

Azure AD Entitlement Management – three-stage approval process for access packages

In an organization, users are required access to many different groups, applications, and sites to do their day-to-day tasks. Sometimes there can be external organizations that also required access to these various resources. As access requirements change frequently, it is quite challenging for IT administrators to manage access. As a solution to this problem, we can use Azure AD access packages to govern access for internal users as well as external users. Each Access package can contain applications, and permissions required to perform specific tasks. In one of my previous blog posts, I explained how we can set up access packages. You can access it by using the following link https://www.rebeladmin.com/2020/02/step-step-guide-azure-ad-access-package/#more-4735

With the access package, we also can define the approval process. When the user request access to the package, the approver will get a notification, and then he/she can approve or deny the access request. This approver can be an internal or external user/group. So far, we were able to use a two-stage approval process but now access packages can have a three-stage approval process. This is quite important especially if you required a review from security personnel. In this blog post, I am going to demonstrate how to set up a three-stage approval process for the existing Azure AD Access package. To start the configuration process,

1) Log in to the Azure portal as a Global administrator, Identity Governance administrator, User administrator, Catalog owner, or Access package manager.

2) Then click on Azure Active Directory | Identity Governance

Azure AD Identity Governance

3) Next, click on Access packages and then the access package we need to edit.

Selecting already existing access package

4) On new page click on Policies and then click on the existing policy

existing access policy

5) Then in policy details, click on Edit

edit access policy settings

6) It will open the policy settings, click on Requests, and then set the Require approval toggle to Yes

enable approval process for access package

7) To enable three-stage approval process, Set the How many stages to the number three.

enable three-stage approval processfor access package
[Read more…] about Azure AD Entitlement Management – three-stage approval process for access packages

Step-by-Step Guide: How to use Azure AD custom attributes with user flows ?

Attributes can explain an object more precisely. Active Directory object types have predefined attributes which can use to store values and use later (query) when required. Active Directory schema also accepts custom attributes. Based on business requirements some time organizations will have to introduce custom attributes to object classes. On most occasions, it is related to application integration requirements with Active Directory. If it’s a hybrid environment, it may also require syncing these custom attributes values with Azure AD. In one of my previous blog posts, I explained how we can sync custom Active Directory attributes with Azure AD – Step-by-Step Guide: How to sync Custom Active Directory Attributes to Azure AD?
But this is for corporate users. In certain situations, we may also need to collect attributes values for guest users. As an example, let’s assume we have an application that is open for guest access. We enable self-signup process for the guest users. Each guest user is issued with an organization id and unique user token value. We need to collect this information during sign-up so we can identify the users based on the organization. However, there are no such attributes available in Azure AD. Then how we can do this? We can create custom attributes in the Azure portal and use them with user flows now. This will allow collecting these custom attributes values during the guest user sign-up process and storing data in Azure AD. Then later we can use Microsoft Graph API to read/update these values as necessary. In this blog post, I am going to demonstrate how we can add custom attributes to user flow.

Create Custom Attributes

In my demo environment, I have an enterprise app(rebeladminapp01) which is allowed for guest user access. This is already configured as an enterprise app in Azure AD. During the guest user sign-up for the first time, I like to collect values for two attributes called, “Organization ID” and “User Token“. These will help later for the user identification process.
Before we use these custom attributes first, we need to add those to Azure AD. To do that,

1) Login into Azure as Azure AD Administrator
2) Go to Azure Active Directory | External Identities

Azure Active Directory External Identities

3) Then click on Custom user attributes

Azure AD Custom user attributes

4) This will list down the list of built-in attributes. Click on + Add to create a new attribute.

Option to add new Azure AD custom attribute

5) In the new window, type the name of the attribute and provide the data type. It is also recommended to a provided brief description of the attribute for future references.

Azure AD custom attribute settings

After the settings are in place, click on Create.

6) Using the same method, I created the second custom attribute I needed.

List of newly added Azure AD Custom attibutes [Read more…] about Step-by-Step Guide: How to use Azure AD custom attributes with user flows ?

Step-by-Step Guide: How to sync Custom Active Directory Attributes to Azure AD?

Active Directory schema accepts custom attributes. Based on business requirements some time organizations will have to introduce custom attributes to object classes. On most occasions, it is related to application integration requirements with Active Directory. In one of my previous blog posts, I explained how we can add a custom attribute to Active Directory. You can access it using https://www.rebeladmin.com/2017/11/step-step-guide-create-custom-active-directory-attributes/

In a hybrid setup, Azure AD Connect can sync attribute values from on-premise Active Directory to Azure AD (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized). Apart from default attributes, sometimes there can be business requirements to sync custom Active Directory attributes to Azure AD. We can sync these custom attributes to Azure AD by using the Azure AD Connect “Directory extension attribute sync” feature.

In this demo, I am going to demonstrate how to sync the custom Active Directory attribute to Azure AD. To simplify the process, I already installed Azure AD Connect and configure it to sync. I also created a custom AD attribute called “nINumber” and added it to the user class.

Custom Attribute Values

Figure 1 : Custom Attribute Values

Add attribute to user class

Figure 2 : Add attribute to user class

Custom Attribute under user account

Figure 3 : Custom Attribute under user account

Let’s go ahead and see how we can configure Azure AD Connect to sync custom attributes. [Read more…] about Step-by-Step Guide: How to sync Custom Active Directory Attributes to Azure AD?