Extending Lifecycle Workflows in Entra ID

If you are implementing a new Identity and Access Management (IAM) solution in Microsoft Entra ID, or migrating from an existing solution such as Microsoft Identity Manager (MIM), you are likely to need Identity Lifecycle Workflows (LCWs), provided you have the right license.

LCWs run a series of tasks when certain conditions are met (triggers). For example, a new joiner could be added to groups or assigned access packages based on their job role, and an e-mail sent to their manager.

At the time of writing, Microsoft provides 22 out-of-the-box tasks. This task library is expected to grow over time, but you will probably need to create additional options using ‘Run a Custom Task Extension’.

To explain this further, I’ll use the example of raising a new incident in ServiceNow. We have found this is a common scenario, as there are often tasks that must be done manually, such as ordering and building a laptop or setting permissions in legacy applications, which aren’t possible (or practical) to automate without a custom task.

Creating a new Custom Extension

A custom extension is a Logic App called by an LCW. The easiest way to create the Logic App is through the LCW interface when creating the new custom task.

Screenshot of Lifecycle workflows custom extensions

The ‘Add a custom extension’ wizard asks a few simple questions such as the task name, behaviour (Launch and continue or Launch and wait), the name of the Logic App, and where it will be deployed.

Screenshot of Lifecycle Workflow Task

A Logic App is created with a correctly configured Request action.

Screenshot of Logic App created

Developing the Logic App

In this example, the Logic App needs four additional actions.

Screenshot of Four Actions for Logic App

  1. The Get User Details from Entra ID action is an HTTP GET request to the Microsoft Graph API that retrieves any user attribute values not passed through the workflow (in this example, department and job title) so they can be included in the incident. The user attribute values passed to the Logic App are the user’s DisplayName, Email, Id, and userPrincipalName, as well as the manager’s DisplayName, Email, and Id. Authentication is handled through a system-assigned managed identity, so there are no credentials to manage.
  2. The Parse Entra ID Response action parses the response for use in a future action.
  3. The credentials needed to connect to ServiceNow are stored in an Azure Key Vault, on which the Logic App’s managed identity has been granted Reader permissions. The Get secret action retrieves these credentials.
  4. The Create Incident action is an HTTP POST request to the ServiceNow API to create the incident.

Screenshot of ServiceNow create incident
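As an added example (not code from the article, from Microsoft or from ServiceNow), the following Python models the data flow of those four actions offline: the trigger payload, the Graph request built with the managed identity, the parsed response, and the ServiceNow incident body. The payload shape under `data.subject`, the ServiceNow Table API field names and the contoso.example values are assumptions; the real Logic App performs the HTTP calls and the Key Vault lookup itself.

```python
import json
import re

# Entra object ids are GUIDs; anything else must not reach the Graph URL path.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed trigger body (assumed shape) carrying the attributes the
# article says the LCW passes: user and manager DisplayName, Email, Id, UPN.
LCW_PAYLOAD = {"data": {"subject": {
    "id": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "displayName": "Alex Example",
    "email": "alex.example@contoso.example",
    "userPrincipalName": "alex.example@contoso.example",
    "manager": {"id": "7d444840-9dc0-11d1-b245-5ffdce74fad2",
                "displayName": "Morgan Manager",
                "email": "morgan.manager@contoso.example"},
}}}

def graph_user_request(user_id, attributes=("department", "jobTitle")):
    """Action 1: Graph GET for attributes the workflow does not pass.
    The id is validated before it is placed in the URL; auth is the Logic
    App's managed identity, so no token or secret is handled here."""
    if not GUID_RE.match(user_id):
        raise ValueError("subject id must be an Entra object id (GUID)")
    return {
        "method": "GET",
        "uri": f"https://graph.microsoft.com/v1.0/users/{user_id}"
               f"?$select={','.join(attributes)}",
        "authentication": {"type": "ManagedServiceIdentity",
                           "audience": "https://graph.microsoft.com"},
    }

def parse_graph_response(body):
    """Action 2: keep only the two fields the incident needs."""
    data = json.loads(body)
    return {k: data.get(k) or "" for k in ("department", "jobTitle")}

def build_incident(payload, attrs):
    """Action 4 body (assumed ServiceNow Table API field names). The Key
    Vault secret from action 3 goes in the Authorization header only and
    is deliberately kept out of this body, which ends up in the ticket."""
    s = payload["data"]["subject"]
    m = s["manager"]
    return {
        "short_description": f"New joiner: {s['displayName']} ({s['userPrincipalName']})",
        "description": (f"Department: {attrs['department']}\nJob title: {attrs['jobTitle']}\n"
                        f"Manager: {m['displayName']} <{m['email']}>\nEntra id: {s['id']}"),
    }
```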

Running the Workflow

The custom task can now be used when adding tasks to any LCW.

Screenshot of Custom Task available

Running the LCW On Demand for a user will result in the incident being raised.

Screenshot of Custom Test Running

Screenshot of results of custom task

Conclusion

Using custom tasks in an LCW allows many more JML (Joiner-Mover-Leaver) processes to be automated consistently, saving time and money, and every action is logged.

Questions?

Contact us for more information or assistance with Lifecycle Workflows or Logic Apps.

You might also be interested in our article on Transforming data for API-driven inbound provisioning using Azure Data Factory and our recent webinar ‘Transitioning from MIM to Microsoft Entra cloud-first IAM’.