- 16 Oct 2024
- 3 Minutes to read
Azure Account and Group Sync
| Project Details | |
| --- | --- |
| Version | 8.12 |
| Root Folder | Example Lab - Azure Account and Group Sync |
| Modules | None |
| Dependencies | None |
| Prerequisites | Active OAuth Token for Microsoft Graph integration |
Overview
The purpose of this Project is to sync Group and Account information from Azure AD via the Microsoft Graph integration and update the Account and Group relationships within the Decisions platform.
Configuration
REST Integration
For this Project, we need a REST Integration configured with Microsoft Graph as the endpoint. This integration uses an OAuth Token, and the input for the Custom Tag is "Bearer", so the token is sent to Graph in an Authorization header of the form Bearer <token>.
Rest Methods
Two REST Methods will be used for this Project: AzureGroupInformation and AzureGroupMembership.
- AzureGroupInformation details:
- AzureGroupMembership details:
JSON Data Structures
For this project we are using two JSON Data Structures: AzureGroupInformation and AzureGroupMembershipInfo.
Main Flow
The purpose of this Project is to update Account and Group Membership information for Decisions Accounts based on information pulled from Azure. The following section will outline the various Subflows within the following Main Flow:
Get Azure Group Subflow
This Subflow makes a call to Microsoft Graph and pulls a filtered list of Groups. The filter is "displayName starts with", which Graph expresses as the OData filter startswith(displayName,'<prefix>'). The results are then deserialized into the JSON Data Structure AzureGroupInformation, which is used in the rest of the flow.
Back in the main Flow, we have a Create Data step that holds the CurrentAccountsOnAzure list (the CurrentAzureAccounts list used later in the Flow). This list is updated later in the flow and is used by the Deactivate Accounts process. We use a For Each step to go through each Azure Group (the output of the Get Azure Group Subflow).
Get Azure Group Members Subflow
This Flow makes a call to the Microsoft Graph endpoint and fetches the accounts in the Azure Group. The REST step takes a GroupId as its input. The result of the REST call is then deserialized into the JSON Data Structure AzureGroupMembershipInfo.
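The two Graph calls behind the AzureGroupInformation and AzureGroupMembership REST Methods, written out as an added Python example (this is not code from the Decisions lab project): it builds the startswith(displayName,...) filter and the members URL, sends the Bearer header the Custom Tag produces, follows Graph's @odata.nextLink paging, and deserializes the responses into two dataclasses that mirror the lab's JSON Data Structures. The dataclass field names, the function names, the "$select" columns and the sample responses are this example's own assumptions, and the sample fetch function stands in for a live Graph call so the block runs offline.

```python
"""Added example: the two Microsoft Graph calls the lab's REST Methods make,
and how their JSON maps onto the AzureGroupInformation /
AzureGroupMembershipInfo structures. Names and sample data are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com/v1.0"


@dataclass
class AzureGroupInformation:      # mirrors the lab's AzureGroupInformation structure
    id: str
    displayName: str


@dataclass
class AzureGroupMembershipInfo:   # mirrors the lab's AzureGroupMembershipInfo structure
    id: str
    mail: str
    givenName: str
    surname: str
    jobTitle: str
    accountEnabled: bool


def auth_headers(token: str) -> dict:
    # The Custom Tag "Bearer" in the REST Integration yields exactly this header.
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def group_info_url(prefix: str) -> str:
    # "displayName starts with" in OData: startswith(displayName,'<prefix>').
    # A single quote inside the prefix is doubled so the filter stays well-formed.
    safe = prefix.replace("'", "''")
    query = {"$filter": f"startswith(displayName,'{safe}')", "$select": "id,displayName"}
    return f"{GRAPH}/groups?" + urlencode(query)


def group_members_url(group_id: str) -> str:
    # AzureGroupMembership: members of one group, GroupId is the only input.
    query = {"$select": "id,mail,givenName,surname,jobTitle,accountEnabled"}
    return f"{GRAPH}/groups/{quote(group_id, safe='')}/members?" + urlencode(query)


def fetch_all(fetch: Callable[[str, dict], dict], url: str, headers: dict) -> list[dict]:
    # Graph pages large collections; keep following @odata.nextLink until it is absent.
    items: list[dict] = []
    while url:
        page = fetch(url, headers)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def get_azure_groups(fetch, token: str, prefix: str) -> list[AzureGroupInformation]:
    rows = fetch_all(fetch, group_info_url(prefix), auth_headers(token))
    return [AzureGroupInformation(r["id"], r["displayName"]) for r in rows]


def get_azure_group_members(fetch, token: str, group_id: str) -> list[AzureGroupMembershipInfo]:
    rows = fetch_all(fetch, group_members_url(group_id), auth_headers(token))
    # /members can return nested groups and users without a mail value; the lab matches
    # Decisions Accounts on the Mail attribute, so only users with a mail are kept.
    return [
        AzureGroupMembershipInfo(r["id"], r["mail"], r.get("givenName", ""), r.get("surname", ""),
                                 r.get("jobTitle", ""), bool(r.get("accountEnabled", True)))
        for r in rows
        if r.get("@odata.type") == "#microsoft.graph.user" and r.get("mail")
    ]


# Constructed sample responses (not real Graph data) keyed by request URL, so the
# functions above can be exercised offline. Page 1 of the group list links to page 2.
_SAMPLE_RESPONSES = {
    group_info_url("Decisions"): {
        "value": [{"id": "g-1", "displayName": "Decisions Admins"}],
        "@odata.nextLink": GRAPH + "/groups?$skiptoken=page2",
    },
    GRAPH + "/groups?$skiptoken=page2": {
        "value": [{"id": "g-2", "displayName": "Decisions Users"}],
    },
    group_members_url("g-1"): {
        "value": [
            {"@odata.type": "#microsoft.graph.user", "id": "u-1", "mail": "ada@example.com",
             "givenName": "Ada", "surname": "Lovelace", "jobTitle": "Designer", "accountEnabled": True},
            {"@odata.type": "#microsoft.graph.group", "id": "g-9", "displayName": "Nested group"},
            {"@odata.type": "#microsoft.graph.user", "id": "u-2", "mail": None,
             "givenName": "No", "surname": "Mail"},
        ]
    },
}


def sample_fetch(url: str, headers: dict) -> dict:
    # Stand-in for the REST step: checks the Bearer header is present, returns canned JSON.
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing Bearer token")
    return _SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for g in get_azure_groups(sample_fetch, "sample-token", "Decisions"):
        print(g, [m.mail for m in get_azure_group_members(sample_fetch, "sample-token", g.id)]
              if g.id == "g-1" else [])
```

To run it against a tenant, replace sample_fetch with a function that performs the HTTP GET and returns the parsed JSON body; the URL and header construction stays the same.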
Update Account and Group Information Subflow
This Flow first processes every Account and then updates or creates it. The Flow then adds the updated Decisions Accounts to the appropriate Decisions Groups. Note: the logic needs to be adapted to your own account and group requirements, so review each step individually before modifying it.
Run Flow For List Step
This step will loop through each Azure Account. The step will then fetch the Account in Decisions based on the Mail attribute.
- Update Existing Account Subflow: If we have a result, we will update the account. We are updating the following fields: FirstName, LastName, IsActive, and JobTitle.
- Create SSO Account Subflow: If we don't have a result, we will make a new Account. For this example we are making an OpenId Account using Email as the user identifier. If you need SAML accounts or other user identifier values, you will need to update this Flow.
Add Account to Group Subflow
This Flow evaluates the Group Assignment for the updated Accounts List output from the Run Flow for List step.
The Truth Table is configured to add users in specific Azure Groups to specific Decisions Groups (Admin, Designer, All Users, etc.). The Truth Table needs to be updated to match your own requirements. This completes the Update Account and Group Information Subflow, which outputs the updated list of Accounts.
Back in the main Flow, we use the Add Items to List step to add the list of updated Accounts to the CurrentAzureAccounts list. Once all Azure Account and Group information has been updated, the last part is to clean up deactivated or removed Accounts.
Deactivate Accounts Subflow
This Flow takes the CurrentAzureAccounts list as input. We filter out duplicate accounts (a user who belongs to several of the synced Groups appears more than once) and then fetch the current SSO Accounts in Decisions. In this example we are using OpenId; the fetch criteria need to be updated if you are using SAML.
The Rule Filter evaluates whether each current Decisions Account is in the CurrentAzureAccounts list. Accounts that are not in the list are output as a list, removed from all Groups, and then set to Deactivated in Decisions. This way only the accounts pulled from the specified Groups remain active in Decisions.
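The reconciliation the Run Flow For List, Add Account to Group and Deactivate Accounts subflows perform, as an added Python example over constructed in-memory data (not the lab project's own logic): match on the Mail attribute, update FirstName, LastName, IsActive and JobTitle or create an OpenId account keyed by email, map Azure groups to Decisions groups through a truth table, and finally deactivate every SSO account that was not seen in any synced Azure group. The field names, the truth-table contents and the sample accounts are this example's assumptions; replace them with your own requirements.

```python
"""Added example: the account/group reconciliation of the lab's subflows in
plain Python. Field names, truth table and sample data are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class AzureAccount:
    """One AzureGroupMembershipInfo row plus the Azure group it was fetched from."""
    mail: str
    first_name: str
    last_name: str
    job_title: str
    enabled: bool
    azure_group: str


@dataclass
class DecisionsAccount:
    """A Decisions SSO (OpenId) account; the email is the user identifier."""
    email: str
    first_name: str = ""
    last_name: str = ""
    job_title: str = ""
    is_active: bool = True
    groups: set[str] = field(default_factory=set)


# Truth Table equivalent: Azure group display name -> Decisions groups (assumed contents).
GROUP_TRUTH_TABLE = {
    "Decisions Admins": {"Admin", "All Users"},
    "Decisions Designers": {"Designer", "All Users"},
    "Decisions Users": {"All Users"},
}


def norm(mail: str) -> str:
    # Mail is matched case-insensitively so "Ada@Example.com" and "ada@example.com" agree.
    return mail.strip().lower()


def update_or_create(existing: dict[str, DecisionsAccount], azure: AzureAccount) -> DecisionsAccount:
    """Run Flow For List step: fetch by Mail, then Update Existing Account or Create SSO Account."""
    key = norm(azure.mail)
    acct = existing.get(key)
    if acct is None:                       # Create SSO Account Subflow (OpenId, email identifier)
        acct = DecisionsAccount(email=key)
        existing[key] = acct
    # Update Existing Account Subflow: FirstName, LastName, IsActive, JobTitle
    acct.first_name, acct.last_name, acct.job_title = azure.first_name, azure.last_name, azure.job_title
    acct.is_active = azure.enabled
    return acct


def add_account_to_groups(acct: DecisionsAccount, azure_group: str) -> None:
    """Add Account to Group Subflow: apply the truth table; unknown Azure groups add nothing."""
    acct.groups |= GROUP_TRUTH_TABLE.get(azure_group, set())


def sync(existing: dict[str, DecisionsAccount], azure_members: list[AzureAccount]) -> tuple[list[str], list[str]]:
    """Main Flow: update/create and group assignment, then Deactivate Accounts.
    Returns (de-duplicated CurrentAzureAccounts, accounts deactivated)."""
    current_azure_accounts: list[str] = []
    for m in azure_members:
        acct = update_or_create(existing, m)
        add_account_to_groups(acct, m.azure_group)
        current_azure_accounts.append(acct.email)
    seen = set(current_azure_accounts)     # filters duplicates: a user in several synced groups
    deactivated: list[str] = []
    for key, acct in existing.items():     # Rule Filter: active accounts not seen in Azure
        if key not in seen and acct.is_active:
            acct.groups.clear()            # removed from all Groups ...
            acct.is_active = False         # ... then set to Deactivated
            deactivated.append(key)
    return sorted(seen), deactivated


def sample_run() -> tuple[dict[str, DecisionsAccount], list[str], list[str]]:
    """Constructed scenario: one known user in two groups, one new user, one stale account."""
    existing = {
        "ada@example.com": DecisionsAccount("ada@example.com", groups={"All Users"}),
        "old@example.com": DecisionsAccount("old@example.com", groups={"Admin"}),
    }
    azure = [
        AzureAccount("Ada@Example.com", "Ada", "Lovelace", "Designer", True, "Decisions Admins"),
        AzureAccount("ada@example.com", "Ada", "Lovelace", "Designer", True, "Decisions Users"),
        AzureAccount("bob@example.com", "Bob", "Babbage", "Engineer", True, "Decisions Designers"),
    ]
    seen, deactivated = sync(existing, azure)
    return existing, seen, deactivated


if __name__ == "__main__":
    accounts, seen, gone = sample_run()
    print("current:", seen, "deactivated:", gone)
    for a in accounts.values():
        print(a.email, a.is_active, sorted(a.groups))
```

The deactivation pass only ever touches accounts that the OpenId fetch returned and that were absent from every synced group, which is the same scoping the Rule Filter gives the lab's Deactivate Accounts Subflow.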