
Assigning Azure AD licenses as birthright access

SumathiSomala
All-Star

Hi Everyone,

We have the following use case:

We have an on-prem AD where Saviynt provisions all new users as the target system. This on-prem AD syncs accounts to Azure AD every 30 minutes. Then we reconcile Azure AD to get the synced accounts into Saviynt.

The scenario is that we have to provision an SKU as birthright into the Azure AD account on any new user creation. We do not want to create a user in Azure AD, only provision the SKU as an entitlement to the reconciled account once it is synced from on-prem AD to Azure AD.

How can we assign the SKU license as birthright for new users, given that we have this sync time of roughly 15-20 minutes?
The operation should be performed automatically.

Any ideas will be greatly appreciated.

Regards,
Sumathi Somala

armaanzahir
Valued Contributor

Hi @SumathiSomala ,

You could create an actionable analytic where the action would be to provision access for that entitlement. The analytic would detect if the user has a corresponding Azure AD account without the access that had been reconciled, and if there was a task for AD On Prem that was executed and completed successfully for the user in the last x hours. This analytic can be scheduled to run every 2 hours, or based on whatever your user import frequency is that creates the On Prem AD account.

 


Tables that need to be utilized: users, user_accounts, accounts, arstasks

Configuring Allowed Actions (saviyntcloud.com)

 

Regards,
Md Armaan Zahir

Thanks for the quick response @armaanzahir

Can you help with a sample query?

And is this report assigned to the analytics owner, or will it complete automatically?

How can I assign different entitlements to different users?

Regards,
Sumathi Somala

SumathiSomala
All-Star

Instead of using actionable analytics, we tried assigning the Azure AD license through an AD group as birthright access.

It is working as expected.

Regards,
Sumathi Somala

Manu269
All-Star

@SumathiSomala we also had a similar case and implemented it in the following way:

1. As a birthright, we create the user's AD account.

2. AD is synced with AAD for account creation.

3. Configured SAV to SAV in Saviynt to update the location field based on an AD attribute.

4. Configured a trigger chain job to reconcile AD, AAD and SAV for the SAV system.

5. Configured a user update rule to assign the AAD license via this SAV for SAV field update.

Regards
Manish Kumar