02/14/2024 01:27 PM - edited 02/14/2024 01:31 PM
Hey All,
We are trying to find a way to display which Entitlements are eligible for DirectoryRoles. Currently, we have the import working to show which accounts are currently assigned to our DirectoryRoles. In our Azure environment, we currently have it set up so that users within specific Entitlements are eligible to check out DirectoryRoles in Azure. Right now, we are unable to see that correlation in Saviynt.
This is what we have for our AzureAD_Recon Connection:
ENTITLEMENT_ATTRIBUTE:
{
"entitlementAttribute": {
"AADGroup": {
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"description": "description~#~char",
"customproperty1": "deletedDateTime~#~char",
"customproperty2": "description~#~char",
"customproperty3": "membershipRule~#~char",
"customproperty5": "onPremisesSyncEnabled~#~char",
"customproperty6": "onPremisesLastSyncDateTime~#~char",
"customproperty7": "mail~#~char",
"customproperty8": "mailEnabled~#~char",
"customproperty9": "onPremisesSecurityIdentifier~#~char",
"customproperty10": "securityEnabled~#~char",
"customproperty11": "groupTypes~#~listAsString",
"customproperty13": "membershipRuleProcessingState~#~char",
"customproperty16": "resourceProvisioningOptions~#~char",
"customproperty17" : "onPremisesSyncEnabled~#~char",
"customproperty18" : "createdDateTime~#~char"
}
},
"Team": {
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"description": "description~#~char",
"customproperty1": "internalId~#~char",
"customproperty2": "webUrl~#~char",
"customproperty3": "discoverySettings~#~char",
"customproperty6": "isArchived~#~char"
}
},
"Channel": {
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"description": "description~#~char",
"customproperty1": "email~#~char",
"customproperty2": "webUrl~#~char"
}
},
"DirectoryRole": {
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"description": "description~#~char",
"customproperty4": "description~#~char",
"customproperty6": "deletedDateTime~#~char",
"customproperty8": "roleTemplateId~#~char"
}
},
"Subscription": {
"colsToPropsMap": {
"entitlementID": "subscriptionId~#~char",
"entitlement_value": "displayName~#~char",
"displayname": "displayName~#~char",
"description": "description~#~char",
"customproperty1": "state~#~char",
"customproperty2": "subscriptionPolicies.locationPlacementId~#~char",
"customproperty4": "subscriptionPolicies.quotaId~#~char",
"customproperty6": "subscriptionPolicies.spendingLimit~#~char",
"customproperty7": "authorizationSource~#~char"
}
},
"Application": {
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"customproperty1": "id~#~bool",
"customproperty2": "resourceAppId~#~bool",
"customproperty4": "orgRestrictions~#~boolListInverse",
"customproperty5": "oauth2AllowImplicitFlow~#~bool",
"customproperty6": "allowPublicClient~#~bool",
"customproperty7": "createdDateTime~#~char"
}
},
"ApplicationInstance": {
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"displayname": "appDisplayName~#~char",
"customproperty1": "appId~#~char",
"customproperty2": "servicePrincipalNames~#~char",
"customproperty4": "appOwnerOrganizationId~#~char",
"customproperty5": "appRoleAssignmentRequired~#~char",
"customproperty7": "accountEnabled~#~bool",
"customproperty9": "publisherName~#~char"
}
},
"SKU": {
"colsToPropsMap": {
"entitlementID": "skuId~#~char",
"entitlement_value": "skuPartNumber~#~char",
"customproperty1": "appliesTo~#~char",
"customproperty2": "capabilityStatus~#~char",
"customproperty5": "consumedUnits~#~char",
"customproperty7": "prepaidUnits~#~listAsString"
}
},
"AppRole": {
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"customproperty1": "isEnabled~#~char",
"customproperty2": "value~#~char",
"customproperty4": "id~#~char",
"customproperty5": "allowedMemberTypes~#~char"
}
},
"Oauth2Permission": {
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "userConsentDisplayName~#~char",
"description": "userConsentDescription~#~char",
"customproperty1": "isEnabled~#~char",
"customproperty2": "adminConsentDisplayName~#~char",
"customproperty3": "adminConsentDescription~#~char",
"customproperty4": "id~#~char",
"customproperty5": "type~#~char",
"customproperty8": "value~#~char"
}
},
"ApplicationInstanceAppRole": {
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"customproperty1": "isEnabled~#~char",
"customproperty2": "value~#~char",
"customproperty4": "id~#~char",
"customproperty5": "allowedMemberTypes~#~char"
}
},
"SKUServicePlans": {
"colsToPropsMap": {
"entitlementID": "servicePlanId~#~char",
"entitlement_value": "servicePlanName~#~char",
"customproperty1": "provisioningStatus~#~char",
"customproperty2": "appliesTo~#~char",
"customproperty4": "servicePlanId~#~char"
}
}
}
}
Here are the resources I have been using to avoid redundancy:
https://learn.microsoft.com/en-us/powershell/microsoftgraph/tutorial-pim?view=graph-powershell-1.0
02/15/2024 08:02 PM
Hello @aidanryan,
Could you please elaborate more on your use case — where exactly are you trying to display the entitlement?
If this request is for ARS, what identifier on the entitlement indicates that the entitlement is eligible for the directory roles?
Thanks.
02/16/2024 09:58 AM
Hey @sudeshjaiswal,
Thank you for your response. Our use case at this time is just to see which entitlements from AzureAD are eligible to check out a DirectoryRole. We are trying to figure out how to assign those eligible Entitlements as Child Entitlements in Saviynt to those DirectoryRoles. In our Azure environment, eligibility is decided by which AAD group you are in. Our main issue is figuring out how to import from Azure the indicator that an AAD entitlement is eligible for a DirectoryRole.
02/16/2024 10:24 AM
@aidanryan Is this for reporting purposes only, or do you want to run a certification campaign on the eligibility for roles? I haven't explored it, but the eligibility may not be associated directly with the Role and should be retrievable via the PIM APIs.
02/16/2024 10:33 AM
The end goal would be to have users able to check out these DirectoryRoles as they can in Azure. We are in the process of implementing the AAG and CPAM modules, so we are trying to get this set up prior to the implementation of these two modules.
02/23/2024 08:03 AM
Does either of you know if there is a way to accomplish this?