Azure DirectoryRole Eligibility

aidanryan
New Contributor III

Hey All,

We are trying to find a way to display which Entitlements are eligible for DirectoryRoles. Currently, we have the import working to show which accounts are currently assigned to our DirectoryRoles. In our Azure environment, we currently have it set up so that users within specific Entitlements are eligible to check out DirectoryRoles in Azure. Right now, we are unable to see that correlation in Saviynt.

This is what we have for our AzureAD_Recon Connection:
ENTITLEMENT_ATTRIBUTE:

{
  "entitlementAttribute": {
    "AADGroup": {
      "colsToPropsMap": {
        "entitlementID": "id~#~char",
        "entitlement_value": "displayName~#~char",
        "description": "description~#~char",
        "customproperty1": "deletedDateTime~#~char",
        "customproperty2": "description~#~char",
        "customproperty3": "membershipRule~#~char",
        "customproperty5": "onPremisesSyncEnabled~#~char",
        "customproperty6": "onPremisesLastSyncDateTime~#~char",
        "customproperty7": "mail~#~char",
        "customproperty8": "mailEnabled~#~char",
        "customproperty9": "onPremisesSecurityIdentifier~#~char",
        "customproperty10": "securityEnabled~#~char",
        "customproperty11": "groupTypes~#~listAsString",
        "customproperty13": "membershipRuleProcessingState~#~char",
        "customproperty16": "resourceProvisioningOptions~#~char",
        "customproperty17": "onPremisesSyncEnabled~#~char",
        "customproperty18": "createdDateTime~#~char"
      }
    },
    "Team": {
      "colsToPropsMap": {
        "entitlementID": "id~#~char",
        "entitlement_value": "displayName~#~char",
        "description": "description~#~char",
        "customproperty1": "internalId~#~char",
        "customproperty2": "webUrl~#~char",
        "customproperty3": "discoverySettings~#~char",
        "customproperty6": "isArchived~#~char"
      }
    },
    "Channel": {
      "colsToPropsMap": {
        "entitlementID": "id~#~char",
        "entitlement_value": "displayName~#~char",
        "description": "description~#~char",
        "customproperty1": "email~#~char",
        "customproperty2": "webUrl~#~char"
      }
    },
    "DirectoryRole": {
      "colsToPropsMap": {
        "entitlementID": "id~#~char",
        "entitlement_value": "displayName~#~char",
        "description": "description~#~char",
        "customproperty4": "description~#~char",
        "customproperty6": "deletedDateTime~#~char",
        "customproperty8": "roleTemplateId~#~char"
      }
    },
    "Subscription": {
      "colsToPropsMap": {
        "entitlementID": "subscriptionId~#~char",
        "entitlement_value": "displayName~#~char",
        "displayname": "displayName~#~char",
        "description": "description~#~char",
        "customproperty1": "state~#~char",
        "customproperty2": "subscriptionPolicies.locationPlacementId~#~char",
        "customproperty4": "subscriptionPolicies.quotaId~#~char",
        "customproperty6": "subscriptionPolicies.spendingLimit~#~char",
        "customproperty7": "authorizationSource~#~char"
      }
    },
    "Application": {
      "colsToPropsMap": {
        "entitlementID": "id~#~char",
        "entitlement_value": "displayName~#~char",
        "customproperty1": "id~#~bool",
        "customproperty2": "resourceAppId~#~bool",
        "customproperty4": "orgRestrictions~#~boolListInverse",
        "customproperty5": "oauth2AllowImplicitFlow~#~bool",
        "customproperty6": "allowPublicClient~#~bool",
        "customproperty7": "createdDateTime~#~char"
      }
    },
    "ApplicationInstance": {
      "colsToPropsMap": {
        "entitlementID": "id~#~char",
        "entitlement_value": "displayName~#~char",
        "displayname": "appDisplayName~#~char",
        "customproperty1": "appId~#~char",
        "customproperty2": "servicePrincipalNames~#~char",
        "customproperty4": "appOwnerOrganizationId~#~char",
        "customproperty5": "appRoleAssignmentRequired~#~char",
        "customproperty7": "accountEnabled~#~bool",
        "customproperty9": "publisherName~#~char"
      }
    },
    "SKU": {
      "colsToPropsMap": {
        "entitlementID": "skuId~#~char",
        "entitlement_value": "skuPartNumber~#~char",
        "customproperty1": "appliesTo~#~char",
        "customproperty2": "capabilityStatus~#~char",
        "customproperty5": "consumedUnits~#~char",
        "customproperty7": "prepaidUnits~#~listAsString"
      }
    },
    "AppRole": {
      "colsToPropsMap": {
        "entitlementID": "id~#~char",
        "entitlement_value": "displayName~#~char",
        "customproperty1": "isEnabled~#~char",
        "customproperty2": "value~#~char",
        "customproperty4": "id~#~char",
        "customproperty5": "allowedMemberTypes~#~char"
      }
    },
    "Oauth2Permission": {
      "colsToPropsMap": {
        "entitlementID": "id~#~char",
        "entitlement_value": "userConsentDisplayName~#~char",
        "description": "userConsentDescription~#~char",
        "customproperty1": "isEnabled~#~char",
        "customproperty2": "adminConsentDisplayName~#~char",
        "customproperty3": "adminConsentDescription~#~char",
        "customproperty4": "id~#~char",
        "customproperty5": "type~#~char",
        "customproperty8": "value~#~char"
      }
    },
    "ApplicationInstanceAppRole": {
      "colsToPropsMap": {
        "entitlementID": "id~#~char",
        "entitlement_value": "displayName~#~char",
        "customproperty1": "isEnabled~#~char",
        "customproperty2": "value~#~char",
        "customproperty4": "id~#~char",
        "customproperty5": "allowedMemberTypes~#~char"
      }
    },
    "SKUServicePlans": {
      "colsToPropsMap": {
        "entitlementID": "servicePlanId~#~char",
        "entitlement_value": "servicePlanName~#~char",
        "customproperty1": "provisioningStatus~#~char",
        "customproperty2": "appliesTo~#~char",
        "customproperty4": "servicePlanId~#~char"
      }
    }
  }
}

Here are the resources I have been using to avoid redundancy:
https://learn.microsoft.com/en-us/powershell/microsoftgraph/tutorial-pim?view=graph-powershell-1.0

https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityschedulerequests?vie...

https://docs.saviyntcloud.com/bundle/AzureAD-v24x/page/Content/Configuring-the-Integration-for-Accou... 


sudeshjaiswal
Saviynt Employee

Hello @aidanryan,

Could you please elaborate more on your use case: where exactly are you trying to display the entitlement?
If this request is for ARS, what identifier on the entitlement indicates that the entitlement is eligible for the directory roles?

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Hey @sudeshjaiswal,

Thank you for your response. Our use case at this time is to just see what entitlements from AzureAD are eligible to check out a DirectoryRole. We are trying to figure out how to assign those eligible Entitlements as a Child Entitlement in Saviynt to those DirectoryRoles. In our Azure Environment, eligibility is decided by what AAD group you are in. Our main issue is trying to figure out how to import from Azure the indicator that an AAD entitlement is eligible for a DirectoryRole.

Falcon
Saviynt Employee

@aidanryan Is this for reporting purposes only, or do you want to run a certification campaign on the eligibility for roles? I haven't explored it, but the eligibility may not be associated directly with the Role and should be retrievable via PIM APIs.
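Editor's added example (not Saviynt's or Microsoft's code) of the correlation this thread is after: PIM eligibility records joined to the directoryRole entitlements the connector above already imports. It assumes the Microsoft Graph shapes of unifiedRoleEligibilityScheduleInstance (principalId, roleDefinitionId, directoryScopeId, expanded principal) and directoryRole (id, displayName, roleTemplateId); all ids and sample records are constructed. The key detail is that PIM's roleDefinitionId matches directoryRole.roleTemplateId (customproperty8 in the mapping above), not the directoryRole object id.

```python
"""Join PIM role eligibility to directoryRole entitlements (added example, constructed data)."""
from collections import defaultdict

# Constructed sample of GET /roleManagement/directory/roleEligibilityScheduleInstances?$expand=principal
ELIGIBILITIES = [
    {"principalId": "grp-pim-admins", "roleDefinitionId": "tpl-global-admin",
     "directoryScopeId": "/", "principal": {"@odata.type": "#microsoft.graph.group"}},
    {"principalId": "user-alice", "roleDefinitionId": "tpl-global-admin",
     "directoryScopeId": "/", "principal": {"@odata.type": "#microsoft.graph.user"}},
    {"principalId": "grp-au-helpdesk", "roleDefinitionId": "tpl-helpdesk-admin",
     "directoryScopeId": "/administrativeUnits/au-finance",
     "principal": {"@odata.type": "#microsoft.graph.group"}},
    {"principalId": "grp-never-activated", "roleDefinitionId": "tpl-not-activated",
     "directoryScopeId": "/", "principal": {"@odata.type": "#microsoft.graph.group"}},
]

# Constructed sample of GET /directoryRoles (what the DirectoryRole import above reads)
DIRECTORY_ROLES = [
    {"id": "role-obj-1", "displayName": "Global Administrator", "roleTemplateId": "tpl-global-admin"},
    {"id": "role-obj-2", "displayName": "Helpdesk Administrator", "roleTemplateId": "tpl-helpdesk-admin"},
]


def eligible_groups_by_role(eligibilities, directory_roles, scope="/"):
    """Map directoryRole.id -> group principalIds eligible for it at the given scope.

    Join on roleTemplateId (customproperty8 in the connector mapping): the PIM
    roleDefinitionId is the template id, not the directoryRole object id.
    """
    by_template = {r["roleTemplateId"]: r for r in directory_roles}
    result = defaultdict(list)
    for e in eligibilities:
        if e.get("principal", {}).get("@odata.type") != "#microsoft.graph.group":
            continue  # user/SP eligibilities are not group->role child relationships
        if e.get("directoryScopeId") != scope:
            continue  # admin-unit scoped eligibility; review separately
        role = by_template.get(e["roleDefinitionId"])
        if role is None:
            continue  # template never activated as a directoryRole in this tenant
        result[role["id"]].append(e["principalId"])
    return dict(result)


def child_entitlement_rows(eligibilities, directory_roles):
    """Flatten to (parent DirectoryRole entitlement_value, child AADGroup entitlementID) rows."""
    names = {r["id"]: r["displayName"] for r in directory_roles}
    mapping = eligible_groups_by_role(eligibilities, directory_roles)
    return sorted((names[rid], gid) for rid, gids in mapping.items() for gid in gids)
```

The rows from child_entitlement_rows are the parent/child pairs to load; eligibilities scoped to an administrative unit are deliberately kept out of the tenant-wide mapping so they can be reviewed on their own.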

aidanryan
New Contributor III

@Falcon 

The end goal would be to have users be able to check out these DirectoryRoles like they can in Azure. We are in the process of implementing the AAG and CPAM modules, so we are trying to get this set up prior to the implementation of these two modules.

aidanryan
New Contributor III

@Falcon @sudeshjaiswal 

Do either of you know if there is a way to accomplish this?