12/21/2023 07:19 AM
Hello Everyone,
1. Has anybody populated the manager or Sponsors in Azure AD while creating an account in Azure AD?
2. How do we update the Sponsor in the create JSON for Azure AD?
3. How do we populate or import it into Saviynt once we have the Sponsor?
Could you please provide details on how to achieve the points mentioned above. Thanks in advance.
Thanks
Anitha Mavurapu
12/21/2023 09:02 AM
You need to make two calls:
PUT https://graph.microsoft.com/v1.0/users/10f17b99-784c-4526-8747-aec8a3159d6a/manager/$ref
Content-type: application/json
{
"@odata.id": "https://graph.microsoft.com/v1.0/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0"
}
https://learn.microsoft.com/en-us/graph/api/user-post-manager?view=graph-rest-1.0&tabs=http
12/21/2023 11:19 AM
Thank you @rushikeshvartak for providing the above details. Will update this post after validating.
12/21/2023 12:45 PM
Hi @rushikeshvartak ,
We understand that we need to call 2 APIs in the same create-account JSON; however, the second call requires the user's ID (GUID). Wondering how we populate the ID in the second call when we create the user account in the first call.
Thanks
Anitha Mavurapu
12/21/2023 02:09 PM
{
  "name": "call2",
  "connection": "userAuth",
  "url": "https://graph.microsoft.com/v1.0/users/${response.call1.message.id}/manager/\\$ref",
  "httpMethod": "PUT",
  "httpContentType": "application/json",
  "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/users/${ServiceAccountOwnerMap.USEROWNERS.get('1').collect{it.siteid}.join(',')}\"}",
  "httpHeaders": {
    "Authorization": "${access_token}"
  },
  "successResponses": {
    "statusCode": [
      204
    ]
  },
  "unsuccessResponses": {
    "odata~dot#error.code": "Request_BadRequest,Authentication_MissingOrMalformed,Request_ResourceNotFound,Authorization_RequestDenied,Authentication_Unauthoriz"
  }
}
01/17/2024 11:47 AM
Hi @rushikeshvartak,
It worked, and thanks for your help. However, we had to take/read the account ID at the account level for the owner and had to populate the site ID at the user level to get it working. Is there any approach to populate the GUID/account ID at the user level, or how do we bring in the account ID from the Azure AD security system to populate the site ID at the user level?
Note: It works fine when we populate the site ID manually.
Thanks in advance.
Anitha Mavurapu
01/17/2024 07:39 PM
You need the sav4sav connector to populate the account attribute to the user.
01/18/2024 08:00 AM
Thanks for your above response @rushikeshvartak.
How can we populate the Sponsor in Azure AD while creating a service account in Azure AD? Below is the CreateAccountJSON that we tried to populate the sponsor with, but it is not working.
{
  "accountIdPath": "call1.message.id",
  "dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
  "responseColsToPropsMap": {
    "comments": "call1.message.displayName~#~char",
    "displayName": "call1.message.displayName~#~char",
    "accountID": "call1.message.id~#~char"
  },
  "call": [
    {
      "name": "call1",
      "connection": "userAuth",
      "url": "https://graph.microsoft.com/v1.0/users",
      "httpMethod": "Post",
      "httpParams": "{\"accountEnabled\":true,\"userPrincipalName\":\"${accountName}@bmgfdev.onmicrosoft.com\",\"displayName\":\"${requestAccessAttributes?.AccountDisplayName}\", \"surname\": \"${requestAccessAttributes?.AccountLastName}\",\"givenName\": \"${requestAccessAttributes?.AccountFirstName}\",\"userType\":\"Member\",\"employeetype\":\"Service Account\",\"mailNickname\":\"${requestAccessAttributes?.AccountFirstName+'.'+requestAccessAttributes?.AccountLastName}\",\"passwordPolicies\": \"DisablePasswordExpiration\",\"passwordProfile\":{\"forceChangePasswordNextSignIn\":false,\"password\":\"288d71ee-ba79-feb8-238d-55b7ffd4b64d\"}}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Content-Type": "application/json"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          204,
          205
        ]
      },
      "unsuccessResponses": {
        "statusCode": [
          400,
          403,
          401,
          404,
          409,
          501,
          500
        ],
        "odata~dot#error.code": [
          "Request_BadRequest",
          "Authentication_MissingOrMalformed",
          "Request_ResourceNotFound",
          "Authorization_RequestDenied",
          "Authentication_Unauthorized"
        ]
      }
    },
    {
      "name": "call2",
      "connection": "userAuth",
      "url": "https://graph.microsoft.com/beta/users/${response.call1.message.id}/sponsors/\\$ref",
      "httpMethod": "PUT",
      "httpContentType": "application/json",
      "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/beta/users/${ServiceAccountOwnerMap.USEROWNERS.get('1').collect{it.sitei..."}",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "successResponses": {
        "statusCode": [
          200,
          201,
          204,
          205
        ]
      },
      "unsuccessResponses": {
        "statusCode": [
          400,
          403,
          401,
          404,
          409,
          501,
          500
        ],
        "odata~dot#error.code": [
          "Request_BadRequest",
          "Authentication_MissingOrMalformed",
          "Request_ResourceNotFound",
          "Authorization_RequestDenied",
          "Authentication_Unauthorized"
        ]
      }
    }
  ]
}
Thanks
Anitha Mavurapu
01/18/2024 07:28 PM
01/23/2024 02:41 AM - edited 01/23/2024 03:00 AM
Thank you @rushikeshvartak for all your responses. Successfully created an Account / service Account in the AzureAD endpoint with sponsor and manager.
Here is the CreateAccountJSON that worked:
{
  "accountIdPath": "call1.message.id",
  "dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
  "responseColsToPropsMap": {
    "comments": "call1.message.displayName~#~char",
    "displayName": "call1.message.displayName~#~char",
    "accountID": "call1.message.id~#~char"
  },
  "call": [
    {
      "name": "call1",
      "connection": "userAuth",
      "url": "https://graph.microsoft.com/v1.0/users",
      "httpMethod": "Post",
      "httpParams": "{\"accountEnabled\":true,\"userPrincipalName\":\"${accountName}@dev.com\",\"displayName\":\"${requestAccessAttributes?.AccountDisplayName}\", \"surname\": \"${requestAccessAttributes?.AccountLastName}\",\"givenName\": \"${requestAccessAttributes?.AccountFirstName}\",\"userType\":\"Member\",\"employeetype\":\"Service Account\",\"mailNickname\":\"${requestAccessAttributes?.AccountFirstName+'.'+requestAccessAttributes?.AccountLastName}\",\"passwordPolicies\": \"DisablePasswordExpiration\",\"passwordProfile\":{\"forceChangePasswordNextSignIn\":false,\"password\":\"************\"}}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Content-Type": "application/json"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          204,
          205
        ]
      },
      "unsuccessResponses": {
        "statusCode": [
          400,
          403,
          401,
          404,
          409,
          501,
          500
        ],
        "odata~dot#error.code": [
          "Request_BadRequest",
          "Authentication_MissingOrMalformed",
          "Request_ResourceNotFound",
          "Authorization_RequestDenied",
          "Authentication_Unauthorized"
        ]
      }
    },
    {
      "name": "call2",
      "connection": "userAuth",
      "url": "https://graph.microsoft.com/v1.0/users/${response.call1.message.id}/manager/\\$ref",
      "httpMethod": "PUT",
      "httpContentType": "application/json",
      "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/users/${ServiceAccountOwnerMap.USEROWNERS.get('1').collect{it.sitei..."}",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "successResponses": {
        "statusCode": [
          200,
          201,
          204,
          205
        ]
      },
      "unsuccessResponses": {
        "statusCode": [
          400,
          403,
          401,
          404,
          409,
          501,
          500
        ],
        "odata~dot#error.code": [
          "Request_BadRequest",
          "Authentication_MissingOrMalformed",
          "Request_ResourceNotFound",
          "Authorization_RequestDenied",
          "Authentication_Unauthorized"
        ]
      }
    },
    {
      "name": "call3",
      "connection": "userAuth",
      "url": "https://graph.microsoft.com/beta/users/${response.call1.message.id}/sponsors/\\$ref",
      "httpMethod": "POST",
      "httpContentType": "application/json",
      "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/beta/users/${ServiceAccountOwnerMap.USEROWNERS.get('1').collect{it.sitei..."}",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "successResponses": {
        "statusCode": [
          200,
          201,
          204,
          205
        ]
      },
      "unsuccessResponses": {
        "statusCode": [
          400,
          403,
          401,
          404,
          409,
          501,
          500
        ],
        "odata~dot#error.code": [
          "Request_BadRequest",
          "Authentication_MissingOrMalformed",
          "Request_ResourceNotFound",
          "Authorization_RequestDenied",
          "Authentication_Unauthorized"
        ]
      }
    }
  ]
}
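The three-call sequence in the working CreateAccountJSON above (create the user, PUT the manager `$ref`, POST the sponsors `$ref`) and the earlier question about carrying `call1.message.id` into the later calls, as an added example that is not code from the thread, from Saviynt or from Microsoft: a Python walk-through of the same flow against a constructed in-memory stand-in for Microsoft Graph, so it runs offline. `FakeGraph`, `provision_service_account`, the owner id `owner-1` and the domain `example.com` are all assumptions made for the example; the success status codes and the `odata.error.code` values are the ones listed in the thread's config. The response check mirrors what the config's `successResponses` / `unsuccessResponses` blocks express, and the failure test shows the caveat a practitioner should keep in mind: if call2 or call3 fails, the account from call1 already exists without its manager or sponsor, and nothing in the config rolls it back.

```python
"""Added example: simulate Saviynt's chained Graph calls (not the thread's or Saviynt's own code)."""
import re
import uuid

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
GRAPH_BETA = "https://graph.microsoft.com/beta"
SUCCESS_CODES = (200, 201, 204, 205)          # successResponses.statusCode from the config
FAILURE_CODES = {                              # odata~dot#error.code values from the config
    "Request_BadRequest", "Authentication_MissingOrMalformed",
    "Request_ResourceNotFound", "Authorization_RequestDenied",
    "Authentication_Unauthorized",
}
_REF_URL = re.compile(r"https://graph\.microsoft\.com/(v1\.0|beta)/users/([^/]+)/(manager|sponsors)/\$ref")


class ProvisioningError(Exception):
    """Raised when a call matches the config's unsuccessResponses."""
    def __init__(self, call_name, status, code):
        super().__init__(f"{call_name} failed: HTTP {status} ({code})")
        self.call_name, self.status, self.code = call_name, status, code


class FakeGraph:
    """Constructed stand-in for Microsoft Graph (assumption): users, managers and
    sponsors live in dictionaries instead of a tenant."""
    def __init__(self, existing_ids):
        self.users = {uid: {} for uid in existing_ids}
        self.manager = {}     # user id -> manager id
        self.sponsors = {}    # user id -> [sponsor ids]

    def request(self, method, url, body=None):
        if method == "POST" and url == f"{GRAPH_V1}/users":       # call1: create user
            uid = str(uuid.uuid4())
            self.users[uid] = dict(body)
            return 201, {"id": uid, "displayName": body["displayName"]}
        m = _REF_URL.fullmatch(url)
        if not m:
            return 404, {"error": {"code": "Request_ResourceNotFound"}}
        uid, rel = m.group(2), m.group(3)
        target = body["@odata.id"].rsplit("/", 1)[-1]            # id at the end of @odata.id
        if uid not in self.users or target not in self.users:
            return 404, {"error": {"code": "Request_ResourceNotFound"}}
        if rel == "manager" and method == "PUT":                  # call2: single-valued $ref
            self.manager[uid] = target
            return 204, None
        if rel == "sponsors" and method == "POST":                # call3: collection $ref
            self.sponsors.setdefault(uid, []).append(target)
            return 204, None
        return 400, {"error": {"code": "Request_BadRequest"}}


def check_response(call_name, status, body):
    """Apply the config's success/unsuccess evaluation to one response."""
    if status in SUCCESS_CODES:
        return
    code = (body or {}).get("error", {}).get("code")
    raise ProvisioningError(call_name, status, code if code in FAILURE_CODES else "unknown")


def ref_body(base, target_id):
    """Body of a Graph $ref request, as the config builds it in httpParams."""
    return {"@odata.id": f"{base}/users/{target_id}"}


def provision_service_account(graph, account_name, first, last, owner_id, domain="example.com"):
    """call1 creates the user; its id feeds call2 (manager) and call3 (sponsor)."""
    payload = {
        "accountEnabled": True,
        "userPrincipalName": f"{account_name}@{domain}",
        "displayName": f"{first} {last}",
        "surname": last, "givenName": first,
        "userType": "Member", "employeetype": "Service Account",
        "mailNickname": f"{first}.{last}",
    }
    status, body = graph.request("POST", f"{GRAPH_V1}/users", payload)
    check_response("call1", status, body)
    account_id = body["id"]                      # accountIdPath: call1.message.id

    status, body = graph.request("PUT", f"{GRAPH_V1}/users/{account_id}/manager/$ref",
                                 ref_body(GRAPH_V1, owner_id))
    check_response("call2", status, body)

    status, body = graph.request("POST", f"{GRAPH_BETA}/users/{account_id}/sponsors/$ref",
                                 ref_body(GRAPH_BETA, owner_id))
    check_response("call3", status, body)
    # responseColsToPropsMap equivalent: what Saviynt would store for the account
    return {"accountID": account_id, "displayName": payload["displayName"],
            "manager": owner_id, "sponsors": [owner_id]}


if __name__ == "__main__":
    g = FakeGraph(["owner-1"])
    print(provision_service_account(g, "svc-demo", "Jane", "Doe", "owner-1"))
```

The order matters for the same reason it does in the config: the `$ref` URLs need the GUID that only exists once call1 has returned, which is what `${response.call1.message.id}` resolves in Saviynt. Treat a failure on call2 or call3 as a half-provisioned account that needs follow-up, since the create from call1 is not undone.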
01/23/2024 05:14 AM
Are you able to map the owner back to Saviynt under account owner via import?
01/23/2024 05:18 AM - edited 01/23/2024 06:14 AM
Hi @rushikeshvartak, we are not importing the owner from Azure to Saviynt; that is not our requirement. We are assigning the owner during AzureAD account creation in Saviynt.
Thanks
Anitha Mavurapu
01/23/2024 05:21 AM
Can you share the configs?