
Creating Account / Service Account in Azure AD with Sponsors and Manager

AMavurapu
New Contributor III

Hello Everyone,

1. Did anybody populate manager or Sponsors in Azure AD while creating an account in Azure AD?

2. How do we update Sponsor during the create JSON into Azure AD?

3. How do we need to populate or import in Saviynt once we have the Sponsor?

Could you please provide the details of how to achieve the above points that I mentioned. Thanks in advance.

Thanks

Anitha Mavurapu


rushikeshvartak
All-Star

You need to make two calls 

  • create service account
  • update manager as sponsor

PUT https://graph.microsoft.com/v1.0/users/10f17b99-784c-4526-8747-aec8a3159d6a/manager/$ref
Content-type: application/json

{
"@odata.id": "https://graph.microsoft.com/v1.0/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0"
}

https://learn.microsoft.com/en-us/graph/api/user-post-manager?view=graph-rest-1.0&tabs=http

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Thank you @rushikeshvartak for providing the above details. Will update this post after validating.

AMavurapu
New Contributor III

Hi @rushikeshvartak ,

We understand that we need to call 2 APIs in the same create account JSON; however, the second call requires the user's ID (GUID). Wondering how we populate the ID in the second call when we create the user account in the first call.

Thanks

Anitha Mavurapu

{ 
			"name": "call2", 
			"connection": "userAuth",
			"url": "https://graph.microsoft.com/v1.0/users/${response.call1.message.id}/manager/\\$ref", 
			"httpMethod": "PUT", 
			"httpContentType": "application/json",
			"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/users/${ServiceAccountOwnerMap.USEROWNERS.get('1').collect{it.siteid}.join(',')}\"}",
			"httpHeaders": { 
				"Authorization": "${access_token}" 
			}, 
			"successResponses": { 
				"statusCode": [
					204 
				] 
			}, 
			"unsuccessResponses": { 
				"odata~dot#error.code": "Request_BadRequest,Authentication_MissingOrMalformed,Request_ResourceNotFound,Authorization_RequestDenied,Authentication_Unauthoriz" 
			}
		} 

Regards,
Rushikesh Vartak

Hi @rushikeshvartak,

It worked, and thanks for your help. However, we had to take/read the account ID at the account level for the owner and had to populate the site ID at the user level to get it working. Are there any approaches to populate the GUID/account ID at the user level, or how do we need to bring the account ID from the AzureAD security system to populate the site ID at the user level?

Note: It is working fine when we populate the site ID manually.

Thanks in advance.

Anitha Mavurapu

You need the sav4sav connector to populate the account attribute to the user.


Regards,
Rushikesh Vartak

Thanks for your above response @rushikeshvartak.

How can we populate Sponsor in Azure AD while creating a service account in Azure AD? Below is the CreateAccountJSON that we tried to populate sponsor with, but it's not working.

{
"accountIdPath": "call1.message.id",
"dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
"responseColsToPropsMap": {
"comments": "call1.message.displayName~#~char",
"displayName": "call1.message.displayName~#~char",
"accountID": "call1.message.id~#~char"
},
"call": [
{
"name": "call1",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/users",
"httpMethod": "Post",
"httpParams": "{\"accountEnabled\":true,\"userPrincipalName\":\"${accountName}@bmgfdev.onmicrosoft.com\",\"displayName\":\"${requestAccessAttributes?.AccountDisplayName}\", \"surname\": \"${requestAccessAttributes?.AccountLastName}\",\"givenName\": \"${requestAccessAttributes?.AccountFirstName}\",\"userType\":\"Member\",\"employeetype\":\"Service Account\",\"mailNickname\":\"${requestAccessAttributes?.AccountFirstName+'.'+requestAccessAttributes?.AccountLastName}\",\"passwordPolicies\": \"DisablePasswordExpiration\",\"passwordProfile\":{\"forceChangePasswordNextSignIn\":false,\"password\":\"288d71ee-ba79-feb8-238d-55b7ffd4b64d\"}}",
"httpHeaders": {
"Authorization": "${access_token}",
"Content-Type": "application/json"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
},
"unsuccessResponses": {
"statusCode": [
400,
403,
401,
404,
409,
501,
500
],
"odata~dot#error.code": [
"Request_BadRequest",
"Authentication_MissingOrMalformed",
"Request_ResourceNotFound",
"Authorization_RequestDenied",
"Authentication_Unauthorized"
]
}
},
{
"name": "call2",
"connection": "userAuth",
"url": "https://graph.microsoft.com/beta/users/${response.call1.message.id}/sponsors/\\$ref",
"httpMethod": "PUT",
"httpContentType": "application/json",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/beta/users/${ServiceAccountOwnerMap.USEROWNERS.get('1').collect{it.sitei..."}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
},
"unsuccessResponses": {
"statusCode": [
400,
403,
401,
404,
409,
501,
500
],
"odata~dot#error.code": [
"Request_BadRequest",
"Authentication_MissingOrMalformed",
"Request_ResourceNotFound",
"Authorization_RequestDenied",
"Authentication_Unauthorized"
]
}
}
]
}

Thanks

Anitha Mavurapu

  • Does it work from Postman?
  • What is the error from Saviynt?

Regards,
Rushikesh Vartak

Thank you @rushikeshvartak for all your responses. Successfully created an Account / Service Account in the AzureAD endpoint with sponsor and manager.

Here is the CreateAccountJSON that worked:

{
"accountIdPath": "call1.message.id",
"dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
"responseColsToPropsMap": {
"comments": "call1.message.displayName~#~char",
"displayName": "call1.message.displayName~#~char",
"accountID": "call1.message.id~#~char"
},
"call": [
{
"name": "call1",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/users",
"httpMethod": "Post",
"httpParams": "{\"accountEnabled\":true,\"userPrincipalName\":\"${accountName}@dev.com\",\"displayName\":\"${requestAccessAttributes?.AccountDisplayName}\", \"surname\": \"${requestAccessAttributes?.AccountLastName}\",\"givenName\": \"${requestAccessAttributes?.AccountFirstName}\",\"userType\":\"Member\",\"employeetype\":\"Service Account\",\"mailNickname\":\"${requestAccessAttributes?.AccountFirstName+'.'+requestAccessAttributes?.AccountLastName}\",\"passwordPolicies\": \"DisablePasswordExpiration\",\"passwordProfile\":{\"forceChangePasswordNextSignIn\":false,\"password\":\"************\"}}",
"httpHeaders": {
"Authorization": "${access_token}",
"Content-Type": "application/json"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
},
"unsuccessResponses": {
"statusCode": [
400,
403,
401,
404,
409,
501,
500
],
"odata~dot#error.code": [
"Request_BadRequest",
"Authentication_MissingOrMalformed",
"Request_ResourceNotFound",
"Authorization_RequestDenied",
"Authentication_Unauthorized"
]
}
},
{
"name": "call2",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/users/${response.call1.message.id}/manager/\\$ref",
"httpMethod": "PUT",
"httpContentType": "application/json",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/users/${ServiceAccountOwnerMap.USEROWNERS.get('1').collect{it.sitei..."}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
},
"unsuccessResponses": {
"statusCode": [
400,
403,
401,
404,
409,
501,
500
],
"odata~dot#error.code": [
"Request_BadRequest",
"Authentication_MissingOrMalformed",
"Request_ResourceNotFound",
"Authorization_RequestDenied",
"Authentication_Unauthorized"
]
}
},
{
"name": "call3",
"connection": "userAuth",
"url": "https://graph.microsoft.com/beta/users/${response.call1.message.id}/sponsors/\\$ref",
"httpMethod": "POST",
"httpContentType": "application/json",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/beta/users/${ServiceAccountOwnerMap.USEROWNERS.get('1').collect{it.sitei..."}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
},
"unsuccessResponses": {
"statusCode": [
400,
403,
401,
404,
409,
501,
500
],
"odata~dot#error.code": [
"Request_BadRequest",
"Authentication_MissingOrMalformed",
"Request_ResourceNotFound",
"Authorization_RequestDenied",
"Authentication_Unauthorized"
]
}
}
]
}
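The three-call flow above (create the user, then link the manager with PUT on v1.0 and a sponsor with POST on beta, both reusing the id returned by call 1) is shown below as an added Python example; it is not part of this thread or of Saviynt's connector. The `send` transport and `FakeGraph` stand-in are assumptions so it runs offline, and the owner id is passed in directly in place of the `ServiceAccountOwnerMap` lookup.

```python
import secrets
import uuid

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
GRAPH_BETA = "https://graph.microsoft.com/beta"

def provision_service_account(send, token, upn, display_name, owner_id):
    """send(method, url, headers, body) -> (status, json); later calls reuse the id from call 1."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = {"accountEnabled": True, "userPrincipalName": upn, "displayName": display_name,
            "mailNickname": upn.split("@")[0],
            # random one-time password rather than a literal embedded in connector JSON
            "passwordProfile": {"forceChangePasswordNextSignIn": False,
                                "password": secrets.token_urlsafe(24)}}
    status, created = send("POST", f"{GRAPH_V1}/users", headers, body)
    if status != 201 or "id" not in created:
        raise RuntimeError(f"call1 failed: HTTP {status} {created}")
    new_id = created["id"]  # what ${response.call1.message.id} resolves to
    # manager is single-valued on v1.0, so its link is PUT; sponsors is multi-valued
    # and beta-only, so a link is POSTed. Graph answers 204 No Content to both.
    for method, base, rel in (("PUT", GRAPH_V1, "manager"), ("POST", GRAPH_BETA, "sponsors")):
        status, err = send(method, f"{base}/users/{new_id}/{rel}/$ref", headers,
                           {"@odata.id": f"{base}/users/{owner_id}"})
        if status != 204:
            raise RuntimeError(f"{rel} link failed: HTTP {status} {err}")
    return {"id": new_id, "manager": owner_id, "sponsors": [owner_id]}

class FakeGraph:
    """Constructed in-memory stand-in for Graph (assumption): records calls, mimics status codes."""
    def __init__(self):
        self.users, self.calls = {}, []
    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {"error": {"code": "Authentication_MissingOrMalformed"}}
        path = url.split("/users", 1)[1].strip("/")  # "" on create, "<id>/<rel>/$ref" after
        if method == "POST" and path == "":
            uid = str(uuid.uuid4())
            self.users[uid] = {"upn": body["userPrincipalName"], "manager": None, "sponsors": []}
            return 201, {"id": uid, "displayName": body["displayName"]}
        uid, rel = path.split("/", 1)
        target = body["@odata.id"].rsplit("/", 1)[1]
        if (method, rel) == ("PUT", "manager/$ref"):
            self.users[uid]["manager"] = target
            return 204, {}
        if (method, rel) == ("POST", "sponsors/$ref"):
            self.users[uid]["sponsors"].append(target)
            return 204, {}
        return 400, {"error": {"code": "Request_BadRequest"}}
```

Swapping `FakeGraph` for a real HTTPS transport that returns `(status_code, response.json())` is enough to run the same sequence against Graph.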

Are you able to map the owner back to Saviynt under account owner via import?


Regards,
Rushikesh Vartak

Hi @rushikeshvartak, we are not importing the owner from Azure to Saviynt; that is not our requirement. We are assigning the owner during AzureAD account creation in Saviynt.

Thanks

Anitha Mavurapu


Can you share the configs?

@JK 


Regards,
Rushikesh Vartak