Please could you help me with a scenario?
We have on-prem AD as the target system, where Saviynt provisions all new users. This on-prem AD syncs accounts to AzureAD every 30 minutes. Then we reconcile AzureAD to get the synced accounts into Saviynt.
The scenario is that we have to provision a SKU as a birthright into the AzureAD account on any new user creation. But we do not want to create a user in AzureAD, only provision the SKU as an entitlement to the reconciled account once it is synced from on-prem AD to AzureAD.
Is there a way that we can wait for the account to be reconciled before running birthright?
If we trigger birthright before recon, then the AzureAD connector will try to create a new account, which we don't want.
We can delay the task creation from the User Update Rule but we may not be able to delay the provisioning to Azure AD.
In the User Update rule you can select the option to delay triggering the tech rule from the below option, though this value is only in days.
I was thinking of it like this... tell me what you think.
Write a custom query to find AzureAD accounts reconciled "Today" which don't have the entitlement that we want to add. Take the owner of that account and update a customproperty in the Users table with, say, the "Today()" date.
Then use a UserUpdate rule to check that User customproperty for a change, and also maybe today's date, and provision the entitlement against the AzureAD account of that user.
It will be like a detective rule.
Could you please elaborate on how that would go? I do have Saviynt4Saviynt enabled and it does show as an account in each user.
How do I use it to check which AzureAD account was reconciled today for the users?
I personally would just make an actionable analytics that runs every 30 mins, finds all Azure accounts without the said entitlement, and creates an add access task for that entitlement. So this automatically just works on those accounts which are already reconciled to Saviynt.
That way all your logic is in one place, you don't need a birthright rule, or a custom query job, or a Saviynt4Saviynt connection.
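
The detective logic proposed in the last reply, as an added example that is not part of the thread and not Saviynt's own code. The tables, columns, status values and the `SKU_E3` name are a simplified, hypothetical stand-in (not Saviynt's schema), and the check for an already-open task is an added assumption so that a 30-minute schedule does not raise duplicate tasks.

```python
import sqlite3

# Simplified stand-in schema (hypothetical; not Saviynt's real tables).
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, endpoint TEXT, status TEXT);
CREATE TABLE account_entitlements (account_id INTEGER, entitlement TEXT);
CREATE TABLE tasks (account_id INTEGER, entitlement TEXT, type TEXT, status TEXT);
"""

# Reconciled, active accounts on the endpoint that neither hold the SKU
# nor already have an open add-access task for it.
QUERY = """
SELECT a.id, a.name
FROM accounts a
WHERE a.endpoint = :endpoint
  AND a.status = 'ACTIVE'
  AND NOT EXISTS (SELECT 1 FROM account_entitlements ae
                  WHERE ae.account_id = a.id AND ae.entitlement = :sku)
  AND NOT EXISTS (SELECT 1 FROM tasks t
                  WHERE t.account_id = a.id AND t.entitlement = :sku
                    AND t.type = 'ADD_ACCESS' AND t.status = 'OPEN')
ORDER BY a.id
"""

def accounts_missing_sku(conn, endpoint, sku):
    params = {"endpoint": endpoint, "sku": sku}
    return conn.execute(QUERY, params).fetchall()

def run_cycle(conn, endpoint, sku):
    """One scheduled run: open a task for every account the query returns."""
    found = accounts_missing_sku(conn, endpoint, sku)
    conn.executemany("INSERT INTO tasks VALUES (?, ?, 'ADD_ACCESS', 'OPEN')",
                     [(acc_id, sku) for acc_id, _ in found])
    return [name for _, name in found]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample data.
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", [
        (1, "alice", "AzureAD", "ACTIVE"),    # has the SKU already
        (2, "bob", "AzureAD", "ACTIVE"),      # reconciled, no SKU yet
        (3, "carol", "AzureAD", "INACTIVE"),  # disabled account
        (4, "dave", "OnPremAD", "ACTIVE"),    # not yet synced to AzureAD
    ])
    conn.execute("INSERT INTO account_entitlements VALUES (1, 'SKU_E3')")
    first = run_cycle(conn, "AzureAD", "SKU_E3")
    second = run_cycle(conn, "AzureAD", "SKU_E3")  # 30 minutes later
    return first, second

if __name__ == "__main__":
    print(demo())
```

Because the query only ever sees accounts that already exist on the AzureAD endpoint, a user who has not been synced and reconciled yet is simply picked up by a later run, and no account-creation request is raised.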