For anyone using Power Automate, one big thing not mentioned is that by default, Power Automate a HTTP request will not return a 202, only 200. This will not give you a location to query the log, so you can programmatically adjust for errors. The solution is to go into the settings of the HTTP node, and uncheck "Asynchronous pattern". This will give you the 202, with the location in the header. From there you can loop-wait a GET request until the value populates to let you know if it was successful or not.
Hey. Awesome work by the way! Just a quick question here: Is there a way to send the users via API to be a part of certain AD Groups if I am using API Driven Inbound provisioning for on-premises AD while provisioning. We can do for Entra Only Groups via Workflows but what if there is a requirement for adding the users on-premises AD Groups. Thanks
Nick, you say it’s free for MSPs but you’re using a premium action. Also why create service account as a registered app when you can simply use the Azure AD action to create a new user? I don’t understand why you chose to do it this way.
Hey Nick, I did the test and I got error format, to fix this: For the graph-explorer, It miss in the video the portion: Request headers "Key": Content-type "Value": Application/scim+json excellent video, very helpful for all of us, thank you very much.. I waiting the portion of OAUTH that you told is sound scary
One question, how to handle passwords with user provisioning? This would create accounts without password? Not looking for identity workflow related licenses
This is the best video on the platform so far, thank you . Now I'm wondering if it is possible to send user data to an API endpoint in our web application after creating, deleting or updating a user in Entra ID/Azure AD. So both parties remain in sync.
nice, this would have been much more easier if would have not talked about employeeid.. so starting anything with basic works fine and then keep adding layers and complexity. it is completely new concept but at least i got how this provisioning work....
BambooHR has a nice API you could use, probably a Powershell or a logic app. We do this at AutoIDM if you don't want to setup, and maintain this all yourself.
Great stuff. Much appreciated. But will it be feasible to run in a trustless, disconnected multi-forest setup? So we would somehow have to distinguish if a user should go to AD1, AD2 or even AAD only... 🤔
Since you can create multiple instances of the service this would definitely be possible and you would map each one 1:1 with where you wanted to route. Would just be pretty complex logic most likely to determine the routing from there like you are saying. Each one would have to hit a specific endpoint.
@@t-minus365 So I would need e.g. 3 different services - for AD1, AD2, AAD and then prefilter hiring CSVs to only contain relevant data for the specific location's service? Yeah that way should work I guess. :) But there is no conditional logic to only import a user if locations matches AD1 or something similar?
For anyone using Power Automate, one big thing not mentioned is that by default, Power Automate a HTTP request will not return a 202, only 200. This will not give you a location to query the log, so you can programmatically adjust for errors.
The solution is to go into the settings of the HTTP node, and uncheck "Asynchronous pattern". This will give you the 202, with the location in the header. From there you can loop-wait a GET request until the value populates to let you know if it was successful or not.
Hey.
Awesome work by the way!
Just a quick question here: Is there a way to send the users via API to be a part of certain AD Groups if I am using API Driven Inbound provisioning for on-premises AD while provisioning.
We can do for Entra Only Groups via Workflows but what if there is a requirement for adding the users on-premises AD Groups.
Thanks
How do you deconflict UPNs - for example, John Doe is already an employee, and you hire another employee with the same name...
Great Work Nick
Nick, you say it’s free for MSPs but you’re using a premium action. Also why create service account as a registered app when you can simply use the Azure AD action to create a new user? I don’t understand why you chose to do it this way.
constantly getting error 400 :(
{
"error": {
"code": "UnknownError",
"message": "Invalid Data Format",
"innerError": {
"date": "2024-02-25T10:17:05",
"request-id": "###",
"client-request-id": "###"
}
}
}
Hey Nick,
I did the test and I got error format, to fix this:
For the graph-explorer, It miss in the video the portion:
Request headers
"Key": Content-type
"Value": Application/scim+json
excellent video, very helpful for all of us,
thank you very much..
I waiting the portion of OAUTH that you told is sound scary
One question, how to handle passwords with user provisioning? This would create accounts without password? Not looking for identity workflow related licenses
This is the best video on the platform so far, thank you . Now I'm wondering if it is possible to send user data to an API endpoint in our web application after creating, deleting or updating a user in Entra ID/Azure AD. So both parties remain in sync.
nice, this would have been much more easier if would have not talked about employeeid.. so starting anything with basic works fine and then keep adding layers and complexity. it is completely new concept but at least i got how this provisioning work....
Awesome overview, thanks Nick.
Glad you liked it!
What’s the best method to send data from BambooHR to the provisioning app?
BambooHR has a nice API you could use, probably a Powershell or a logic app. We do this at AutoIDM if you don't want to setup, and maintain this all yourself.
Great stuff. Much appreciated.
But will it be feasible to run in a trustless, disconnected multi-forest setup?
So we would somehow have to distinguish if a user should go to AD1, AD2 or even AAD only... 🤔
Since you can create multiple instances of the service this would definitely be possible and you would map each one 1:1 with where you wanted to route. Would just be pretty complex logic most likely to determine the routing from there like you are saying. Each one would have to hit a specific endpoint.
@@t-minus365 So I would need e.g. 3 different services - for AD1, AD2, AAD and then prefilter hiring CSVs to only contain relevant data for the specific location's service? Yeah that way should work I guess. :)
But there is no conditional logic to only import a user if locations matches AD1 or something similar?