4.2 Azure AD MS Graph Fulfillment

OpenText Identity Governance uses the Azure AD MS Graph fulfiller to automatically assign or remove permissions from user accounts and to add or remove members of Microsoft 365 and Security groups. OpenText Identity Governance does not support adding or removing members of Distribution List and Mail-enabled Security groups, because Microsoft Graph group APIs cannot manage mail-enabled and distribution groups.

The template supports the following fulfillment change requests:

  • ADD_APPLICATION_TO_USER

  • ADD_PERMISSION_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • REMOVE_PERMISSION_ASSIGNMENT

  • REMOVE_ACCOUNT

  • REMOVE_APPLICATION_FROM_USER

  • REMOVE_ACCOUNT_ASSIGNMENT

To fulfill these change requests, you need the following API permissions, listed from least to most privileged.

Change request: Add application to user
  Permission class: (none)
  Permission type: Application and Delegated
  Permissions:
    • User.ReadWrite.All
    • Directory.ReadWrite.All

Change requests: Add permission to user, Remove permission assignment, Remove account permission
  Permission class: Directory Roles
    Permission type: Application and Delegated
    Permissions:
      • RoleManagement.ReadWrite.Directory
  Permission class: Groups
    Permission type: Application and Delegated
    Permissions:
      • GroupMember.ReadWrite.All
  Permission class: Service plan
    Permission type: Application and Delegated
    Permissions:
      • LicenseAssignment.ReadWrite.All
      • Directory.ReadWrite.All
      • User.ReadWrite.All

Change requests: Remove application from user, Remove account, Remove account permission
  Permission class: (none)
  Permission type: Delegated
    Permissions:
      • User.ReadWrite
      • User.ManageIdentities.All
      • User.EnableDisableAccount.All
      • User.ReadWrite.All
      • Directory.ReadWrite.All
  Permission type: Application
    Permissions:
      • User.ManageIdentities.All
      • User.EnableDisableAccount.All
      • User.ReadWrite.All
      • Directory.ReadWrite.All
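Because each row lists its permissions from least to most privileged, the table doubles as a least-privilege checklist for the fulfiller's app registration. The following script is an added example, not OpenText or Microsoft code: it restates the table rows above as data and compares them against the permissions actually consented to the app, reporting rows that are not covered at all and rows where a broader permission is granted alongside the narrower one that already suffices. It assumes, as the ordering implies, that any one permission in a row is enough for that row's change requests; the sample granted list and the function names are constructed for the example.

```javascript
// Added example; not OpenText or Microsoft code. REQUIRED restates the rows of
// the permission table in the documentation, each row's permissions in the
// order given there (least to most privileged). The audit assumes, as that
// ordering implies, that any one permission in a row suffices for the row.
const PERMISSION_REQUESTS = [
  "ADD_PERMISSION_TO_USER", "REMOVE_PERMISSION_ASSIGNMENT", "REMOVE_ACCOUNT_PERMISSION",
];
const REMOVE_REQUESTS = [
  "REMOVE_APPLICATION_FROM_USER", "REMOVE_ACCOUNT", "REMOVE_ACCOUNT_PERMISSION",
];

const REQUIRED = [
  { requests: ["ADD_APPLICATION_TO_USER"], permissionClass: null,
    types: ["Application", "Delegated"],
    permissions: ["User.ReadWrite.All", "Directory.ReadWrite.All"] },
  { requests: PERMISSION_REQUESTS, permissionClass: "Directory Roles",
    types: ["Application", "Delegated"],
    permissions: ["RoleManagement.ReadWrite.Directory"] },
  { requests: PERMISSION_REQUESTS, permissionClass: "Groups",
    types: ["Application", "Delegated"],
    permissions: ["GroupMember.ReadWrite.All"] },
  { requests: PERMISSION_REQUESTS, permissionClass: "Service plan",
    types: ["Application", "Delegated"],
    permissions: ["LicenseAssignment.ReadWrite.All", "Directory.ReadWrite.All", "User.ReadWrite.All"] },
  { requests: REMOVE_REQUESTS, permissionClass: null, types: ["Delegated"],
    permissions: ["User.ReadWrite", "User.ManageIdentities.All", "User.EnableDisableAccount.All",
                  "User.ReadWrite.All", "Directory.ReadWrite.All"] },
  { requests: REMOVE_REQUESTS, permissionClass: null, types: ["Application"],
    permissions: ["User.ManageIdentities.All", "User.EnableDisableAccount.All",
                  "User.ReadWrite.All", "Directory.ReadWrite.All"] },
];

// granted: permission names consented for the fulfiller's app registration.
// permissionType: "Application" or "Delegated", matching how the fulfiller
// authenticates. enabledRequests: the change request types the deployment
// actually fulfils. Returns one finding per applicable table row.
function auditGrants(granted, permissionType, enabledRequests) {
  const have = new Set(granted);
  const findings = [];
  for (const row of REQUIRED) {
    if (!row.types.includes(permissionType)) continue;
    if (!row.requests.some((r) => enabledRequests.includes(r))) continue;
    const scope = row.permissionClass
      ? `${row.requests.join(" / ")} [${row.permissionClass}]`
      : row.requests.join(" / ");
    // First granted entry in least-to-most order is the one the row needs.
    const idx = row.permissions.findIndex((p) => have.has(p));
    if (idx < 0) {
      findings.push({ scope, status: "missing", needOneOf: row.permissions });
      continue;
    }
    // Anything later in the row than that entry is a broader permission this
    // row does not need; flag it for review unless another row depends on it.
    const broader = row.permissions.slice(idx + 1).filter((p) => have.has(p));
    findings.push({
      scope,
      status: broader.length ? "broader-also-granted" : "ok",
      satisfiedBy: row.permissions[idx],
      broaderAlsoGranted: broader,
    });
  }
  return findings;
}

// Constructed sample: an app registration granted the broad
// Directory.ReadWrite.All alongside the narrower permissions it needs.
const sampleGranted = ["User.ReadWrite.All", "Directory.ReadWrite.All", "GroupMember.ReadWrite.All"];
const sampleFindings = auditGrants(sampleGranted, "Application",
  ["ADD_APPLICATION_TO_USER", "ADD_PERMISSION_TO_USER"]);
console.log(JSON.stringify(sampleFindings, null, 2));
```

A "broader-also-granted" finding is a prompt to check whether the wider permission is carried by another row (for example, Directory.ReadWrite.All standing in for LicenseAssignment.ReadWrite.All in the Service plan row) or can be removed; a "missing" finding means the row's change requests will fail at fulfillment time.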

The Azure AD MS Graph fulfiller has a default mapping for some mandatory attributes. The Azure application requires these mandatory attributes to create an account, so for fulfillment to succeed you must add them to the Fulfillment Context attribute. The following table lists the attributes.

Fulfillment Context Attribute: Recipient
  Attributes:
    • User ID from Source
    • Last Name
    • First Name
    • Full Name
    • Email
    • Employee Status

Fulfillment Context Attribute: Account
  Attributes:
    • Account ID from Source
    • Account Disabled

Fulfillment Context Attribute: Permission
  Attributes:
    • Permission Type
    • Permission ID from Source

NOTE: We recommend that, when adding users to the Azure application, you provide a unique mailNickName for each user. This prevents the error that occurs when you try to add two users with the same first and last name. The ECMA script includes logic for creating a unique mailNickName, but you can customize it to meet your requirements.

In addition to this list of attributes, you can configure other attributes in the collector template, such as department, title, job codes, or workforce ID, to match the requirements of your application. However, you must also add them to the Fulfillment Context attribute. Then, while configuring the fulfiller, go to Fulfillment item configuration and mapping, click {..}, and edit the transform script for User Profile.

In the transform script, add the native application key to outUserProfile and assign it the value of the corresponding fulfillment context attribute key from inUserProfile. For example, for the attribute Workforce ID, edit the transform script to:

// Map the Workforce ID fulfillment context attribute to the native employeeId key
if (inUserProfile.workforceId) outUserProfile["employeeId"] = inUserProfile.workforceId;

NOTE: If you want to specify Workforce ID as the attribute for matching identities to accounts and permissions, then while configuring the collector template you must map Workforce ID to the native ID value (for example, employeeId) and set it as the matching rule.
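The one-line Workforce ID mapping above is the pattern for every attribute in the transform script. The following is an added example of a complete User Profile transform in that style, together with the unique mailNickname logic the note above recommends; it is not the ECMA script that ships with OpenText Identity Governance. Only workforceId appears in the documentation: the other inUserProfile keys (firstName, lastName, fullName, email, accountDisabled), the helper names, and the mapping of email to userPrincipalName are assumptions, while the outUserProfile keys are Microsoft Graph user properties.

```javascript
// Added example of a User Profile transform script for the Azure AD MS Graph
// fulfiller; not the ECMA script that ships with OpenText Identity Governance.
// Only workforceId appears in the documentation: the other inUserProfile keys
// (firstName, lastName, fullName, email, accountDisabled) are assumed names for
// the fulfillment context attributes. outUserProfile keys are Graph user
// properties.

// Keep only characters that are safe in a mailNickname (letters, digits, "_",
// "." and "-"), fold accents away, and trim to the 64-character limit.
function sanitizeNickname(raw) {
  return String(raw == null ? "" : raw)
    .normalize("NFKD")
    .replace(/[^\w.-]/g, "")
    .slice(0, 64)
    .toLowerCase();
}

// Derive a mailNickname from first and last name. When that value is already
// taken, append the lowest free numeric suffix so that two users with the same
// first and last name do not end up with the same mailNickname.
// `existing` is a Set of nicknames already present in the tenant.
function uniqueMailNickname(firstName, lastName, existing) {
  const parts = [firstName, lastName].map(sanitizeNickname).filter(Boolean);
  const base = parts.join(".").slice(0, 64) || "user";
  if (!existing.has(base)) return base;
  for (let n = 2; ; n++) {
    const suffix = String(n);
    const candidate = base.slice(0, 64 - suffix.length) + suffix;
    if (!existing.has(candidate)) return candidate;
  }
}

// The transform body: every mapping is guarded, so an attribute missing from
// the fulfillment context is simply not sent to Graph.
function transformUserProfile(inUserProfile, existingNicknames) {
  const outUserProfile = {};
  if (inUserProfile.firstName) outUserProfile["givenName"] = inUserProfile.firstName;
  if (inUserProfile.lastName) outUserProfile["surname"] = inUserProfile.lastName;
  if (inUserProfile.fullName) outUserProfile["displayName"] = inUserProfile.fullName;
  // Assumed mapping: the source email becomes the userPrincipalName.
  if (inUserProfile.email) outUserProfile["userPrincipalName"] = inUserProfile.email;
  if (inUserProfile.workforceId) outUserProfile["employeeId"] = inUserProfile.workforceId;
  // The context carries "Account Disabled"; Graph expects the inverse flag.
  if (typeof inUserProfile.accountDisabled === "boolean") {
    outUserProfile["accountEnabled"] = !inUserProfile.accountDisabled;
  }
  outUserProfile["mailNickname"] = uniqueMailNickname(
    inUserProfile.firstName, inUserProfile.lastName, existingNicknames);
  return outUserProfile;
}

// Constructed sample: a second "Jane Doe" arrives while "jane.doe" is taken.
const takenNicknames = new Set(["jane.doe"]);
const sampleProfile = {
  firstName: "Jane", lastName: "Doe", fullName: "Jane Doe",
  email: "jane.doe2@example.com", workforceId: "W-1002", accountDisabled: false,
};
console.log(JSON.stringify(transformUserProfile(sampleProfile, takenNicknames), null, 2));
```

In a real deployment the `existing` set would be populated from the tenant rather than constructed inline, and the suffix loop is what keeps the second "Jane Doe" from failing with a duplicate mailNickname.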

OpenText Identity Governance uses the Azure AD MS Graph fulfiller to provision and deprovision users as a group from the SharePoint Team site. The following change requests are supported when provisioning and deprovisioning users as a group from the SharePoint Team site:

  • ADD_PERMISSION_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • REMOVE_PERMISSION_ASSIGNMENT