
A Safe Provisioning Flow
Date Posted:
11 Jul 2025
Category:
Security

Introduction to the Safe Provisioning Flow
A role with two Access Profiles needs to be provisioned from ISC. Of the two access profiles, one is for the Active Directory source and the other is for the Entra ID source.
Problem Statement
Duplicate accounts are created in Entra ID when the CREATE operation is provisioned to both sources.
The cause is that AD and Entra ID are kept in sync: when an account is created in AD, it is synchronized to Entra ID and an account is created there as well.
Consequently, duplicate accounts are generated whenever Entra ID provisioning via SailPoint occurs; that is, two accounts are created in Entra ID, one from the AD sync and the other from SailPoint.
Findings
We must allow the CREATE operation only in AD, not in Entra ID.
Since AD and Entra ID are in sync, the account will be synchronized from AD to Entra ID.
Depending on traffic, the entire syncing procedure could take an hour or longer.
Aggregation from Entra ID into SailPoint will require a few more minutes.
Therefore, the entire operation might take two hours.
Solution
1. Roles need to be split
Present situation: one role contains access profiles from two distinct sources.
To stop the provisioning process to Entra ID, we need to split those access profiles into two distinct roles.
The CREATE account operation must be executed only in AD, not in Entra ID.
Since the account has already been created via AD, we must initiate a MODIFY provisioning to Entra ID after an hour, so that no duplicate account is created.
Dimension:
We must first set up the role that grants access to AD. Thus, an AD account will be created.
Second, configure the role that holds the Entra ID access profile. The Entra ID entitlement, that is, the licence, needs to be assigned.
Add the Entra ID entitlement to the role:
Set the criteria as Entitlement – AD Source – Equals – Name of the entitlement
With this criterion, provisioning to Entra ID happens whenever the user is assigned the specified AD entitlement.
Drawbacks:
There is still a chance of duplicate account creation in Entra ID, because SailPoint does not know whether the account exists in Entra ID until the next aggregation.
2. Workflow creation for Entra provisioning with a time delay (for Entra tenants where only AD accounts are synced)
The workflow is the second step.
For this we have to create the workflow using the following trigger and operations:
Trigger: AD provisioning success
Get accounts
Wait operation for 1 hour
Aggregate the Entra source
Check whether the user has an account in Entra ID or not
If no account exists, move to the End step
Use another wait operation for one hour
Aggregate the Entra source
If an account exists → Manage Access – for Entra ID – Get Access (Modify)
End step
3. Triggering Task Scheduler with a script
We can automate the AD to Entra ID sync so that it happens immediately when an AD account is created. For this we use Task Scheduler and a PowerShell script.
We control the synchronization to Entra ID by running a PowerShell script from a Task Scheduler trigger that fires when a new AD user is created.
We start with the following command (the ADSync module's cmdlet; the post's original rendering of it was garbled):
Start-ADSyncSyncCycle -PolicyType Delta → start a delta sync cycle immediately in response to the event.
By using this script, we are specifying that, rather than waiting for the scheduled sync, the account will sync to Entra ID whenever it is created in AD.
Steps to Configure
Step 1: Open Task Scheduler on the Active Directory server, the Domain Controller.

Step 2: Create a Basic Task.
This opens a wizard that helps schedule tasks easily.

Step 3: On the trigger page, create a new event trigger and enter event ID 4720 (a user account was created) so that the task runs on that event.

Step 4: Under Actions, choose the PowerShell script file that will automate the syncing process from AD to Entra ID.

Step 5: PowerShell command
Start-ADSyncSyncCycle -PolicyType Delta → start the sync now, driven by the specific event.
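The two pieces steps 3 to 5 describe, as an added example that is not the post's own script: the script the task runs (which waits if a sync cycle is already in progress, since Start-ADSyncSyncCycle fails in that case) and the one-time registration of the task with a Security event 4720 trigger. It assumes the ADSync module (Microsoft Entra Connect) is installed on the host where the task runs (if Entra Connect sits on a separate server, event 4720 must be forwarded there or the script invoked remotely); the file path, task name and service account are constructed placeholders.

```powershell
# Added example, not the post's own script. Assumes the ADSync module (Microsoft
# Entra Connect) is installed on the host where the task runs; paths, task and
# account names below are constructed placeholders.

# --- Part 1: C:\Scripts\Sync-OnUserCreated.ps1, run by the scheduled task ---
Import-Module ADSync
$log = 'C:\ProgramData\AdSyncTrigger\sync-trigger.log'
New-Item -ItemType Directory -Path (Split-Path $log) -Force | Out-Null

# Start-ADSyncSyncCycle fails if a cycle is already running (e.g. several 4720
# events in quick succession), so wait up to two minutes for it to finish.
for ($i = 0; $i -lt 12 -and (Get-ADSyncScheduler).SyncCycleInProgress; $i++) {
    Start-Sleep -Seconds 10
}
try {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    "$(Get-Date -Format o) delta sync started after event 4720" | Add-Content $log
} catch {
    "$(Get-Date -Format o) sync not started: $($_.Exception.Message)" | Add-Content $log
}

# --- Part 2: register the task once, from an elevated session -----------------
# New-ScheduledTaskTrigger cannot build event triggers, so use the CIM class.
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger `
                        -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = @"
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">*[System[EventID=4720]]</Select>
</Query></QueryList>
"@
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -File "C:\Scripts\Sync-OnUserCreated.ps1"'
# The task account must be a member of the local ADSyncAdmins group, otherwise
# the sync cmdlets are denied; it needs no domain admin rights.
Register-ScheduledTask -TaskName 'AD-EntraSync-OnUserCreated' -Trigger $trigger `
    -Action $action -User 'CONTOSO\svc-adsync-trigger' `
    -Password (Read-Host 'Task account password') -RunLevel Highest -Force
```

The log file gives a per-event record to compare against the Event Viewer entries mentioned below when checking that each account creation produced exactly one sync cycle.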


Event Viewer for reference: this displays the name of the event and the task category.

a. Event Viewer is the logging system where all synchronization processes are recorded.
b. It includes event IDs, the accounts that were synced, and detailed logs related to those events.

Entra ID Console
a. Here you can see the duplicate accounts that were created from AD and from other applications.
b. This mirrors what happens with SailPoint: one account is created from AD by the sync process.
c. The other account is created through the SailPoint provisioning process.

Conclusion
Understanding the synchronization link between Active Directory (AD) and Entra ID is crucial to avoiding duplicate accounts in Entra ID when provisioning with SailPoint ISC.
Allowing SailPoint to provision directly to Entra ID results in redundant accounts because Entra ID already receives user objects from AD.
Using a conditional provisioning approach and dividing responsibilities allows us to:
Make sure that only AD performs the CREATE operation.
Rely on the native AD → Entra ID sync to create the user in Entra ID.
Provision access entitlements in Entra ID only after the AD-to-Entra sync has finished, using a delayed MODIFY operation or workflow logic.
This method guarantees:
No duplicate accounts in Entra ID.
More streamlined and consistent provisioning processes.
Improved governance alignment and quicker troubleshooting.