Use workflow script to modify Azure attribute of removed member (disabling)

Question

Good morning 
 I am a beginner in ARS Workflows.... 
 I have a use case where an account which is synched from AD on-Premise to Azure is disabled on premise and must be immediately disabled on Azure without waiting for next the AAD synch run. 
 i know how to script this with Ms.Graph but i don't know how to retrieve the DN of the removed member and transfer it to this script as parameter. 
 
 can you please recommend me a way to achieve this? 
 
 thanks

JohnnyQuest · Accepted Answer

Ah OK - I would create a Change Workflow that detects the disabling of the on-premise user. For the start condition , you want to detect where edsaUserEnabled is FALSE from Requested Changes 
 (In the start conditions for the workflow, you may also want to select which OU's to "watch" in case you don't want the workflow to react to ALL account disables) Attribute change trigger Selection of changed attribute in transaction 
 Full workflow start condition including sample OU filter 
 Here's a snippet of code to determine UPN of the user being disabled: (You can just add the additional code to disable the Azure user. Then add this as a script module (Policy Script type) into Active Roles and reference it in a Script Activity that is added to the above mentioned Change Workflow) 
 Function TrapDisableAndDisableAzureUser ($Request)
{

# $DirObj gives you access to the Active Roles in-process AD user object

$DisabledUserUPN = $DirObj.get("userprincipalname")

# Add code below to disable this user in Azure

}

Use workflow script to modify Azure attribute of removed member (disabling)

Top Replies