EmpowerID Admin Lab 11: Create an Entra ID Provisioning Policy

Purpose

This lab guides you through creating a provisioning policy for an Azure Entra ID account store, so that EmpowerID provisions accounts for the people in scope and manages their entitlements through the Resource Entitlement (RET) process.


Prerequisites

  1. Access to the EmpowerID training environment.
  2. An Azure Entra ID account store already connected.

Steps

1. Disable Resource Entitlement Processing

  1. Navigate to Infrastructure Admin > EmpowerID Servers > Server Roles.
  2. Locate the All-In-One Server Role.
  3. Search for the Resource Entitlement Inbox Processor Job and remove it from the server role.
    • With the processor job removed, creating the policy still causes the resource entitlement records to be calculated, but they are not processed (no accounts are created or changed) until the job is added back.
  4. Navigate to IM Shop > Self-Service Workflows > Recycle Service Environment and execute it to recycle the services and stop the job.

2. Create a Provisioning Policy

  1. Navigate to Identity Lifecycle > Provisioning Policies.
  2. Click the + button to create a new policy.
  3. Configure the policy:
    • Object Type: Azure AD User
    • Name: Entra ID Account
    • Tenant: Select the connected Entra ID tenant.
    • Email Suffix: Auto-populated based on tenant settings.
    • Leave the throttling settings as default.
    • On Claim Action: Do Nothing.
    • On Revoke Action: Disable.
  4. Save the provisioning policy.

3. Scope the Provisioning Policy

  1. Return to the Provisioning Policies page and open the created policy.
  2. In the Assignees section at the bottom of the page, assign the scope:
    • Scope Type: Business Role and Location
    • Select All Employee Roles under HR flat file locations.
    • Select All Business Locations for locations.
    • Leave the priority as 100.
  3. Save the scope settings.

4. Monitor Resource Entitlement Evaluation

  1. Navigate to Provisioning Inbox > RET Inbox.
  2. Wait for the resource entitlement recalculation job to populate records.
  3. Verify the job status in Admin > Account Stores and Systems > Job History:
    • Search for Resource Entitlement Recalculation Job.
    • Confirm it runs successfully.
  4. Once records appear in the inbox, verify that policies are assigned correctly.

5. Enable Resource Entitlement Processing

  1. Navigate back to Infrastructure Admin > EmpowerID Servers > Server Roles.
  2. Add the Resource Entitlement Inbox Processor Job back to the All-In-One Server Role.
    • Note: No need to recycle the environment when adding jobs.
  3. Allow the job to process the records automatically.

6. Verify Results

  1. Navigate to Provisioning Inbox and confirm records are processed.
  2. Validate account creations:
    • Check System Logs > New Objects to confirm that new Entra ID accounts were created, if any were expected.
  3. Ensure existing records are processed correctly, with no unnecessary new accounts created.

Notes

  • Removing the Resource Entitlement Inbox Processor Job from the server role before creating the policy lets you review the calculated records in the RET Inbox before any account is created or changed.
  • Ensure the email suffix settings are configured correctly for the tenant, since the policy auto-populates the suffix from them.
  • Monitor job statuses and logs to confirm that records are processed without errors.

Completion

Once all provisioning records are processed and accounts are created or updated correctly, this lab is complete. Proceed to the next lab for additional EmpowerID configurations and features.
