0 votes

How to deal with approval requests in an AD and AAD environment?

I have recently created a workflow where I log on as an AD user and request to be a member of an AAD group. The workflow works and sends an approval request.

The problem however is that the AAD user (manager of the AAD group) receives the approval request. If I log on with that user it logs me on as the AD user and not the AAD user. Adaxes makes no effort in "combining" the user accounts to my knowledge.

How do I deal with this?

I might as well note that if I, as an admin, approve the request, the adding of the member works even though the initial request was based on an AD user and not an AAD user.

by (100 points)

1 Answer

0 votes
by (272k points)

Hello Daniel,

This behaviour is by design. Also, you should know that for now, Azure AD users cannot log in to Adaxes. As such, you should only specify on-premises AD users as approvers.

0

I think I might have been unclear.

The initiator/requestor is a synchronized user and has both AD and AAD user accounts. Both are in Adaxes.

The approver is a synchronized user and has both AD and AAD user accounts. Both are in Adaxes.

The security group is purely AAD based, has the approver as manager.

When logging on as the approver the approval is nowhere to be seen because Adaxes treats the AD and AAD as two different user accounts.

Is this still impossible?

0

Hello Daniel,

Yes, that is correct. The accounts are treated as separate ones. The Azure AD account is specified as the approver, but you log in with the credentials of the on-premises AD account. As such, the logged-on user is not the approver and does not see the request.

0

I understand from your answer that you understand the dilemma but what is the answer to the problem?

Is there a workaround?

Is it simply not supported right now?

0

Hello Daniel,

As we mentioned in the initial reply, you can specify Azure AD users as approvers for requests in Adaxes and it will work just fine. The thing is that they will never be able to process the requests as they are not allowed to log in to Adaxes. There is currently no workaround for the behavior.
