Automate user provisioning

With Adaxes you can reduce the number of onboarding steps by automating the tasks that must be performed after creating a new user. For example, Adaxes can automatically add a new user to groups that correspond to the user's job functions, move the user to the organizational unit associated with their office, create an Exchange mailbox, assign Microsoft 365 licenses, send a welcome email, execute a PowerShell script, etc.

To automatically perform actions when a certain event takes place, you need to use business rules. If you want to automate the processes related to user provisioning, use a business rule triggered when a new user is created.

Out of the box, Adaxes provides a built-in business rule, After user creation. In this tutorial, you will learn how to configure and activate the rule.

  1. Launch Adaxes Administration console.

     How:
    • On the computer where Adaxes Administration console is installed, open the Windows Start menu.

    • Click Adaxes Administration Console.

  2. Expand Adaxes service \ Configuration \ Business Rules \ Builtin and select After user creation.

  3. Delete the actions you don't need. Review and change the settings of other actions.

    To add an action, right-click an action set, and then click Add Action in the context menu.

    Approvals

    Actions executed by business rules can be submitted for approval. For example, you may want Microsoft 365 licenses to be assigned only after an approval is granted by the manager of the new user or an administrator.

     How:
    • Right-click the action you want approval to be requested for.

    • In the context menu, click Edit Action.

    • In the Edit Action dialog, select the Get approval for this action checkbox.

    • Specify the approvers and click OK.

  4. To execute particular actions only if certain conditions are met, you need to place those actions in a separate action set, and specify the conditions within that set.

    • Click Add new action set.

    • To add a condition to the new set, right-click it, and then click Add Condition in the context menu.

    • To add an action to the set, right-click it and then click Add Action in the context menu.

      For example, you can set the account expiration date to the current date plus one month if the Employee Type property of the new user account equals Subcontractor.

    Else If and Else blocks

    You can use Else If and Else blocks to avoid duplication of conditions for different sets of related but mutually exclusive actions. For example, if you want to perform different actions based on the user department, in order not to duplicate the If the operation succeeded condition for each set of actions, you can check the operation status only once in the If block.

    It is recommended that you never remove the condition that checks the user creation status. Otherwise, Adaxes will attempt to execute the actions in a business rule even if user creation fails.

    The Else block is useful when you need to, for example, perform some specific actions for the IT and Sales departments, and different actions for all other departments.

    To add Else If and Else blocks to a set of actions, right-click it and then click the corresponding option in the context menu.

    To move an Else If block up and down, select it, and use the buttons. To move the whole block, make sure no actions and conditions are selected.

    Regular expressions

    You can use regular expressions in conditions to match user account properties against patterns. For example, with the help of regular expressions you can distribute home folders among multiple servers based on the first letter of the user's last name.

    To do this, use the If <property> <relation> <value> condition. To perform an action only for users whose last name starts with the letters A to F, specify the condition parameters as follows:

    The same approach can be used to distribute on-premises Exchange mailboxes across different databases.

  5. It is possible to share actions and conditions between different business rules and scheduled tasks. For example, if users are added to groups based on their department, the same actions and conditions must be used when a new user account is created and when the department of an existing user is changed.

    You can share such workflows with the help of custom commands. For instance, you can create a command that contains the logic (i.e., the actions and conditions) you need to share, and then execute the command in different business rules and scheduled tasks.

  6. By default, the After user creation rule is applied to the All Objects scope. This means the rule will trigger when a user is created in any organizational unit in any domain managed by Adaxes.

    You can exclude specific organizational units and domains from the activity scope of the business rule. For example, if you don't want the rule to trigger when a user account is created in the organizational unit dedicated to service accounts, exclude that organizational unit from the scope.

     Step by step:
    • In the Activity Scope section, click Add.

    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude the selection option.

    • Click OK.

    Alternatively, you can apply the business rule to specific organizational units and domains only. To do it, delete the All Objects assignment from the activity scope, and then include the organizational units and domains you need.

     Step by step:
    • Right-click All Objects and then click Delete in the context menu.

    • In the Activity Scope section, click Add.

    • Select a domain or organizational unit.

    • If you selected an organizational unit, select One level in the Assignment Options dialog if you want the business rule to trigger only if a user is created directly in the selected organizational unit.

    • Click OK.

  7. Click Save changes.

  8. By default, the After user creation rule is disabled. To enable the rule, right-click it, point to All Tasks, and click Enable.

Business rules trigger only for operations performed via Adaxes. To handle changes made outside of Adaxes, e.g. using Active Directory Users and Computers or Microsoft Entra portal, you can use scheduled tasks.
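
The regular-expression condition from step 4, as an added PowerShell example (not part of the Adaxes documentation or product code): it extends the A to F case to a full set of buckets, anchors each pattern with ^ so that only the first letter counts, rejects overlapping patterns, and sends unmatched names to a default server. The function name, bucket ranges and server names are assumptions made for illustration.

```powershell
# Added example. Bucket ranges and server names are illustrative placeholders.
$Buckets = @(
    [pscustomobject]@{ Pattern = '^[A-F]'; Server = 'FILESERVER-1-PLACEHOLDER' }
    [pscustomobject]@{ Pattern = '^[G-M]'; Server = 'FILESERVER-2-PLACEHOLDER' }
    [pscustomobject]@{ Pattern = '^[N-Z]'; Server = 'FILESERVER-3-PLACEHOLDER' }
)
$DefaultServer = 'FILESERVER-DEFAULT-PLACEHOLDER'

function Get-HomeFolderServer {
    param(
        [string]$LastName,
        [Parameter(Mandatory)][object[]]$Buckets,
        [Parameter(Mandatory)][string]$DefaultServer
    )
    # Trim so a stray leading space does not push the user into the default bucket.
    $name = $LastName.Trim()
    # -match is case-insensitive, so 'adams' and 'Adams' land in the same bucket.
    $hits = @($Buckets | Where-Object { $name -match $_.Pattern })
    if ($hits.Count -gt 1) {
        # Overlapping patterns would make the target server depend on rule order.
        throw "Overlapping patterns for '$name': $($hits.Pattern -join ', ')"
    }
    if ($hits.Count -eq 1) { return $hits[0].Server }
    # Empty names and initials outside A-Z (for example digits) end up here.
    return $DefaultServer
}

# Constructed sample last names, including edge cases.
$samples = 'Adams', 'farrell', 'Zhang', ' Baker', '3Com', ''
foreach ($s in $samples) {
    [pscustomobject]@{
        LastName   = $s
        Server     = Get-HomeFolderServer -LastName $s -Buckets $Buckets -DefaultServer $DefaultServer
        # An unanchored class matches a letter anywhere in the name, not just the first.
        Unanchored = $s -match '[A-F]'
    }
}
```

In a business rule, each bucket would correspond to one condition with its own set of actions, and the default case to an Else block.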
