Automate User Provisioning


With Adaxes you can reduce the number of onboarding steps by automating group membership management tasks, provisioning of Exchange mailboxes, Office 365 licenses, Skype for Business accounts, home folders, etc. For example, when a new user account is created in Active Directory, Adaxes can automatically add it to groups that correspond to the user's job functions, move the account to the Organizational Unit associated with the user's office, create an Exchange mailbox and assign Office 365 licenses, send a welcome email, execute a PowerShell script, etc.

To automatically perform actions when a certain event takes place, you need to use Business Rules. If you want to automate the processes related to user provisioning, you need to use a Business Rule that gets triggered when a new user account is created in Active Directory.

In this tutorial, you will learn how to configure and activate the built-in Business Rule After User Creation.


  1. Launch Adaxes Administration Console.

    Expand Adaxes service \ Configuration \ Business Rules \ Builtin and select After User Creation.


  2. The actions performed by the Business Rule will be displayed on the right.



    Delete the actions you don't need. Review and change the default settings of other actions.



    To add an action, right-click the set of actions, and select Add Action in the context menu.




    Approvals

    Actions executed by Business Rules can be submitted for approval. For example, you may want Office 365 licenses to be assigned only after an approval is granted by the manager of the new user or an administrator.

    • Right-click the action for which you want an approval to be requested.
    • Click Edit Action in the context menu.


    • In the Edit Action dialog, check the Get approval for this action checkbox.


    • Specify the approvers and click OK.
  3. To execute an action only if certain conditions are met, you need to add the action to a separate set and assign the necessary conditions to it.

    • Click Add new action set.


    • To assign a condition to the new set, right-click it and select Add Condition in the context menu.


    • To add an action to the set, right-click it and select Add Action.

      In the following example, the account expiration date is set to the current date plus one month on the condition that the Employee Type property of the new user account equals Subcontractor.


    Else If and Else Blocks

    You can use Else If and Else blocks to avoid duplication of conditions for different sets of related but mutually exclusive actions. For example, if you want to perform different actions based on the user's department, in order not to duplicate the If the operation succeeded condition for each set of actions, you can check the operation status only once in the If block.




    The Else block is useful when you need to, for example, perform some specific actions for the IT and Sales departments, and different actions for all other departments.




    To add Else If and Else blocks to a set of actions, right-click it and select Add Else and Add Else If in the context menu.


    To move an Else If block up and down, select it, and use the buttons. To move the whole block, make sure no actions and conditions are selected.


    Regular Expressions

    You can use regular expressions in conditions to match user account properties against patterns. For example, with the help of regular expressions you can distribute home folders among multiple servers based on the first letter of the user's last name. To do it, you need to use the If <property> <relation> <value> condition. To perform an action only for users whose last name starts with the letters A to F, specify the condition parameters as follows:

     Last Name - matches regexp - ^[a-f]



    The same approach can be used to distribute Exchange mailboxes across different databases.


  4. It is possible to share actions and conditions between different Business Rules and Scheduled Tasks. For example, if users are added to groups based on their department, the same actions and conditions must be used when a new user account is created and when the department of an existing user is changed.

    The sharing can be done by using Custom Commands. You can create a Custom Command that will contain the actions and conditions you need to share, and then execute the Custom Command in different Business Rules and Scheduled Tasks.


  5. By default, the After User Creation rule is applied to the All Objects scope. This means it will trigger when a user is created in any Organizational Unit in any domain managed by Adaxes.


    You can exclude specific Organizational Units and domains from the activity scope of the Business Rule. For example, if you don't want the Business Rule to trigger when a user account is created in the Organizational Unit dedicated to service accounts, you can exclude the Organizational Unit from the scope.

    • Click Add in the Activity Scope section.


    • Click the object you want to exclude.


    • In the Assignment Options dialog, select the Exclude option.


    • Click OK.

    Alternatively, you can apply the Business Rule to specific Organizational Units and domains only. To do it, you need to delete the All Objects assignment from the activity scope, and then include the Organizational Units and domains you need in the activity scope.

    • Right-click All Objects and select Delete in the context menu.


    • Click Add in the Activity Scope section.


    • Click a domain or Organizational Unit.


    • If you selected an Organizational Unit, select One level in the Assignment Options dialog if you want the Business Rule to trigger only if a user is created directly under the selected Organizational Unit.


    • Click OK.
  6. Click Save changes.

  7. By default, the After User Creation rule is disabled. To enable it, right-click it, point to All Tasks, and click Enable.

Business Rules are triggered only for operations performed via Adaxes. To handle changes made outside of Adaxes, e.g. using Active Directory Users and Computers, you can use Scheduled Tasks.
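
The regular-expression distribution from step 3 can be checked offline before the conditions go into a Business Rule. The script below is an added example, not part of Adaxes or of the original tutorial: it tests a set of first-letter patterns in the page's ^[a-f] form against sample last names and reports names that match no pattern or more than one. The server paths, the other three letter ranges and the sample names are assumptions, and it uses PowerShell's case-insensitive -match; this page does not state how the matches regexp relation treats case.

```powershell
# Added example. Patterns follow the page's ^[a-f] form; the other ranges
# and all server paths are hypothetical.
$Buckets = [ordered]@{
    '^[a-f]' = '\\fs01.example.com\home$'
    '^[g-m]' = '\\fs02.example.com\home$'
    '^[n-s]' = '\\fs03.example.com\home$'
    '^[t-z]' = '\\fs04.example.com\home$'
}
# Where a name goes when no pattern matches (the role an Else block plays in a rule).
$Fallback = '\\fs01.example.com\home$'

function Get-HomeFolderServer {
    param([string]$LastName)

    # -match ignores case, so 'adams' and 'Adams' land in the same bucket.
    $hits = @($Buckets.Keys | Where-Object { $LastName -match $_ })

    if ($hits.Count -gt 1) {
        # Overlapping ranges would make the chosen server depend on rule order.
        throw "Overlapping patterns for '$LastName': $($hits -join ', ')"
    }
    if ($hits.Count -eq 0) {
        return [pscustomobject]@{ LastName = $LastName; Rule = 'fallback'; Server = $Fallback }
    }
    [pscustomobject]@{ LastName = $LastName; Rule = $hits[0]; Server = $Buckets[$hits[0]] }
}

# Constructed sample names covering the edge cases: lower case, apostrophe,
# non-ASCII initial, leading space, leading digit, empty value.
$Samples = @(
    'Adams', 'farrow', 'Garcia', "O'Brien", 'de la Cruz',
    "$([char]0xD6)stberg",   # O with diaeresis, built from its code point
    ' Smith', '3Com', ''
)

$Results = $Samples | ForEach-Object { Get-HomeFolderServer $_ }
$Results | Format-Table -AutoSize

# Names that only the fallback caught: each one needs an explicit decision.
$Results | Where-Object Rule -eq 'fallback' |
    ForEach-Object { Write-Warning "No pattern matched '$($_.LastName)'" }
```

Names that start with a non-ASCII letter, a digit or a space, and empty values, match none of the letter ranges, so the rule needs an Else block (or an explicit pattern) if every new account is to receive a home folder.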
