Sample Workflow Triggers

Azure AD

New User

New user added to MSOnline cloud tenant

There are three conditions here, joined by AND operators. Respectively they:

  1. Make sure the object being saved is in the MSOnline silo (not Exchange). We already know it's a Cloud Record from the Context Type.
  2. Make sure it's a User object (as opposed to AccountSku or Group)
  3. Check the most recent Change (which is always at index 0), and make sure that the ModificationType contains the "Add" flag.

Context Type: Cloud Record

// object silo is Office 365: MSOnline
(context.SearchIndex == special.Search Silo.Office 365: MSOnline)
(context.ObjectType == "User")
// most recent change was an add operation
(BitAnd(context.Changes.0.ModificationType, special.Object Change Type.Add) > 0)

Scan Error

Azure Scan Record finishes with result other than "success"

Context Type: Azure Scan Record

context.Result != "success"

Health Check

Health Check failed, with at most one workflow being triggered per hour.

Because the && (and) operator short-circuits, Once() is only evaluated when the health check fails, and it returns true only the first time that happens within the window. The Once counter expires after an hour.

Context Type: Health Check

Not(context.Passed) &&
Once(true, "health check failed", "01:00:00")

Error Detail

New, previously unseen error.

Context Type: Error Detail


Sync Engine

Run History

MA has too many events of a particular type

There are two conditions:

  1. Make sure that the run history was for the AD MA
  2. Check that the Import Update counter was over 200

Context Type: MA Run Record

// limit to AD MA
(context.RecordOf == special.Search Silo.FIM: Active Directory)
// counter for import update
(context.Counters.special.Sync Counters.Import Update > 200)

Note: links to run history records can easily be embedded in an email message or event log entry.

One example would be to email a report of objects that are pending synchronization or export (depending on the counter involved), along with a link to the run history that triggered the workflow.


Password History

More than (n) password source syncs since the last password history scan

Context Type: Password Scan Record

context.Counters.special.Sync Counters.Password Source > 50

More than (n) password set errors

Context Type: Password Scan Record

context.Counters.special.Sync Counters.Password Error > 1

Object Changes

More than (n) sAMAccountName changes on a single import run from Active Directory.

This trigger is made of 5 separate expressions chained together with AND operators. Each expression is only evaluated if the previous expressions were true.

  1. Make sure that the sAMAccountName changed on the most recent modification
  2. Lookup the Run History that was the most recent Change Source, and verify that it was an Active Directory run
  3. Use the same Run History lookup, and verify that the Run Profile name contains "Import"
  4. Count how many times all three of the previous clauses are true. If it happened more than 5 times, then proceed.
  5. Make sure we only trigger the workflow once for this particular run.

Note: Due to the way scans are buffered, if this run modified more than 2,000 CS and MV objects, then the object save and processing might happen before the Run Record was saved, in which case we would be unable to look up the Run History to determine the MA and Run Profile.

Context Type: CS Record

(HistoryRef(context.Changes.0.ChangeSource).RecordOf == special.Search Silo.FIM: Active Directory)
(Count(true, context.Changes.0.ChangeSource, "1.00:00:00") > 5)
Once(true, context.Changes.0.ChangeSource, "1.00:00:00")
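A stand-alone model of the Count()/Once() throttling used by the Health Check and Object Changes triggers, added here as an illustration and not code from Identity Panel itself: parse_timespan, TriggerState (standing in for Count() and Once()), RUN_HISTORY (standing in for HistoryRef()) and the [d.]hh:mm:ss window format are assumptions reconstructed from the descriptions above, and the run history and CS record saves are constructed sample data.

```python
from collections import defaultdict

def parse_timespan(text):
    """Seconds from the page's [d.]hh:mm:ss window notation (assumed .NET TimeSpan form)."""
    days, _, clock = text.rpartition(".")
    h, m, s = (int(x) for x in clock.split(":"))
    return (int(days) if days else 0) * 86400 + h * 3600 + m * 60 + s

class TriggerState:
    def __init__(self):
        self.hits = defaultdict(list)  # key -> times the counted condition was true
        self.once_at = {}              # key -> time Once() last returned true

    def count(self, cond, key, window, now):
        if cond:
            self.hits[key].append(now)
        self.hits[key] = [t for t in self.hits[key] if now - t < window]
        return len(self.hits[key])

    def once(self, cond, key, window, now):
        last = self.once_at.get(key)
        if not cond or (last is not None and now - last < window):
            return False
        self.once_at[key] = now
        return True

# Constructed run-history lookup standing in for HistoryRef(): run id -> (MA, run profile)
RUN_HISTORY = {"run-42": ("FIM: Active Directory", "Delta Import"),
               "run-43": ("FIM: Active Directory", "Export")}
def object_changes_trigger(state, change, now, threshold=5, window=parse_timespan("1.00:00:00")):
    """True when the sAMAccountName trigger should fire for this CS record save (change = Changes.0)."""
    run_id = change["ChangeSource"]
    ma, profile = RUN_HISTORY.get(run_id, (None, ""))
    # `and` short-circuits like the page's &&, so Count()/Once() only see saves that passed the earlier clauses
    return ("sAMAccountName" in change["Attributes"]
            and ma == "FIM: Active Directory"
            and "Import" in profile
            and state.count(True, run_id, window, now) > threshold
            and state.once(True, run_id, window, now))

def simulate(events):
    """Run the trigger over (seconds, run id, changed attributes) saves; return the indexes that fired."""
    state, fired = TriggerState(), []
    for i, (now, run_id, attrs) in enumerate(events):
        if object_changes_trigger(state, {"ChangeSource": run_id, "Attributes": attrs}, now):
            fired.append(i)
    return fired
# Constructed sample: eight sAMAccountName changes from one AD import run, one from an export run,
# one non-sAMAccountName change. Only the sixth AD-import change (index 5) fires the workflow.
SAMPLE = [(i, "run-42", ["sAMAccountName"]) for i in range(8)] + [
    (8, "run-43", ["sAMAccountName"]), (9, "run-42", ["displayName"])]
```

Later saves on the same run still pass the Count() clause but are suppressed by Once() until the one-day window expires, which is the "trigger once per run" behaviour described above.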

Copyright © SoftwareIDM
