I have written an offboarding Workflow for immediate terminations. The sequence of events is as follows:
Here is my problem. The HR user only sees that the job is complete; they do not see if there were errors during execution. I have logging configured throughout the script and I want to send an email to the user who triggered the Workflow in step 1 above, but I cannot find a way to get that user's UPN when they triggered the Workflow. How can I get the UPN of the person who is activating an Entra ID Identity Governance Lifecycle Workflow?
Initially, I created one sample Entra ID Identity Governance Lifecycle Workflow as below:
To know who activated the workflow, you can check the Audit logs of Lifecycle Workflows by filtering on specific activities and categories:
To get these details via the Graph API, you can run the GET request below in Graph Explorer, filtering on the specific activity name you need:
```http
GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=category eq 'WorkflowManagement' and loggedByService eq 'Lifecycle Workflows' and activityDisplayName eq 'Set workflow for on-demand execution' and targetResources/any(tr:tr/displayName eq 'Workflow Name')
```
Response:
Alternatively, you can make use of the PowerShell script below to get the UPN of the person who is activating the Lifecycle workflow:
```powershell
# Connect to Microsoft Graph with the permission needed to read audit logs
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Filter for Lifecycle Workflow audit events with the specific activity name and target workflow name
$targetResourceDisplayName = "Immediate termination" # Replace with your workflow name
$filterQuery = "category eq 'WorkflowManagement' and loggedByService eq 'Lifecycle Workflows' and activityDisplayName eq 'Set workflow for on-demand execution' and targetResources/any(tr:tr/displayName eq '$targetResourceDisplayName')"

# Retrieve the matching audit log entries (-All follows paging so older entries are not missed)
$auditLogs = Get-MgAuditLogDirectoryAudit -Filter $filterQuery -All

# Extract and display the UPN of the user who initiated each workflow run and the target resource name
foreach ($log in $auditLogs) {
    $initiatorUPN = $log.InitiatedBy.User.UserPrincipalName
    $targetName   = $log.TargetResources[0].DisplayName   # separate variable so the filter value is not overwritten
    Write-Output "Lifecycle Workflow initiated by: $initiatorUPN on target resource: $targetName"
}
```
Response:
Reference:
Auditing Lifecycle Workflows - Microsoft Entra ID Governance
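As an added example (not part of the answer above), the same audit-log lookup written in Python so an offboarding script can pick the right record and mail the right person: it builds the `$filter` with OData quoting so a workflow name containing a single quote cannot alter the query, then selects the most recent entry for the named workflow that was initiated by a user rather than an app. The sample response is constructed to show the shape of the Graph reply; the HTTP call itself (with a bearer token) is left to the caller.

```python
from datetime import datetime
from urllib.parse import urlencode

GRAPH_AUDITS = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits"
ACTIVITY = "Set workflow for on-demand execution"

def odata_literal(value: str) -> str:
    """Quote a string for an OData $filter. A single quote is escaped by doubling it,
    so a name such as O'Brien offboarding cannot break out of the string literal."""
    return "'" + value.replace("'", "''") + "'"

def build_audit_url(workflow_name: str) -> str:
    """Same filter as the answer above, with the workflow name safely quoted and URL-encoded."""
    flt = ("category eq 'WorkflowManagement' and loggedByService eq 'Lifecycle Workflows' "
           f"and activityDisplayName eq {odata_literal(ACTIVITY)} "
           f"and targetResources/any(tr:tr/displayName eq {odata_literal(workflow_name)})")
    return GRAPH_AUDITS + "?" + urlencode({"$filter": flt})

def latest_initiator_upn(response: dict, workflow_name: str):
    """Return the UPN of the user who most recently activated workflow_name, or None.
    Sorts client-side by activityDateTime and skips entries initiated by an app
    (initiatedBy.user is null) or that do not name the workflow, so a stale or
    unrelated audit record is never used as the mail recipient."""
    best = None
    for entry in response.get("value", []):
        if entry.get("activityDisplayName") != ACTIVITY:
            continue
        names = {t.get("displayName") for t in entry.get("targetResources", [])}
        if workflow_name not in names:
            continue
        user = (entry.get("initiatedBy") or {}).get("user") or {}
        upn = user.get("userPrincipalName")
        if not upn:
            continue
        when = datetime.fromisoformat(entry["activityDateTime"].replace("Z", "+00:00"))
        if best is None or when > best[0]:
            best = (when, upn)
    return best[1] if best else None

# Constructed sample with the shape of a directoryAudits response; not data from a real tenant.
SAMPLE_RESPONSE = {"value": [
    {"activityDisplayName": ACTIVITY, "activityDateTime": "2024-05-01T09:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "hr.alice@example.com"}, "app": None},
     "targetResources": [{"displayName": "Immediate termination"}]},
    {"activityDisplayName": ACTIVITY, "activityDateTime": "2024-05-02T10:30:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "hr.bob@example.com"}, "app": None},
     "targetResources": [{"displayName": "Immediate termination"}]},
    {"activityDisplayName": ACTIVITY, "activityDateTime": "2024-05-03T08:00:00Z",
     "initiatedBy": {"user": None, "app": {"displayName": "Automation SP"}},
     "targetResources": [{"displayName": "Immediate termination"}]},
]}

if __name__ == "__main__":
    print(build_audit_url("Immediate termination"))
    print(latest_initiator_upn(SAMPLE_RESPONSE, "Immediate termination"))  # hr.bob@example.com
```

The app-initiated entry on 2024-05-03 is newer but has no user, so the function falls back to the most recent human initiator; if the workflow was only ever run by an app, it returns None and the caller should route the failure notice to a fixed mailbox instead.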