Skip to content

Isuruvh/entra-graph-python-samples2

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

26 Commits
api
api
Β 
Β 
exports
exports
Β 
Β 
groups
groups
Β 
Β 
hr
hr
Β 
Β 
licenses
licenses
Β 
Β 
scim
scim
Β 
Β 
users
users
Β 
Β 
webui
webui
Β 
Β 
.gitignore
.gitignore
Β 
Β 
New Text Document.txt
New Text Document.txt
Β 
Β 
README.md
README.md
Β 
Β 
__init__.py
__init__.py
Β 
Β 
auth.py
auth.py
Β 
Β 
config.json
config.json
Β 
Β 
config.py
config.py
Β 
Β 
graph_groups.py
graph_groups.py
Β 
Β 
graph_license.py
graph_license.py
Β 
Β 
graph_licenses.py
graph_licenses.py
Β 
Β 
graph_roles.py
graph_roles.py
Β 
Β 
graph_users.py
graph_users.py
Β 
Β 
import logging.py
import logging.py
Β 
Β 
logger.py
logger.py
Β 
Β 
main.py
main.py
Β 
Β 
main_color.py
main_color.py
Β 
Β 
main_logging.py
main_logging.py
Β 
Β 
orchestrator.py
orchestrator.py
Β 
Β 
requirements.txt
requirements.txt
Β 
Β 
run_api.py
run_api.py
Β 
Β 
run_demo.py
run_demo.py
Β 
Β 
scim_storage.json
scim_storage.json
Β 
Β 
settings.json
settings.json
Β 
Β 
test.py
test.py
Β 
Β 
test_groups.py
test_groups.py
Β 
Β 
user_wizard.py
user_wizard.py
Β 
Β 
utils.py
utils.py
Β 
Β 
workday_feed.json
workday_feed.json
Β 
Β 

Repository files navigation

πŸ“˜ IAM Automation Platform β€” Architecture Overview

The IAM Automation Platform is a modular, event‑driven system that integrates:

  • Workday (HR events)
  • SCIM provisioning
  • Microsoft Graph (identity + M365)
  • Azure Resource Manager (ARM)
  • FastAPI backend
  • Streamlit Web UI
  • Entra ID authentication

The platform automates Joiner–Mover–Leaver (JML) lifecycle events and provides a secure, web‑based interface for identity operations.

🧠 High‑Level Architecture

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                     Streamlit Web UI                         β”‚
β”‚     (New Hire, Update, Termination, CSV Upload, Admin Tools) β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                              β”‚
                              β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                       FastAPI Backend                        β”‚
β”‚  /hr/*   /scim/*   /graph/*   (REST API for all operations)  β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                              β”‚
                              β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                     IAM Orchestrator                         β”‚
β”‚  - Workday event parsing                                      β”‚
β”‚  - SCIM provisioning                                           β”‚
β”‚  - Graph automation                                            β”‚
β”‚  - License + group assignment                                  β”‚
β”‚  - Termination workflows                                       β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                              β”‚
         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
         β–Ό                                           β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”            β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚     Microsoft Graph      β”‚            β”‚ Azure Resource Manager   β”‚
β”‚ Identity + M365 Control  β”‚            β”‚ Azure Infrastructure API β”‚
β”‚ Users, Groups, Roles     β”‚            β”‚ VMs, Storage, VNets      β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜            β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
         β”‚                                           β”‚
         β–Ό                                           β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”            β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚         SCIM API         β”‚            β”‚      Azure Resources     β”‚
β”‚ Workday β†’ Entra ID Sync  β”‚            β”‚ (Optional automation)    β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜            β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

πŸ” Authentication & Authorization

The platform uses Entra ID for:

  • User login (OIDC)
  • MFA
  • Conditional Access
  • Token issuance (Graph + ARM)
  • Role‑based access control (RBAC)

Token Types

Token Type Used For API
Graph Token Identity + M365 graph.microsoft.com
ARM Token Azure resources management.azure.com

πŸ”„ Lifecycle Automation (JML)

The IAM Orchestrator handles:

  • Joiner β†’ SCIM create β†’ Graph sync β†’ license + group assignment
  • Mover β†’ attribute updates β†’ group/role re‑evaluation
  • Leaver β†’ disable β†’ license removal β†’ group cleanup

🧩 Technology Stack

Layer Technology
UI Streamlit
Backend FastAPI
Identity Entra ID (OIDC)
Provisioning SCIM 2.0
Directory Microsoft Graph
Infra Azure ARM
Auth Library MSAL
Language Python

πŸš€ Key Features

  • Automated provisioning (Workday β†’ SCIM β†’ Entra ID)
  • Graph‑based identity automation
  • Azure ARM integration (optional)
  • Secure login with Entra ID
  • CSV bulk provisioning
  • Admin tools for identity operations
  • Modular, extensible architecture

🧩 JML Lifecycle Flow

JOINER (New Hire)

  1. Workday Event: Hire or Pre‑Hire
  2. Workday sends SCIM β†’ Entra ID (user created in provisioning state)
  3. IAM Orchestrator receives event via /hr/new-hire
  4. Orchestrator performs:
    • SCIM Create (if needed)
    • Graph user creation (if SCIM not authoritative)
    • Attribute population (title, department, manager)
    • Group assignment (dynamic + static)
    • License assignment (M365, Teams, SharePoint, Intune)
    • Role assignment
  5. Notifications / logging
  6. User becomes Active in Entra ID
  7. User signs in (MFA + Conditional Access)

MOVER (Update)

  1. Workday Event: Job Change, Department Change, Manager Change
  2. Workday sends SCIM β†’ Entra ID (user updated)
  3. IAM Orchestrator receives event via /hr/update
  4. Orchestrator performs:
    • Attribute updates
    • Group re‑evaluation
    • License re‑evaluation
    • Role re‑evaluation
    • Manager‑based access updates
  5. Notifications / logging
  6. User continues with updated access

LEAVER (Termination)

  1. Workday Event: Termination or End Employment
  2. Workday sends SCIM β†’ Entra ID (user disabled in provisioning)
  3. IAM Orchestrator receives event via /hr/termination
  4. Orchestrator performs:
    • Disable account in Entra ID
    • Remove all licenses
    • Remove all group memberships
    • Remove all roles
    • Reset password / block sign‑in
    • Archive mailbox / OneDrive (optional)
    • Notify manager / HR (optional)
  5. Notifications / logging
  6. User becomes Disabled / Deleted (based on retention policy)

🧩 Supporting Systems

  • Streamlit Web UI (manual overrides, admin tools)
  • FastAPI Backend (API gateway)
  • IAM Orchestrator (business logic)
  • Microsoft Graph (identity + M365)
  • SCIM (Workday β†’ Entra ID provisioning)
  • Azure ARM (optional infra automation)
  • Entra ID (authentication, MFA, CA)

πŸ” Token Flow Architecture

USER β†’ STREAMLIT UI LOGIN

  1. User opens Streamlit UI
  2. Streamlit redirects to Entra ID (OIDC Authorization Code Flow)
  3. User completes:
    • Password
    • MFA
    • Conditional Access
  4. Entra ID returns:
    • ID Token
    • Authorization Code
  5. Streamlit exchanges code for:
    • ID Token
    • Access Token (optional)
    • Refresh Token (optional)

STREAMLIT β†’ FASTAPI BACKEND

  1. Streamlit sends API requests to FastAPI
  2. FastAPI validates the token
  3. FastAPI does not use the user’s token for automation
    • It uses its own service principal

FASTAPI β†’ ENTRA ID (MSAL)

  1. FastAPI requests:

A. Graph Access Token

Scope: https://graph.microsoft.com/.default

B. ARM Access Token

Scope: https://management.azure.com/.default

  1. Entra ID returns:
  • Access Token (Graph)
  • Access Token (ARM)
  • Refresh Token (service principal)

IAM ORCHESTRATOR β†’ GRAPH / ARM / SCIM

Graph Token used for:

  • Create / update / disable user
  • Assign licenses
  • Assign groups
  • Assign roles

ARM Token used for:

  • Azure resource automation
  • RBAC assignments
  • Key Vault operations
  • Storage operations

SCIM used for:

  • Workday β†’ Entra ID provisioning

πŸ”‘ Token Types Summary

ID Token

  • Used by Streamlit UI
  • Identifies the logged‑in user

Access Token (Graph)

  • Used by backend to call Microsoft Graph

Access Token (ARM)

  • Used by backend to call Azure Resource Manager

Refresh Token

  • Used by backend service principal to silently renew tokens

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages