The IAM Automation Platform is a modular, event‑driven system that integrates:
- Workday (HR events)
- SCIM provisioning
- Microsoft Graph (identity + M365)
- Azure Resource Manager (ARM)
- FastAPI backend
- Streamlit Web UI
- Entra ID authentication
The platform automates Joiner–Mover–Leaver (JML) lifecycle events and provides a secure, web‑based interface for identity operations.
```text
┌──────────────────────────────────────────────────────────────┐
│ Streamlit Web UI                                             │
│ (New Hire, Update, Termination, CSV Upload, Admin Tools)     │
└──────────────────────────────┬───────────────────────────────┘
                               │
                               ▼
┌──────────────────────────────────────────────────────────────┐
│ FastAPI Backend                                              │
│ /hr/*  /scim/*  /graph/*  (REST API for all operations)      │
└──────────────────────────────┬───────────────────────────────┘
                               │
                               ▼
┌──────────────────────────────────────────────────────────────┐
│ IAM Orchestrator                                             │
│ - Workday event parsing                                      │
│ - SCIM provisioning                                          │
│ - Graph automation                                           │
│ - License + group assignment                                 │
│ - Termination workflows                                      │
└──────────────────────────────┬───────────────────────────────┘
                               │
             ┌─────────────────┴────────────────┐
             ▼                                  ▼
┌──────────────────────────┐       ┌──────────────────────────┐
│ Microsoft Graph          │       │ Azure Resource Manager   │
│ Identity + M365 Control  │       │ Azure Infrastructure API │
│ Users, Groups, Roles     │       │ VMs, Storage, VNets      │
└────────────┬─────────────┘       └────────────┬─────────────┘
             │                                  │
             ▼                                  ▼
┌──────────────────────────┐       ┌──────────────────────────┐
│ SCIM API                 │       │ Azure Resources          │
│ Workday → Entra ID Sync  │       │ (Optional automation)    │
└──────────────────────────┘       └──────────────────────────┘
```
The platform uses Entra ID for:
- User login (OIDC)
- MFA
- Conditional Access
- Token issuance (Graph + ARM)
- Role‑based access control (RBAC)
| Token Type | Used For | API |
|---|---|---|
| Graph Token | Identity + M365 | graph.microsoft.com |
| ARM Token | Azure resources | management.azure.com |
The IAM Orchestrator handles:
- Joiner → SCIM create → Graph sync → license + group assignment
- Mover → attribute updates → group/role re‑evaluation
- Leaver → disable → license removal → group cleanup
| Layer | Technology |
|---|---|
| UI | Streamlit |
| Backend | FastAPI |
| Identity | Entra ID (OIDC) |
| Provisioning | SCIM 2.0 |
| Directory | Microsoft Graph |
| Infra | Azure ARM |
| Auth Library | MSAL |
| Language | Python |
Key features:
- Automated provisioning (Workday → SCIM → Entra ID)
- Graph‑based identity automation
- Azure ARM integration (optional)
- Secure login with Entra ID
- CSV bulk provisioning
- Admin tools for identity operations
- Modular, extensible architecture
Joiner flow (Hire / Pre‑Hire):
- Workday Event: Hire or Pre‑Hire
- Workday sends SCIM → Entra ID (user created in provisioning state)
- IAM Orchestrator receives the event via /hr/new-hire
- Orchestrator performs:
  - SCIM Create (if needed)
  - Graph user creation (if SCIM not authoritative)
  - Attribute population (title, department, manager)
  - Group assignment (dynamic + static)
  - License assignment (M365, Teams, SharePoint, Intune)
  - Role assignment
  - Notifications / logging
- User becomes Active in Entra ID
- User signs in (MFA + Conditional Access)
Mover flow (Job / Department / Manager Change):
- Workday Event: Job Change, Department Change, Manager Change
- Workday sends SCIM → Entra ID (user updated)
- IAM Orchestrator receives the event via /hr/update
- Orchestrator performs:
  - Attribute updates
  - Group re‑evaluation
  - License re‑evaluation
  - Role re‑evaluation
  - Manager‑based access updates
  - Notifications / logging
- User continues with updated access
Leaver flow (Termination / End Employment):
- Workday Event: Termination or End Employment
- Workday sends SCIM → Entra ID (user disabled in provisioning)
- IAM Orchestrator receives the event via /hr/termination
- Orchestrator performs:
  - Disable account in Entra ID
  - Remove all licenses
  - Remove all group memberships
  - Remove all roles
  - Reset password / block sign‑in
  - Archive mailbox / OneDrive (optional)
  - Notify manager / HR (optional)
  - Notifications / logging
- User becomes Disabled / Deleted (based on retention policy)
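The leaver steps above, as an added example that is not the project's own code: the orchestrator blocks sign-in first and only then strips entitlements, and a re-run is harmless. `FakeGraphClient`, `DirectoryUser` and the sample user are constructed stand-ins for the real Graph calls, and the session-revocation step is an assumption beyond the page's list.

```python
from dataclasses import dataclass, field


@dataclass
class DirectoryUser:
    """Constructed stand-in for an Entra ID user object (not the real Graph schema)."""
    upn: str
    account_enabled: bool = True
    licenses: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)


class FakeGraphClient:
    """In-memory stand-in for the Graph calls the orchestrator makes; keeps an audit trail."""

    def __init__(self, users):
        self.users = {u.upn: u for u in users}
        self.audit = []

    def disable_user(self, upn):
        self.users[upn].account_enabled = False
        self.audit.append(("disable", upn))

    def revoke_sessions(self, upn):
        # Stand-in for invalidating the user's refresh tokens so open sessions die too.
        self.audit.append(("revoke_sessions", upn))

    def remove_all(self, upn, kind):
        # kind is one of "licenses", "groups", "roles"; returns what was removed.
        removed = sorted(getattr(self.users[upn], kind))
        getattr(self.users[upn], kind).clear()
        self.audit.append((f"remove_{kind}", upn, tuple(removed)))
        return removed


def terminate_user(graph, upn):
    """Leaver workflow for /hr/termination: block sign-in before stripping entitlements,
    so the account cannot act while cleanup is in progress. Safe to re-run."""
    user = graph.users.get(upn)
    if user is None:
        raise KeyError(f"unknown user {upn}")
    if user.account_enabled:          # idempotent: a second run does not re-disable
        graph.disable_user(upn)
    graph.revoke_sessions(upn)
    summary = {kind: graph.remove_all(upn, kind) for kind in ("licenses", "groups", "roles")}
    summary["enabled"] = user.account_enabled
    return summary
```

The audit list doubles as the "Notifications / logging" record for the termination ticket.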
Components:
- Streamlit Web UI (manual overrides, admin tools)
- FastAPI Backend (API gateway)
- IAM Orchestrator (business logic)
- Microsoft Graph (identity + M365)
- SCIM (Workday → Entra ID provisioning)
- Azure ARM (optional infra automation)
- Entra ID (authentication, MFA, CA)
Authentication and token flow:
- User opens Streamlit UI
- Streamlit redirects to Entra ID (OIDC Authorization Code Flow)
- User completes:
  - Password
  - MFA
  - Conditional Access
- Entra ID returns:
  - ID Token
  - Authorization Code
- Streamlit exchanges the code for:
  - ID Token
  - Access Token (optional)
  - Refresh Token (optional)
- Streamlit sends API requests to FastAPI
- FastAPI validates the token
- FastAPI does not use the user's token for automation; it uses its own service principal
- FastAPI requests:
  - Scope: https://graph.microsoft.com/.default
  - Scope: https://management.azure.com/.default
- Entra ID returns:
  - Access Token (Graph)
  - Access Token (ARM)
  - Refresh Token (service principal)
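An added example (not the project's code) of the two backend-side steps above: the claim policy FastAPI applies to the user's token, and the separate app-only token the backend obtains for Graph or ARM with its own service principal. It assumes the token's RS256 signature was already verified against the tenant JWKS (for example with PyJWT) before `validate_entra_claims` runs; the function names, the `IAM.Admin` app role and the sample claims are constructed.

```python
import time

# Issuer formats Entra ID uses for v1.0 and v2.0 tokens of a given tenant.
V1_ISSUER = "https://sts.windows.net/{tid}/"
V2_ISSUER = "https://login.microsoftonline.com/{tid}/v2.0"


class TokenRejected(Exception):
    """Raised when a (signature-verified) token fails the backend's claim policy."""


def validate_entra_claims(claims, tenant_id, audience, required_role=None, now=None, leeway=60):
    """Claim policy for the user token Streamlit sends to FastAPI.

    Assumes the signature was already verified against the tenant JWKS; this only
    enforces tenant, issuer, audience, validity window and an optional app role."""
    now = time.time() if now is None else now
    if claims.get("tid") != tenant_id:
        raise TokenRejected("wrong tenant")
    if claims.get("iss") not in (V1_ISSUER.format(tid=tenant_id), V2_ISSUER.format(tid=tenant_id)):
        raise TokenRejected("unexpected issuer")
    if claims.get("aud") not in (audience, f"api://{audience}"):   # v2 and v1 audience forms
        raise TokenRejected("audience mismatch")
    if claims.get("exp", 0) + leeway < now:
        raise TokenRejected("token expired")
    if claims.get("nbf", 0) - leeway > now:
        raise TokenRejected("token not yet valid")
    if required_role and required_role not in claims.get("roles", []):
        raise TokenRejected(f"missing role {required_role}")
    return {"oid": claims.get("oid"), "upn": claims.get("preferred_username") or claims.get("upn")}


def rejection_reason(claims, tenant_id, audience, required_role=None, now=None):
    """Convenience wrapper: None when the token is accepted, else the rejection reason."""
    try:
        validate_entra_claims(claims, tenant_id, audience, required_role, now)
    except TokenRejected as exc:
        return str(exc)
    return None


def acquire_service_token(tenant_id, client_id, client_secret, resource):
    """Backend automation never reuses the user's token: it obtains its own app-only
    token via the client-credentials flow. Assumes the msal package is installed;
    the import is deferred so the claim checks above run without it."""
    import msal
    app = msal.ConfidentialClientApplication(
        client_id, authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential=client_secret)
    result = app.acquire_token_for_client(scopes=[f"{resource}/.default"])
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description", "token request failed"))
    return result["access_token"]
```

Pass `https://graph.microsoft.com` or `https://management.azure.com` as `resource` to get the two `.default` scopes listed above.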
The Graph token is used for:
- Create / update / disable user
- Assign licenses
- Assign groups
- Assign roles

The ARM token is used for:
- Azure resource automation
- RBAC assignments
- Key Vault operations
- Storage operations

SCIM is used for:
- Workday → Entra ID provisioning

| Token | Used For |
|---|---|
| ID Token | Used by Streamlit UI; identifies the logged‑in user |
| Access Token (Graph) | Used by backend to call Microsoft Graph |
| Access Token (ARM) | Used by backend to call Azure Resource Manager |
| Refresh Token | Used by backend service principal to silently renew tokens |