articles/active-directory/governance/lifecycle-workflow-extensibility.md (19 additions, 23 deletions)
@@ -21,40 +21,49 @@ Lifecycle Workflows allow you to create workflows that can be triggered based on
21
21
22
22
## Prerequisite Logic App roles required for integration with the custom task extension
23
23
24
-
When linking your Azure Logic App with the custom task extension task, there are certain permissions that must be completed before the link can be established.
24
+
When you link your Azure Logic App with the custom task extension task, there are certain prerequisites that must be completed before the link can be established.
25
25
26
-
The roles on the Azure Logic App, which allows it to be compatible with the custom task extension, are as follows:
26
+
To create a Logic App, you must have:
27
+
28
+
- A valid Azure subscription
29
+
- A compatible resource group where the Logic App is located
30
+
31
+
> [!NOTE]
32
+
> The resource group needs permissions to create, update, and read the Logic App while the custom extension is being created.
33
+
34
+
The roles on the Azure Logic App required with the custom task extension, are as follows:
27
35
28
36
-**Logic App contributor**
29
37
-**Contributor**
30
38
-**Owner**
31
39
32
40
> [!NOTE]
33
-
> The **Logic App Operator** role alone will not make an Azure Logic App compatible with the custom task extension. For more information on the required **Logic App contributor** role, see: [Logic App Contributor](../../role-based-access-control/built-in-roles.md#logic-app-contributor).
41
+
> The **Logic App Operator** role alone will not work with the custom task extension. For more information on the required **Logic App contributor** role, see: [Logic App Contributor](../../role-based-access-control/built-in-roles.md#logic-app-contributor).
34
42
35
43
## Custom task extension deployment scenarios
36
44
37
45
When creating custom task extensions, the scenarios for how it interacts with Lifecycle Workflows can be one of two ways:
38
46
39
47
:::image type="content" source="media/lifecycle-workflow-extensibility/task-extension-deployment-scenarios.png" alt-text="Screenshot of custom task deployment scenarios.":::
40
48
41
-
-**Launch and continue** - The Azure Logic App is started, and the following task execution immediately continues with no response expected from the Azure Logic App. This scenario is best suited if the Lifecycle workflow doesn't require any feedback (including status) from the Azure Logic App. With this scenario, as long as the workflow is started successfully, the workflow is viewed as a success.
49
+
-**Launch and continue** - The Azure Logic App is started, and the following task execution immediately continues with no response expected from the Azure Logic App. This scenario is best suited if the Lifecycle workflow doesn't require any feedback (including status) from the Azure Logic App. If the Logic App is started successfully, the Lifecycle Workflow task is considered a success.
42
50
-**Launch and wait** - The Azure Logic App is started, and the following task's execution waits on the response from the Logic App. You enter a time duration for how long the custom task extension should wait for a response from the Azure Logic App. If no response is received within a customer defined duration window, the task is considered failed.
43
51
:::image type="content" source="media/lifecycle-workflow-extensibility/custom-task-launch-wait.png" alt-text="Screenshot of custom task launch and wait task choice." lightbox="media/lifecycle-workflow-extensibility/custom-task-launch-wait.png":::
44
52
53
+
> [!NOTE]
54
+
> You can also deploy a custom task that calls to a third party system. To learn more about this call, see: [taskProcessingResult: resume](/graph/api/identitygovernance-taskprocessingresult-resume).
55
+
45
56
## Response authorization
46
57
47
-
When creating a custom task extension that waits for a response from the Logic App, you're able to define which applications can send a response
58
+
When you create a custom task extension that waits for a response from the Logic App, you're able to define which applications can send a response
48
59
49
60
:::image type="content" source="media/lifecycle-workflow-extensibility/launch-wait-options.png" alt-text="Screenshot of custom task extension launch and wait options.":::
50
61
51
62
Response authorization can be utilized in one of the following ways:
52
63
53
-
-**System-assigned managed identity (Default)** - Enables and utilizes the Logic Apps system-assigned managed identity. For more information on this, see: [Authenticate access to Azure resources with managed identities in Azure Logic Apps](/azure/logic-apps/create-managed-service-identity)
54
-
-**No authorization** - Grants no authorization to the Logic App. You're responsible for assigning an application permission, or role assignment.
55
-
-**Existing application** - You can choose an existing application to respond.
56
-
57
-
64
+
-**System-assigned managed identity (Default)** - With this choice you Enable and utilize the Logic Apps system-assigned managed identity. For more information, see: [Authenticate access to Azure resources with managed identities in Azure Logic Apps](/azure/logic-apps/create-managed-service-identity)
65
+
-**No authorization** - With this choice you assign a Logic App or third party application an application permission (LifecycleWorkflows.ReadWrite.All), or role assignment (Lifecycle Workflows Administrator). This choice doesn't follow least privilege access as outlined in Azure Active Directory best practices. For more information on best practices for roles, see: [Best Practices for Azure AD roles](/azure/active-directory/roles/best-practices).
66
+
-**Existing application** - With this choice you're able to choose an existing application to respond. You are able to choose applications that are user-assigned or regular applications. For more information on managed identity types, see: [Managed identity types](../managed-identities-azure-resources/overview.md#managed-identity-types).
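Review bot: the rewritten **No authorization** bullet drops the statement that this option grants nothing by itself and now reads as if selecting it performs the assignment, while the two things it names (the `LifecycleWorkflows.ReadWrite.All` application permission and the Lifecycle Workflows Administrator role) are both tenant-wide grants. Suggest keeping the original meaning and letting the least-privilege warning follow from it, for example: `-**No authorization** - Grants no authorization to the Logic App. You must separately grant the responding Logic App or third-party application an application permission (LifecycleWorkflows.ReadWrite.All) or a role assignment (Lifecycle Workflows Administrator); both apply tenant-wide, so this choice doesn't follow least privilege access ...`. Smaller points in the same hunk: the new note under the prerequisites says "The resource group needs permissions", but permissions belong to the principal creating the extension, so say who needs create, update, and read rights on the Logic App in that resource group; "A compatible resource group" doesn't say compatible with what; the new note after the launch-and-wait screenshot says "To learn more about this call" while linking `taskProcessingResult: resume`, which is the call the third-party system makes back to resume the waiting task rather than the outbound call, and it applies only to the launch-and-wait scenario; "you Enable and utilize" in the system-assigned managed identity bullet has a stray capital; and "regular applications" in the **Existing application** bullet should name the identity type it means (an app registration/service principal), since the linked anchor covers only managed identity types.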
@@ -69,19 +78,6 @@ The high-level steps for the Azure Logic Apps integration are as follows:
69
78
-**Create a lifecycle workflow customTaskExtension which holds necessary information about the Azure Logic App**: Creating a custom task extension that references the configured Azure Logic App.
70
79
-**Update or create a Lifecycle workflow with the “Run a custom task extension” task, referencing your created customTaskExtension**: Adding the newly created custom task extension to a new workflow, or updating the information to an existing workflow.
71
80
72
-
## Logic App parameters used by the custom task
73
-
74
-
When creating a custom task extension from the Azure portal, you're able to create a Logic App, or link it to an existing one.
75
-
:::image type="content" source="media/lifecycle-workflow-extensibility/custom-task-logic-app.png" alt-text="Screenshot of a custom task create logic app selection screen.":::
76
-
77
-
The following information is supplied to the custom task from the Logic App:
78
-
79
-
- Subscription
80
-
- Resource group
81
-
- Logic App name
82
-
83
-
84
-
For a guide on supplying this information to a custom task extension via Microsoft Graph, see: [Configure a Logic App for Lifecycle Workflow use](configure-logic-app-lifecycle-workflows.md).
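Review bot: this hunk deletes the whole "Logic App parameters used by the custom task" section, and with it the only link visible on this page to configure-logic-app-lifecycle-workflows.md and the list of what the custom task extension needs about the Logic App (subscription, resource group, Logic App name); the first hunk adds subscription and resource group as prerequisites but not the Logic App name or the Graph link. If the section is being dropped because the prerequisites now cover it, suggest at least keeping the closing sentence "For a guide on supplying this information to a custom task extension via Microsoft Graph, see: [Configure a Logic App for Lifecycle Workflow use](configure-logic-app-lifecycle-workflows.md)." under the high-level steps, since the steps still refer to creating a customTaskExtension and the reader is otherwise left without the Graph walkthrough. If any of the removed text is restored, also fix "The following information is supplied to the custom task from the Logic App", which has the direction backwards: the extension is configured with the Logic App's identifiers, not the other way round.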