...

EmpowerID consists of many jobs that process items in a very granular way, such as inventory information, attribute flow, group membership, account lockout detection, and even license assignment changes. It stores that information in its SQL database or Identity Warehouse. Jobs can run across multiple servers in parallel to support even the largest environments. For Azure License Manager, the relevant jobs include:

...

Once these objects have been added to the Identity Warehouse, the tables of the EmpowerID Identity Warehouse will be populated with resource objects like accounts and groups, which will be handled by specific EmpowerID services and the processes or "EmpowerID Jobs" hosted by those services. For account stores like Azure Active Directory, the relevant services and jobs are the EmpowerID Worker Role Windows service and the Inventory Job hosted by the EmpowerID Worker Role.

...

The EmpowerID Worker Role schedules and dispatches the Inventory Job for each connected account store based on the schedule and account store settings. When the scheduled time arrives, the EmpowerID Worker Role instructs the Inventory Job to execute the Inventory method for the account store. In the case of an Azure Active Directory account store with an Exchange resource system, the Inventory Job makes an API call to the appropriate endpoint in Azure, retrieving each new user account and group discovered in the account store. The information is returned to the EmpowerID Worker Role, which processes the accounts and groups, writing each one as a record to the Account and Group table of the Identity Warehouse, respectively. Once this initial inventory is complete, the process repeats itself, discovering any new accounts and groups in the Azure tenant account store and adding them to the appropriate Identity Warehouse tables according to the inventory schedule.

...

This job claims and processes all the data in the AzureJSONInbox table in EmpowerID. This table is populated during inventory and stores inventoried Azure-specific information, such as license subscriptions, RBAC entities such as management groups, and information about license assignments. The job has two steps:

...

This job processes each enabled license pool based on the schedule set for that license pool. It evaluates the assignments and the exclusions and compiles the resultant assignments for those who should have that license bundle. This creates entries in the license fulfillment queue, also known as the license inbox, to add or remove user accounts from Azure AD license groups mapped to each license bundle. It calculates who should have that license bundle versus who is currently in that license group because of it. It also puts entries in the license fulfillment queue for who should be added to and who should be removed from a particular license bundle.

...

This job claims records from the License Pool Change Inbox Processor that will be revoked and sent for approval. The job claims 100 removal change records in each call that are pending approval. These removal records are passed to the Approval workflow, which sends them for approval to each person with the RBAC delegations to make that decision.

Approval flow

The person making the approval decision selects the licenses that should be removed and the effective date for the removal to occur. These records are marked as approved, and their status is set to open. The License Pool Change Inbox Processor Job claims and processes all approved records, and those licenses are revoked from users. Any records not selected for approval continue to be claimed by the License Pool Approval Change Inbox Processor Job until acted upon.
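
The recalculation and removal-approval steps described above can be modelled as a set difference feeding a gated queue. This is an added illustration, not EmpowerID code: the record fields, status names and function names are hypothetical, and it assumes additions need no approval and that an approved removal is applied on or after its effective date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

BATCH_SIZE = 100  # removal records claimed per call (figure from the page)

@dataclass
class ChangeRecord:  # hypothetical shape of one license fulfillment queue entry
    account: str
    action: str   # "add" or "remove"
    status: str   # "open" or "pending_approval" (assumed status names)
    effective: Optional[date] = None

def recalculate(assigned, excluded, current_members):
    """Diff who should hold the bundle against who is in its license group."""
    should_have = set(assigned) - set(excluded)
    current = set(current_members)
    adds = [ChangeRecord(a, "add", "open") for a in sorted(should_have - current)]
    # Assumption: only removals wait for an approver; adds are open at once.
    removes = [ChangeRecord(a, "remove", "pending_approval")
               for a in sorted(current - should_have)]
    return adds + removes

def claim_for_approval(queue):
    """Claim at most BATCH_SIZE removals that still await a decision."""
    pending = [r for r in queue if r.status == "pending_approval"]
    return pending[:BATCH_SIZE]

def approve(batch, selected, effective):
    """Open only the removals the approver selected; the rest stay pending."""
    for r in batch:
        if r.account in selected:
            r.status, r.effective = "open", effective

def process_open(queue, today):
    """Return the changes the fulfillment job may apply as of today."""
    return [r for r in queue
            if r.status == "open" and (r.effective is None or r.effective <= today)]

def demo():
    # Constructed sample accounts: cy is excluded, dee is no longer assigned.
    queue = recalculate({"ann", "bob", "cy"}, {"cy"}, {"bob", "cy", "dee"})
    approve(claim_for_approval(queue), {"dee"}, date(2024, 6, 1))
    return queue, process_open(queue, date(2024, 6, 1))
```

In the sample, the removal for `cy` was not selected by the approver, so it remains pending and is returned again by the next `claim_for_approval` call.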

...

  • The Azure AD SCIM Microservice – The Azure AD SCIM microservice is a SCIM-compliant REST API for inventorying your Azure tenant's user, group, group membership, and license information. The application calls the Microsoft Graph API to execute operations in Azure AD, such as updating group memberships, in response to your actions in ALM.

  • IT IAM Shop Microservices – The IT IAM Shop microservices provide users access to the IT IAM Shop. They can request licenses to any Microsoft service for which they are eligible and view current license subscriptions.

    The below image shows what the IT Shop looks like to a user requesting a license for which they are eligible. There is one license available to them, “itshoptest05.”

    IT Shop


  • The Azure License Analytics Microservice – The Azure License Analytics microservice provides visual feedback of Azure data that your organization can use to quickly gather a real-time synopsis of license usage, which can help make informed business decisions.

    The below image shows one of the information panes of the Azure License Analytics microservice. This pane displays a timeline of the status of licensed Azure accounts for the past 12 months. Hovering your mouse over a specific point in the timeline displays data for that moment.

    Azure License Analytics Dashboard

...