...
The EmpowerID Worker Role schedules and dispatches the Inventory Job for each connected account store based on the settings for that schedule and account store. When the scheduled time arrives, the EmpowerID Worker Role instructs the Inventory Job to execute the Inventory method for the account store. In the case of an Azure Active Directory account store with an Exchange resource system, the Inventory Job makes an API call to the appropriate endpoint in Azure, retrieving each new user account and group discovered in the account store. The information is returned to the EmpowerID Worker Role, which processes the accounts and groups, writing each account as a record to the Account table and each group as a record to the Group table of the Identity Warehouse. Once this initial inventory is complete, the process repeats in accordance with the inventory schedule, discovering any new accounts and groups in the Azure tenant account store and adding them to the appropriate Identity Warehouse tables.
Inventory Data
The image below depicts the data inventoried by Azure License Manager.
...
On the right side of the image, we see an Azure tenant with users, groups, subscriptions and license assignment information. We also see the SCIM App Service. On the left, we see our EmpowerID instance, whether it's on premise or a SaaS instance. EmpowerID is running as Web and Application Server containers hosting inventory jobs that pull the data from Azure and store it in the appropriate tables of the Identity Warehouse. Users from Azure Active Directory are stored in the Accounts table, groups in the Group table, and the products to which the tenant has subscribed in the AZLocalServiceBundle table. Additionally, detailed information about which users or groups are assigned to which of these subscriptions, as well as which product features of the service plans are enabled or disabled on each of these assignments, is stored in the AZAssigneeLocalServiceBundleService table. While the image shows just a few of the tables, it allows you to see the overall flow: EmpowerID communicates securely with an Azure App Service running in your tenant, which uses a managed identity to talk to the Graph API, retrieve this information, and store it in the Identity Warehouse.
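The per-assignment detail described above (which user or group holds which subscription, and which service plans are enabled or disabled on it) can be derived from Graph-style license data as in this added example, which is not EmpowerID code. The payloads are constructed samples using the Microsoft Graph field names `skuId`, `servicePlans`, `assignedLicenses` and `disabledPlans`; the row layout is hypothetical and does not reflect the actual columns of the AZAssigneeLocalServiceBundleService table.

```python
# Added illustration, not EmpowerID code. All ids and names below are constructed.
SUBSCRIBED_SKUS = [  # shaped like Graph subscribedSkus entries
    {"skuId": "sku-e3", "skuPartNumber": "CONSTRUCTED_E3",
     "servicePlans": [
         {"servicePlanId": "plan-exo", "servicePlanName": "CONSTRUCTED_EXCHANGE"},
         {"servicePlanId": "plan-spo", "servicePlanName": "CONSTRUCTED_SHAREPOINT"},
     ]},
]
ASSIGNEES = [  # users and groups both carry assignedLicenses in Graph
    {"id": "user-1", "type": "user",
     "assignedLicenses": [{"skuId": "sku-e3", "disabledPlans": ["plan-spo"]}]},
    {"id": "group-1", "type": "group",
     "assignedLicenses": [{"skuId": "sku-e3", "disabledPlans": []}]},
    {"id": "user-2", "type": "user",
     "assignedLicenses": [{"skuId": "sku-gone", "disabledPlans": []}]},
]


def flatten_assignments(skus, assignees):
    """Return (rows, orphans).

    rows: one dict per assignee, subscription and service plan (hypothetical layout).
    orphans: (assignee id, skuId) pairs whose SKU is missing from the inventory,
    which a reviewer should investigate rather than silently drop.
    """
    by_id = {s["skuId"]: s for s in skus}
    rows, orphans = [], []
    for assignee in assignees:
        for lic in assignee.get("assignedLicenses", []):
            sku = by_id.get(lic["skuId"])
            if sku is None:
                orphans.append((assignee["id"], lic["skuId"]))
                continue
            disabled = set(lic.get("disabledPlans", []))
            for plan in sku["servicePlans"]:
                rows.append({
                    "assignee_id": assignee["id"],
                    "assignee_type": assignee["type"],
                    "sku": sku["skuPartNumber"],
                    "service_plan": plan["servicePlanName"],
                    "enabled": plan["servicePlanId"] not in disabled,
                })
    return rows, orphans


if __name__ == "__main__":
    rows, orphans = flatten_assignments(SUBSCRIBED_SKUS, ASSIGNEES)
    for row in rows:
        print(row)
    print("orphaned assignments:", orphans)
```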
Inventory Inbox Job
This job claims and processes all the data contained in the AzureJSONInbox table in EmpowerID. This table is populated during inventory and stores all inventoried Azure-specific information, such as license subscriptions, RBAC entities such as management groups, and license assignments. The job has two steps:
...