Azure License Manager (ALM) is an enterprise-scale, high-security product that enables organizations to manage and automate licenses in their Azure AD tenants. ALM can be run either on-premises with an on-premises installation of EmpowerID, or as a Software-as-a-Service offering run by EmpowerID as Web and Application Server containers in Kubernetes, in the cloud or on-premises. The below image depicts the key components of ALM and how they interface with an Azure tenant. A brief description of these key components follows the image.

...

EmpowerID Azure AD SCIM App Service

In Azure, App Services are HTTP-based services for hosting web applications and REST APIs. They allow you to safely and securely add applications to Azure that interact with it. EmpowerID provides workflows that allow you to provision or publish an Azure App Service, known as the EmpowerID Azure Active Directory SCIM App Service. The EmpowerID Azure Active Directory SCIM App Service is a SCIM-compliant app service, a REST API with which EmpowerID interfaces in order to talk to your tenants and to inventory the data about users, groups and license assignments. The app service is published into your own tenants and leverages a managed identity, which is the most secure option available for communicating with the Microsoft Graph API to perform actions such as assigning users to license groups and retrieving license information. As shown below, it is comprised of components common to all EmpowerID connectors, along with several that are specific to the module. A high-level description of these components follows.

...

EmpowerID Jobs

EmpowerID consists of a large number of jobs for very granular processing of different items such as inventory information, attribute flow, group membership, account lockout detection and even license assignment changes and stores that information in its SQL database or Identity Warehouse. Jobs can run across multiple servers in parallel to support even the largest environments. The key EmpowerID jobs involved in Azure License Manager are described below.

The Inventory Job

The inventory job inventories the users, groups, group memberships, attributes and other information in an external system, which in this case is Azure Active Directory. It uses the Azure AD SCIM Microservice App Service mentioned above to retrieve this information.

For Azure License Manager, the relevant jobs include:

  • Inventory

  • Resource System Inbox Inventory

  • License Pool Compiler

  • License Pool Change Inbox Processor

  • License Pool Approval Change Inbox Processor

Inventory Job

When you first connect EmpowerID to an account store like Azure Active Directory, EmpowerID discovers the topology of the account store and registers the EmpowerID equivalents of that topology in the EmpowerID Identity Warehouse. For Azure Active Directory, these EmpowerID equivalents include:

  • A Security Boundary object for Azure Active Directory

  • An Account Store object for the Azure tenant

  • A Resource System object to represent the account store

Once these objects have been added to the Identity Warehouse, populating the tables of the EmpowerID Identity Warehouse with resource objects like accounts and groups is handled by specific EmpowerID services and the processes or "EmpowerID Jobs" hosted by those services. For account stores like Azure Active Directory, the relevant services and jobs are the EmpowerID Worker Role Windows service and the Inventory Job hosted by the EmpowerID Worker Role.

Job flow

The EmpowerID Worker Role schedules and dispatches the Inventory Job for each connected account store based on the settings for that schedule and account store. When the scheduled time arrives, the EmpowerID Worker Role instructs the Inventory Job to execute the Inventory method for the account store. In the case of an Azure Active Directory account store with an Exchange resource system, the Inventory Job makes an API call to the appropriate endpoint in Azure, retrieving each new user account and group discovered in the account store. The information is returned to the EmpowerID Worker Role, which processes the accounts and groups, writing each one as a record to the Account and Group table of the Identity Warehouse, respectively. Once this initial inventory is complete, the process repeats itself, discovering any new accounts and groups in the Azure tenant account store and adding them to the appropriate Identity Warehouse tables in accordance with the inventory schedule.

Inventory Data

The below image depicts the data inventoried by Azure License Manager.

...


On the right side of the image, we see an Azure tenant with users, groups, subscriptions, and license assignment information. We also see the SCIM App Service. On the left, we see our EmpowerID instance — whether it's on-premises or a SaaS instance. EmpowerID is running as Web and Application Server containers hosting inventory jobs that pull the data from Azure and store it in the appropriate tables of the Identity Warehouse. Users from Azure Active Directory are stored in the Account table, groups in the Group table, and the products to which the tenant has subscribed in the AZLocalServiceBundle table. Additionally, detailed information about which users or groups are assigned to which of these subscriptions, as well as which product features of the service plans are enabled or disabled on each of these assignments, is stored in the AZAssigneeLocalServiceBundleService table. While the image shows just a few of the tables, it illustrates the overall flow: EmpowerID communicates securely with an Azure App Service running in your tenant, which uses a managed identity to talk to the Graph API, retrieve this information and return it for storage in the Identity Warehouse.

Resource System Inbox Inventory Processor

This job claims and processes all the data contained in the AzureJSONInbox table in EmpowerID. This table is populated during inventory and stores all Azure-specific inventoried information, such as license subscriptions, RBAC entities such as management groups, and information about license assignments. The job has two steps:

  1. The first step performed by the Inventory Inbox job is to process the JSON documents it received during inventory and insert them into a series of tables in the Identity Warehouse, prefixed with Azure. Examples of these tables include Azure_Subscription, Azure_AccountLicense, Azure_GroupLicense, and Azure_ManagedIdentity.

  2. The second step performed by the Inventory Inbox job is to move the data from the Azure tables to their corresponding EmpowerID tables, such as the Account and Group tables, which are visible in the user interface to provide reporting, delegated administration, and self-service.

...

License Pool Compiler Job

This job processes each enabled license pool based on the schedule set for that license pool. It evaluates the assignments and the exclusions and compiles the resultant set of who should have that license bundle. It then compares that result against who is currently in the mapped Azure AD license group because of the license bundle, and creates entries in the license fulfillment queue, also known as the license inbox, for each user account that should be added to or removed from the license groups mapped to that bundle.
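The compile step described above, modelled as an added example (this is illustrative code, not EmpowerID's implementation; the class names, the status values and the sample pool are constructed, and the example assumes every removal is routed to approval before it becomes actionable):

```python
# Illustrative model of the License Pool Compiler step. Not EmpowerID code:
# all names, status values and sample data here are constructed.
from dataclasses import dataclass, field


@dataclass
class LicensePool:
    name: str
    license_group: str            # Azure AD license group mapped to this bundle
    assignees: set[str]           # accounts the pool says should hold the bundle
    exclusions: set[str] = field(default_factory=set)
    enabled: bool = True


@dataclass(frozen=True)
class QueueEntry:
    """One row in the license fulfillment queue (the 'license inbox')."""
    pool: str
    license_group: str
    account: str
    action: str                   # "add" or "remove"
    status: str                   # "open" is ready for the Change Inbox Processor;
                                  # removals start as "pending approval" (assumed)


def compile_pool(pool: LicensePool, members_via_pool: set[str]) -> list[QueueEntry]:
    """Desired membership is assignments minus exclusions; it is diffed only
    against accounts that are in the license group because of this pool, so
    accounts placed in the group by other means are never touched."""
    if not pool.enabled:
        return []
    desired = pool.assignees - pool.exclusions
    entries = [
        QueueEntry(pool.name, pool.license_group, acct, "add", "open")
        for acct in sorted(desired - members_via_pool)
    ]
    entries += [
        QueueEntry(pool.name, pool.license_group, acct, "remove", "pending approval")
        for acct in sorted(members_via_pool - desired)
    ]
    return entries


def demo() -> list[QueueEntry]:
    """Constructed sample: one excluded assignee and one stale group member."""
    pool = LicensePool(
        name="E3-Finance",
        license_group="LG-M365-E3-Finance",
        assignees={"alice", "bob", "carol"},
        exclusions={"carol"},                 # assigned but explicitly excluded
    )
    members_via_pool = {"bob", "dave"}        # dave no longer qualifies
    return compile_pool(pool, members_via_pool)
```

Running `demo()` yields one "add" entry for alice with status open and one "remove" entry for dave awaiting approval; bob is already compliant and carol's exclusion wins over her assignment.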

...

License Pool Change Inbox Processor Job

This job reads the entries placed in the license fulfillment queue by the License Pool Compiler and connects to the Azure AD SCIM microservice to process those entries in your tenants, adding or removing users to and from license groups.

License Pool Approval Change Inbox Processor Job

This job claims records from the License Pool Change Inbox Processor that are to be revoked and sent for approval. The job claims 100 removal change records in each call that are pending approval. These removal records are passed to the Approval workflow, which sends them for approval to each person with the RBAC delegations to make that decision.

Approval flow

The person making the approval decision selects the licenses that should be removed and the effective date for the removal to occur. These records are marked as approved and their status is set to open. The License Pool Change Inbox Processor Job claims and processes all approved records and those licenses are revoked from users. Any records not selected for approval continue to be claimed by the License Pool Approval Change Inbox Processor Job until acted upon.

Get License Usage Reports Permanent Workflow

The Get License Usage Reports permanent workflow is responsible for retrieving license usage information from a connected Azure tenant on a scheduled basis. The workflow calls the getOffice365ActiveUserDetail Azure Graph API endpoint to return the following information:

Identity Warehouse

The EmpowerID Identity Warehouse contains a large number of tables for storing and maintaining information about each connected resource system and the objects in those systems, including those within the EmpowerID system itself. These tables are differentiated by resource type and have records corresponding to both inventoried and non-inventoried objects alike. For Azure License Manager, some examples of the former include the Azure_Domain, Azure_AccountLicense, Azure_GroupLicense, and Azure_ManagedIdentity tables, while examples of the latter include the AzLicensePool, AzLocalServiceBundle, AccountStore, Account, and Group tables (these tables correspond to unique objects created in EmpowerID). When EmpowerID inventories an account store like an Azure tenant, it writes all relevant resource objects in those systems—and the important attributes of those objects—to the appropriate table in the Identity Warehouse, adding the attributes of those objects as column values. In this way, Azure tenants are added to the AccountStore table, user accounts in Azure are added to the Account table, groups in Azure are added to the Group table, and so on.

Azure Microservices

EmpowerID provides a workflow, AzPublishMsAppToAppService, that allows you to publish a number of Azure-related microservices to a connected Azure tenant. Azure License Manager uses Azure’s App Service technology to host the microservices, allowing for quick deployment and updates if changes occur in your Azure environment.

For Azure License Manager, these microservices include:

  • The Azure AD SCIM Microservice – The Azure AD SCIM microservice is a SCIM-compliant REST API for inventorying the user, group, group membership, and license information in your Azure tenant. The application calls the Microsoft Graph API to execute operations in Azure AD, such as updating group memberships, in response to your actions in ALM.

  • IT Shop Microservices – The IT Shop microservices provide users access to the IT Shop, where they can request licenses to any Microsoft service for which they are eligible and view current license subscriptions.

    The below image shows what the IT Shop looks like to a user requesting a license for which they are eligible. There is one license available to them, “itshoptest05.”

    (Image: IT Shop)


  • The Azure License Analytics Microservice – The Azure License Analytics microservice provides visual feedback on Azure data that your organization can use to quickly gather a real-time synopsis of license usage, which can be helpful for making informed business decisions.

    The below image shows one of the information panes of the Azure License Analytics microservice. This pane displays a timeline of the status of licensed Azure accounts for the past 12 months. Hovering your mouse over a specific point in the timeline displays data for that moment in time.

    (Image: Azure License Analytics Dashboard)
