Azure License Manager (ALM) is an enterprise-scale product for managing and automating license assignment in Azure AD tenants. ALM can run either on-premises, as part of an on-premises EmpowerID installation, or as Software as a Service operated by EmpowerID, with the Web and Application Server roles deployed as containers in Kubernetes, in the cloud or on-premises. The image below depicts the key components of ALM and how they interface with an Azure tenant; a brief description of each component follows the image.
EmpowerID Azure AD SCIM App Service
In Azure, App Service is an HTTP-based hosting service for web applications and REST APIs. EmpowerID provides workflows that provision and publish an App Service into your tenant, known as the EmpowerID Azure Active Directory SCIM App Service. It is a SCIM-compliant REST API that EmpowerID calls to talk to your tenants and to inventory users, groups and license assignments. Because the app service is published into your own tenant, it authenticates to the Microsoft Graph API with a managed identity: Azure issues and rotates that credential itself, so no client secret or certificate has to be stored in EmpowerID or in the app service configuration. The managed identity is what performs actions such as adding users to license groups and reading license information, so the Graph permissions granted to it should be limited to what those operations require.
EmpowerID Jobs
EmpowerID runs a large number of jobs, each responsible for one narrow piece of processing: inventory, attribute flow, group membership, account lockout detection, license assignment changes and so on. Each job stores its results in the EmpowerID SQL database, the Identity Warehouse. Jobs can run across multiple servers in parallel to support even the largest environments. The key jobs involved in Azure License Manager are described below.
The Inventory Job
The inventory job inventories the users, groups, group memberships, attributes and other information in an external system, in this case Azure Active Directory. It uses the EmpowerID Azure AD SCIM App Service (microservice) described above to retrieve this information.
The Inventory Inbox Job
The Inventory Inbox job claims and processes the rows in the AzureJSONInbox table in EmpowerID. Inventory populates this table with JSON documents for all Azure-specific information, such as license subscriptions, RBAC entities such as management groups, and license assignments. The job has two steps:
The first step parses the JSON documents received from inventory into a series of staging tables in EmpowerID whose names are prefixed with Azure: a table for Azure subscriptions, a table for Azure license assignments, tables for Azure application roles and global roles, and other tables that are discussed later.
The second step moves the data from these Azure-prefixed tables to its final destination in EmpowerID tables, which are exposed in the user interface for reporting, delegated administration and self-service.
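The two steps above, as an added example that is not EmpowerID's own code. It uses Python with an in-memory sqlite3 database standing in for SQL Server; the AzureJSONInbox, Office365Subscription and Office365SubscriptionAccount names come from this page, while every column, the Azure_*_Stage staging tables, the DocType values and the JSON documents are assumptions made for illustration. It also shows two things a practitioner would want from such a job: rows are claimed atomically so that instances running in parallel on several servers never process the same row twice, and a malformed document is flagged rather than allowed to abort the whole batch.

```python
"""Inventory inbox processing: claim, stage, promote.

Added example, not EmpowerID's own code. Apart from the three table names
the page mentions (AzureJSONInbox, Office365Subscription,
Office365SubscriptionAccount), every table, column, DocType value and
document shape here is a hypothetical stand-in; sqlite3 stands in for SQL Server.
"""
import json
import sqlite3

# Constructed inbox documents: two subscriptions, three account-license
# assignments and one deliberately truncated payload.
SAMPLE_DOCS = [
    ("subscription", '{"skuId": "sku-e3", "skuPartNumber": "ENTERPRISEPACK", "enabled": 500, "consumed": 498}'),
    ("subscription", '{"skuId": "sku-e5", "skuPartNumber": "SPE_E5", "enabled": 50, "consumed": 12}'),
    ("accountLicense", '{"accountId": "u1", "skuId": "sku-e3"}'),
    ("accountLicense", '{"accountId": "u2", "skuId": "sku-e3"}'),
    ("accountLicense", '{"accountId": "u3", "skuId": "sku-e5"}'),
    ("accountLicense", '{"accountId": "u4", "skuId": '),  # malformed on purpose
]


def open_db():
    """Create the (hypothetical) schema and seed the inbox with SAMPLE_DOCS."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE AzureJSONInbox (
            InboxID INTEGER PRIMARY KEY, DocType TEXT NOT NULL, Payload TEXT NOT NULL,
            ClaimedBy TEXT, Status TEXT NOT NULL DEFAULT 'new');
        CREATE TABLE Azure_Subscription_Stage (
            SkuId TEXT PRIMARY KEY, SkuPartNumber TEXT, Enabled INTEGER, Consumed INTEGER);
        CREATE TABLE Azure_AccountLicense_Stage (
            AccountId TEXT, SkuId TEXT, PRIMARY KEY (AccountId, SkuId));
        CREATE TABLE Office365Subscription (
            SkuId TEXT PRIMARY KEY, SkuPartNumber TEXT, EnabledUnits INTEGER, ConsumedUnits INTEGER);
        CREATE TABLE Office365SubscriptionAccount (
            AccountId TEXT, SkuId TEXT, PRIMARY KEY (AccountId, SkuId));
    """)
    conn.executemany("INSERT INTO AzureJSONInbox (DocType, Payload) VALUES (?, ?)", SAMPLE_DOCS)
    return conn


def claim(conn, worker, batch=100):
    """Atomically mark a batch of unclaimed rows as owned by this worker.
    Parallel job instances on other servers only ever see rows nobody owns."""
    with conn:
        conn.execute(
            "UPDATE AzureJSONInbox SET ClaimedBy = ? WHERE InboxID IN ("
            "  SELECT InboxID FROM AzureJSONInbox WHERE ClaimedBy IS NULL AND Status = 'new' LIMIT ?)",
            (worker, batch))
    return conn.execute(
        "SELECT InboxID, DocType, Payload FROM AzureJSONInbox WHERE ClaimedBy = ? AND Status = 'new'",
        (worker,)).fetchall()


def stage(conn, rows):
    """Step 1: parse each JSON document into its Azure-prefixed staging table.
    A document that fails to parse is flagged 'error'; the batch continues."""
    staged = 0
    with conn:
        for inbox_id, doc_type, payload in rows:
            try:
                doc = json.loads(payload)  # JSONDecodeError is a ValueError
                if doc_type == "subscription":
                    conn.execute("INSERT OR REPLACE INTO Azure_Subscription_Stage VALUES (?, ?, ?, ?)",
                                 (doc["skuId"], doc["skuPartNumber"], doc["enabled"], doc["consumed"]))
                elif doc_type == "accountLicense":
                    conn.execute("INSERT OR IGNORE INTO Azure_AccountLicense_Stage VALUES (?, ?)",
                                 (doc["accountId"], doc["skuId"]))
                else:
                    raise ValueError(f"unknown DocType {doc_type!r}")
            except (ValueError, KeyError, TypeError):
                conn.execute("UPDATE AzureJSONInbox SET Status = 'error' WHERE InboxID = ?", (inbox_id,))
                continue
            conn.execute("UPDATE AzureJSONInbox SET Status = 'staged' WHERE InboxID = ?", (inbox_id,))
            staged += 1
    return staged


def promote(conn):
    """Step 2: move staged rows into the warehouse tables the UI reads, then clear staging."""
    with conn:
        conn.execute("INSERT OR REPLACE INTO Office365Subscription "
                     "SELECT SkuId, SkuPartNumber, Enabled, Consumed FROM Azure_Subscription_Stage")
        conn.execute("INSERT OR IGNORE INTO Office365SubscriptionAccount "
                     "SELECT AccountId, SkuId FROM Azure_AccountLicense_Stage")
        conn.execute("DELETE FROM Azure_Subscription_Stage")
        conn.execute("DELETE FROM Azure_AccountLicense_Stage")


def run_job(conn, worker="server-a"):
    """One pass of the job; returns counts the caller can check."""
    rows = claim(conn, worker)
    staged = stage(conn, rows)
    promote(conn)
    count = lambda sql: conn.execute(sql).fetchone()[0]
    return {
        "claimed": len(rows),
        "staged": staged,
        "errors": count("SELECT COUNT(*) FROM AzureJSONInbox WHERE Status = 'error'"),
        "subscriptions": count("SELECT COUNT(*) FROM Office365Subscription"),
        "subscription_accounts": count("SELECT COUNT(*) FROM Office365SubscriptionAccount"),
    }


if __name__ == "__main__":
    db = open_db()
    print(run_job(db, "server-a"))
    print(run_job(db, "server-b"))  # nothing left to claim
```

Running it once claims all six rows, stages five, flags the truncated one, and leaves two subscriptions and three subscription accounts in the destination tables; a second worker then finds nothing to claim, which is the property that makes the job safe to run on several servers at once.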
The License Pool Compiler
This job processes each enabled license pool on the schedule set for that pool. It evaluates the pool's assignments and exclusions and compiles the resultant set of accounts that should have that license bundle. It then compares that set with the accounts currently in the mapped Azure AD license group because of the bundle, and writes entries to the license fulfillment queue, also known as the license inbox, to add the missing accounts to, and remove the surplus accounts from, the Azure AD license group mapped to each bundle.
The License Pool Change Inbox Processor
This job reads the entries the License Pool Compiler placed in the license fulfillment queue and calls the Azure AD SCIM App Service (microservice) to process them in your tenants, adding users to and removing them from license groups.
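The compile-then-fulfill cycle of the two jobs above, as an added example that is not EmpowerID's own code. The pool definition, the ("role", ...) and ("account", ...) target shapes, the PEOPLE directory and apply_entries (a stand-in for what the change inbox processor does through the SCIM app service) are all assumptions made for illustration. What it demonstrates is the provenance rule in the compiler description: only accounts the bundle itself placed in the license group are ever queued for removal, an account that is in the group for some other reason (u5 here, excluded from the pool but present in the group anyway) is reported for review rather than silently removed, and a second compile after fulfillment queues nothing.

```python
"""License pool compilation: desired membership versus current group membership.

Added example, not EmpowerID's own code. Pool, target and directory shapes,
and apply_entries as a stand-in for the change inbox processor, are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum


class Op(Enum):
    ADD = "add"
    REMOVE = "remove"


@dataclass(frozen=True)
class QueueEntry:
    """One row for the license fulfillment queue (license inbox)."""
    op: Op
    account_id: str
    license_group_id: str


# Constructed sample directory (hypothetical shape): account id -> attributes.
PEOPLE = {
    "u1": {"role": "Sales"},
    "u2": {"role": "Sales"},
    "u3": {"role": "Engineering"},
    "u4": {"role": "Contractor"},
    "u5": {"role": "Sales"},
}

# Constructed license pool: everyone in Sales plus one named engineer, minus u5.
POOL = {
    "license_group_id": "grp-m365-e3",
    "assignments": [("role", "Sales"), ("account", "u3")],
    "exclusions": [("account", "u5")],
}


def resolve(targets, people):
    """Expand ("account", id) / ("role", name) targets into a set of account ids."""
    resolved = set()
    for kind, value in targets:
        if kind == "account":
            if value in people:
                resolved.add(value)
        elif kind == "role":
            resolved.update(a for a, attrs in people.items() if attrs["role"] == value)
        else:
            raise ValueError(f"unknown target kind: {kind!r}")
    return resolved


def compile_license_pool(pool, current_members, bundle_managed, people=PEOPLE):
    """Return (queue_entries, unmanaged_conflicts).

    current_members: accounts in the license group right now (from inventory).
    bundle_managed:  the subset that this bundle placed there on an earlier run.
    Only bundle-managed members are ever removed; anyone else who is in the
    group but not desired is reported, not touched.
    """
    desired = resolve(pool["assignments"], people) - resolve(pool["exclusions"], people)
    current = set(current_members)
    managed = set(bundle_managed) & current
    gid = pool["license_group_id"]

    entries = [QueueEntry(Op.ADD, a, gid) for a in sorted(desired - current)]
    entries += [QueueEntry(Op.REMOVE, a, gid) for a in sorted(managed - desired)]
    conflicts = sorted((current - managed) - desired)  # in group, not ours, not desired
    return entries, conflicts


def apply_entries(entries, current_members, bundle_managed):
    """Simulate fulfillment of the queue so a second compile can be shown to converge."""
    current, managed = set(current_members), set(bundle_managed)
    for e in entries:
        if e.op is Op.ADD:
            current.add(e.account_id)
            managed.add(e.account_id)  # we put it there, so we may remove it later
        else:
            current.discard(e.account_id)
            managed.discard(e.account_id)
    return current, managed


if __name__ == "__main__":
    entries, conflicts = compile_license_pool(POOL, {"u1", "u4", "u5"}, {"u1", "u4"})
    for e in entries:
        print(e.op.value, e.account_id, "->", e.license_group_id)
    print("left for review:", conflicts)
```

With the group currently holding u1, u4 and u5, of which only u1 and u4 were placed there by the bundle, the compiler queues adds for u2 and u3 and a removal for u4, and lists u5 as a conflict for an administrator to resolve.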
Identity Warehouse
The EmpowerID Identity Warehouse consists of a large number of tables for storing and maintaining information about each connected resource system and the objects in those systems, including those within the EmpowerID system itself. These tables are differentiated by resource type and hold records for both inventoried and non-inventoried objects. For Azure AD, examples of the former include the Azure_AccountLicense, Azure_GroupLicense, and Azure_ManagedIdentity tables, while examples of the latter include the OrgRole, OrgZone, and Person tables (these hold objects that exist only in EmpowerID). When EmpowerID inventories an account store like Azure AD, it writes every resource object in that system, together with the object's important attributes, to the appropriate table in the Identity Warehouse, storing the attributes as column values. In this way, user accounts are added to the Account table, account stores to the AccountStore table, Office 365 subscriptions to the Office365Subscription table, accounts belonging to an Office 365 subscription to the Office365SubscriptionAccount table, and so on. Once a record has been added to the Identity Warehouse and EmpowerID has been configured to fully manage the connected system, the EmpowerID synchronization engine uses this table data to keep the attributes of the object in the Identity Warehouse in sync with the properties of that object in every connected resource system in which it lives.