License Fulfillment

License fulfillment is the process of taking the policies in EmpowerID that specify who should have which license bundles, making those changes in the Azure tenant, and adding the resultant Azure AD users to the license groups matched to those bundles. The image below shows the license fulfillment flow.

 

  1. Based on how the license bundle is configured, EmpowerID determines who should be in the bundle and compares that to everyone who already has the license granted by the bundle. This is processed by the License Pool Compiler job. This job looks at the resultant assignees for each license bundle as well as the inventory data to determine:

    • Which users in the license bundle already have the license via membership in the corresponding Azure license group. This information is contained in the GroupAccountLicensePoolServiceBundle table of the EmpowerID Identity Warehouse.

    • Which users in the license bundle do not yet have a license.

  2. The job then calculates the delta: which users need to be granted a license and which users need to have their licenses revoked (because they are no longer eligible for those licenses). These delta entries are added to the License Fulfillment Queue, which is stored in the AZLicensePoolServiceBundlePersonChangeInbox table of the Identity Warehouse.

  3. The License Fulfillment Queue is monitored and processed by the LicensePoolChangeInboxProcessor job. This job claims the records in the queue in batches for high-volume processing and makes a call to add users to, or remove users from, the appropriate Azure license groups.

  4. Certificate authentication verifies the identity of the caller.

  5. The App Service Managed Identity calls the Graph API endpoint to add and remove the users as directed.

  6. Users are added to and removed from the groups in Azure Active Directory.
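
The delta-and-queue logic of steps 1 to 3 and 6 can be modeled in a few lines. The following is an added illustration, not EmpowerID code: the names (Change, compile_delta, process_queue, fulfill), the bundle names and the users are hypothetical, the data is constructed, and in-memory sets stand in for the Identity Warehouse tables and the Azure license groups. The authentication in steps 4 and 5 is not modeled.

```python
from collections import deque
from typing import NamedTuple

class Change(NamedTuple):
    bundle: str
    user: str
    action: str  # "grant" or "revoke"

# Constructed sample data: policy result vs. current license-group membership.
SAMPLE_ASSIGNEES = {"E5": {"alice", "bob", "carol"}, "Visio": {"dave"}}
SAMPLE_MEMBERS = {"E5": {"bob", "erin"}, "Visio": {"dave", "frank"}}

def compile_delta(assignees, members):
    """Steps 1-2: compare who should hold each bundle with who already does."""
    changes = []
    for bundle in sorted(set(assignees) | set(members)):
        want = assignees.get(bundle, set())
        have = members.get(bundle, set())
        changes += [Change(bundle, u, "grant") for u in sorted(want - have)]
        changes += [Change(bundle, u, "revoke") for u in sorted(have - want)]
    return changes

def process_queue(queue, members, batch_size=2):
    """Steps 3 and 6: claim queued records in batches and apply them to the groups."""
    batches = 0
    while queue:
        batch = [queue.popleft() for _ in range(min(batch_size, len(queue)))]
        for change in batch:
            group = members.setdefault(change.bundle, set())
            if change.action == "grant":
                group.add(change.user)      # re-adding a member is a no-op
            else:
                group.discard(change.user)  # removing a non-member is a no-op
        batches += 1
    return batches

def fulfill(assignees, members, batch_size=2):
    """One full cycle; returns (queued changes, batches claimed)."""
    changes = compile_delta(assignees, members)
    batches = process_queue(deque(changes), members, batch_size)
    return changes, batches

if __name__ == "__main__":
    groups = {b: set(m) for b, m in SAMPLE_MEMBERS.items()}
    queued, n = fulfill(SAMPLE_ASSIGNEES, groups)
    print(queued, n, groups == SAMPLE_ASSIGNEES)
    print(compile_delta(SAMPLE_ASSIGNEES, groups))  # second pass finds nothing to do
```

Because every change is applied as an idempotent add or remove, a second compile pass over the updated groups produces an empty delta.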