Custom Extension Runner: Execute Entra ID Governance Custom Extensions On-Demand

For some time I have been thinking about building something that lets me or my colleagues run Custom extensions in Entra ID Governance manually, without navigating to the automation account that hosts the code the Custom extension executes, and without creating a Lifecycle workflow just to run that one task.

I found myself – like I think many others – bundling tasks into a Lifecycle workflow in Entra ID Governance. Say a “Mover” Lifecycle workflow that contains something like “Update user in AD,” “Update user’s AD groups,” “Update user’s distribution list,” “Set Exchange default company settings,” “Add/remove user from shared mailboxes,” etc.

But then I found that if a colleague (or I) needed to run only one of these tasks, we would have to navigate to where the Custom extension code lives and trigger it from there. For me that was no problem, since I built most of it and know my way around my IAM setup.

I wanted to create an easy way for me to just run one of these tasks instead of running the whole Lifecycle workflow where the task is added.

The PowerShell Script Solution

I started this project by creating a PowerShell script that lets you select a user, then lists every Custom extension it can find across your Azure subscriptions by looking for Logic Apps tagged Purpose: Azure AD Lifecycle Workflows or Purpose: Azure AD Entitlement Management, and finally lets you pick the Custom extensions you want to run.

The following permissions are required for the PowerShell script:

  • Microsoft Graph: User.Read.All (to look up the target user)
  • Azure RBAC: Logic App Operator on the subscription or resource group where the Custom extension Logic Apps live (to trigger them)

Here is the PowerShell script: Custom-Extension-Runner/PowerShell/Custom-Extension-Runner.ps1 at main · ChrFrohn/Custom-Extension-Runner

Please note that if your Azure Logic App includes the callback HTTP action (the one that reports status back to Lifecycle Workflows), that step will show as failed when the Logic App is triggered outside a Lifecycle workflow. There is no Lifecycle workflow run to report back to, so callbackUriPath in the payload is empty. This does not affect the actual work the Logic App does; only the callback step fails. If you would rather see a clean run, wrap the callback action in a condition that only executes it when callbackUriPath is not empty.

Moving to a Web Interface

It was always on my mind not to stop at a PowerShell script. I wanted a web interface so colleagues and others could run Custom extensions on demand. I decided to give it a try with GitHub Copilot, and here it is.

Introducing: Custom Extension Runner

The Entra ID Governance Custom Extension Runner is built on the same logic as the PowerShell script described above. The app is designed to run as an Azure App Service and authenticates with the App Service's managed identity, so no service principal secret or other credential is stored in the app.

The managed identity requires the following permissions:

Microsoft Graph application permissions:

  • LifecycleWorkflows.Read.All
  • EntitlementManagement.Read.All
  • User.Read.All

Azure RBAC:

  • Logic App Operator on the resource group(s) containing your Custom Extension Logic Apps

The Entra ID Governance Custom Extension Runner is simple to use: you select the Custom extension task you want to run, then select the user. Two things to be mindful of:

The app passes user information (object ID, userPrincipalName, displayName and mail) in a payload shaped like the Microsoft Lifecycle Workflows custom extension schema, so your Custom extension code receives the same data format it would get from a real Lifecycle Workflow run.

Currently only these user identity attributes can be passed. Other attributes such as hire date or phone number are not included in the payload, so a Custom extension that needs them has to look them up on its own side.
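To make the flow described in the PowerShell script section and the payload paragraph above concrete, here is an added PowerShell example. It is not the project's own code and not taken from the repository; it sketches the same three steps: find tagged Logic Apps across subscriptions, build a Lifecycle Workflows-shaped payload for one user, and fire the Logic App trigger with the management-plane action that the Logic App Operator role grants. Assumptions: the Az and Microsoft.Graph modules are installed and you are already signed in (Connect-AzAccount, Connect-MgGraph -Scopes User.Read.All); the Logic App's Request trigger is named "manual"; the ARM triggers/{name}/run action forwards the request body to that trigger; and the payload key names (type, source, data.subject.*, data.callbackUriPath) are my reading of the custom extension trigger schema and should be checked against your own Logic App's trigger definition. The user and tag values in the usage section are constructed.

```powershell
# Added example, not the project's code. See the lead-in for the assumptions made here.

function Find-CustomExtensionLogicApp {
    # Enumerate Logic Apps tagged for Lifecycle Workflows or Entitlement Management
    # in every subscription the signed-in account can see.
    $tagValues = @('Azure AD Lifecycle Workflows', 'Azure AD Entitlement Management')
    foreach ($sub in Get-AzSubscription) {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null
        foreach ($value in $tagValues) {
            Get-AzResource -ResourceType 'Microsoft.Logic/workflows' -TagName 'Purpose' -TagValue $value |
                ForEach-Object {
                    [pscustomobject]@{
                        Name           = $_.Name
                        ResourceGroup  = $_.ResourceGroupName
                        SubscriptionId = $sub.Id
                        Purpose        = $value
                    }
                }
        }
    }
}

function New-CustomExtensionPayload {
    param(
        [Parameter(Mandatory)] [string] $UserId   # object ID or userPrincipalName
    )
    $user = Get-MgUser -UserId $UserId -Property Id, UserPrincipalName, DisplayName, Mail

    # Shape the body like the one Lifecycle Workflows sends so the Logic App takes the same code path.
    # Key names are an assumption (see lead-in). callbackUriPath is deliberately empty: there is no
    # workflow run to report back to, which is exactly why a callback action fails when run this way.
    $payload = @{
        type   = 'lifecycleEvent'            # assumed value
        source = 'Custom-Extension-Runner'   # assumed value
        data   = @{
            subject = @{
                id                = $user.Id
                userPrincipalName = $user.UserPrincipalName
                displayName       = $user.DisplayName
                email             = $user.Mail
            }
            callbackUriPath = ''
        }
    }
    return ($payload | ConvertTo-Json -Depth 5)
}

function Invoke-CustomExtension {
    param(
        [Parameter(Mandatory)] $LogicApp,              # object from Find-CustomExtensionLogicApp
        [Parameter(Mandatory)] [string] $PayloadJson,
        [string] $TriggerName = 'manual'               # default name of a Request trigger
    )
    Set-AzContext -SubscriptionId $LogicApp.SubscriptionId | Out-Null

    # Run the trigger through the ARM management plane (Microsoft.Logic/workflows/triggers/run/action).
    # This is what Logic App Operator grants, so no shared-access-signature callback URL has to be
    # fetched, stored or handed to colleagues.
    $path = "/subscriptions/$($LogicApp.SubscriptionId)/resourceGroups/$($LogicApp.ResourceGroup)" +
            "/providers/Microsoft.Logic/workflows/$($LogicApp.Name)/triggers/$TriggerName/run?api-version=2016-06-01"
    $response = Invoke-AzRestMethod -Method POST -Path $path -Payload $PayloadJson
    if ($response.StatusCode -ge 300) {
        throw "Trigger run for $($LogicApp.Name) failed with HTTP $($response.StatusCode): $($response.Content)"
    }
    return $response
}

# Usage: pick the extensions interactively, then fire each one for a single (constructed) user.
$selected = Find-CustomExtensionLogicApp |
    Out-GridView -Title 'Select Custom Extensions to run' -OutputMode Multiple
$json = New-CustomExtensionPayload -UserId 'jane.doe@contoso.com'
foreach ($app in $selected) {
    Invoke-CustomExtension -LogicApp $app -PayloadJson $json | Out-Null
    Write-Host "Triggered $($app.Name) in $($app.ResourceGroup) ($($app.Purpose))"
}
```

Triggering through the ARM run action rather than the trigger's SAS URL keeps the permission story tight: whoever runs the script needs only the Logic App Operator role assignment and a Graph sign-in, and revoking either one revokes their ability to fire the extensions. Because the payload carries an empty callbackUriPath, expect the callback step in the Logic App to fail as the post notes; the guard of wrapping that action in a condition on callbackUriPath being non-empty belongs in the Logic App itself, not here.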

Wrapping up

I hope this tool can be useful for you and your colleagues when you need to run Custom Extensions on demand without having to navigate to your automation infrastructure or trigger entire Lifecycle Workflows. If you have any feedback or suggestions, feel free to reach out.

You can find the code and instructions to deploy the app here on my GitHub: ChrFrohn/Custom-Extension-Runner: Web application for running individual Custom Extensions in Entra ID Governance on-demand