We want to run post-provisioning and deprovisioning activities in AD, triggered by Workday events, using PowerShell. We have set up the Azure Workday app to sync from Workday to AD and turned on provisioning logs for the Workday app. Key events such as create, termination and updates are recorded in the logs. What matters most is that when a Workday event happens (Joiner/Mover/Leaver), the EmployeeID from the event log is passed to the PowerShell script that performs the operations in AD and elsewhere.
Solution
- Create a resource group called MyWorkdayRG
- Create a log analytics workspace in MyWorkdayRG called MyWorkdayLogWorkspace
- Create an Automation account
- In the Automation account, create a PowerShell runbook for post-termination activities. The runbook takes WebhookData as its input parameter; it will contain the EmployeeID.
- Set up an on-premises AD account with the rights needed for the AD tasks.
- Set up an Azure Hybrid Worker. This lets runbooks defined in Azure run as scripts on-premises. Follow the steps here: https://practical365.com/how-to-manage-on-premises-infrastructure-using-azure-automation-hybrid-worker/
- Go to the AAD blade, Diagnostic settings, and send the provisioning logs to MyWorkdayLogWorkspace.
- Wait for new provisioning logs to arrive in the workspace.
- Go to Alerts and query MyWorkdayLogWorkspace for the Workday events you want, e.g. "Create" for a new employee or "Disable" for a termination. Parse sourceidentity and extract the id; that id is the EmployeeID. Project the id as the output. Write down the query.
- Create an app registration called MyWorkdayAppReg and generate a secret.
- Give the app registration the following roles: 1) Log reader on MyWorkdayLogWorkspace, 2) Automation Operator on the Automation account you created.
- Go to Logic Apps and create a new app called WorkdayTermPost
- Start with a common trigger: select Recurrence and specify the interval and frequency.
- Add a new step with an action that runs after the Recurrence trigger.
- Under Choose an action, type "azure monitor", select Azure Monitor Logs, then choose "Run query and list results".
- For the connection, use the app registration credentials.
- Paste the log query you wrote down into the Query window.
- Add an action -> Create job (Azure Automation) and select the Automation account created above. Enter:
  - Hybrid Worker group
  - Runbook name
  - Runbook parameter Webhookdata: select the sourceidentity id from the query results
- Save and run it.
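As an added example (not code from the original post), here is a minimal post-termination runbook of the kind described above: it accepts the WebhookData parameter, extracts the EmployeeID whether the Logic App passed it as a bare string or as a JSON body, validates it before it reaches an AD filter, and resolves the matching on-premises account by its employeeID attribute. The `id` property name, the employeeID attribute mapping and the Disable-ADAccount step are assumptions.

```powershell
# Added example runbook (not from the original post). Runs on the Hybrid Worker
# under the on-premises AD account; requires the ActiveDirectory module.
param(
    [Parameter(Mandatory = $true)]
    [object] $WebhookData
)

Import-Module ActiveDirectory -ErrorAction Stop

# The Logic App may pass the id as a plain string, or as an object/JSON body with a
# RequestBody property (the shape a real webhook invocation produces). Handle both.
function Get-EmployeeIdFromInput {
    param([object] $Data)
    if ($Data -is [string] -and $Data.TrimStart().StartsWith('{')) {
        $Data = $Data | ConvertFrom-Json
    }
    $raw = $Data
    if ($Data.PSObject.Properties['RequestBody']) {
        $raw = $Data.RequestBody
        if ($raw -is [string] -and $raw.TrimStart().StartsWith('{')) { $raw = $raw | ConvertFrom-Json }
    }
    # 'id' is assumed to be the column projected by the log query
    if ($raw.PSObject.Properties['id']) { $raw = $raw.id }
    $id = "$raw".Trim()
    # Defensive check: only digit-only ids are accepted, so the value can never
    # alter the AD filter below or act on an unintended account.
    if ($id -notmatch '^\d{1,20}$') { throw "Rejected input, not a valid EmployeeID: '$id'" }
    return $id
}

$employeeId = Get-EmployeeIdFromInput -Data $WebhookData
Write-Output "Processing post-termination tasks for EmployeeID $employeeId"

# Resolve the account by the employeeID attribute (assumes provisioning populates it)
$users = @(Get-ADUser -Filter "EmployeeID -eq '$employeeId'" -Properties EmployeeID, Enabled)
if ($users.Count -eq 0) { throw "No AD user found with EmployeeID $employeeId" }
if ($users.Count -gt 1) { throw "EmployeeID $employeeId is not unique in AD; refusing to act" }
$user = $users[0]

if ($user.Enabled) {
    Disable-ADAccount -Identity $user.DistinguishedName
    Write-Output "Disabled $($user.SamAccountName)"
} else {
    Write-Output "$($user.SamAccountName) was already disabled; nothing to do"
}
```

The runbook's Write-Output lines land in the Automation job output, which is the record to check when a termination appears to have been missed.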