IBM Security Verify

  • 1.  ISIM - Azure DevOps identity management

    Posted Mon August 31, 2020 11:52 AM
    Hi,
    We use ISIM to govern accounts and accesses in different target systems.
    We have developers starting to use Azure DevOps and we need to have control of the identities and accesses.
    After some investigation it doesn't seem that Azure DevOps is integrated with Azure AD, except for reading Azure AD upon creation of the account in Azure DevOps.
    Azure DevOps creates its own user account based on what it reads from Azure AD.
    Based on this, we cannot govern the accounts and accesses through Azure AD.
    I.e., when an account is deleted in Azure AD, it doesn't get deleted in Azure DevOps.

    My thought is to develop an adapter against the Azure DevOps Graph API directly for this.
    I'm curious to know if any of you have run into the same problem and how you solved it.

    ------------------------------
    Michael Ohgami
    ------------------------------


  • 2.  RE: ISIM - Azure DevOps identity management

    Posted Tue September 01, 2020 01:44 AM
    I have not heard about anyone doing this - but I continue to be surprised by the rather strange way Azure is integrating in the Windows environment - it seems strangely disconnected in some places, and especially hybrid environments seem to lack critical parts to be able to be 100% automated - although probably a little off topic, see this blog post: https://jesperstahle.azurewebsites.net/?p=3512

    I suggest you raise an RFE - not because I believe it will be solved before you need it - therefore developing a custom adapter is probably the best option. If you go down that route, my advice is to start developing (scripted) SDI connectors to manage the graph API - if you do this right the adapter development is much easier.

    I hope you will let the community know how this is proceeding :-)

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------
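
An added sketch of the reconciliation step a custom adapter like the one discussed above would need, not code from the posters or from IBM: it matches Azure DevOps Graph users to Azure AD users by `originId` and reports accounts whose directory identity is gone or disabled. The sample records, the `reconcile` name and the reason labels are constructed for illustration, and fetching the two user lists over HTTP is left out so the block runs offline.

```javascript
// Constructed sample data; every value is made up. Field names follow the
// Azure DevOps Graph user object (origin, originId, principalName, descriptor)
// and the Microsoft Graph user object (id, userPrincipalName, accountEnabled).
const devopsUsers = [
  { principalName: "alice@example.com", origin: "aad", originId: "00000000-0000-4000-8000-00000000000a", descriptor: "aad.SAMPLE-A" },
  { principalName: "bob@example.com",   origin: "aad", originId: "00000000-0000-4000-8000-00000000000b", descriptor: "aad.SAMPLE-B" },
  { principalName: "carol@example.com", origin: "aad", originId: "00000000-0000-4000-8000-00000000000C", descriptor: "aad.SAMPLE-C" },
  { principalName: "dave@example.org",  origin: "msa", originId: "0003SAMPLE", descriptor: "msa.SAMPLE-D" },
];
const aadUsers = [
  { id: "00000000-0000-4000-8000-00000000000a", userPrincipalName: "alice@example.com", accountEnabled: true },
  // bob's original object was deleted; the same UPN was later reissued with a new id.
  { id: "00000000-0000-4000-8000-0000000000ff", userPrincipalName: "bob@example.com", accountEnabled: true },
  { id: "00000000-0000-4000-8000-00000000000c", userPrincipalName: "carol@example.com", accountEnabled: false },
];

// Returns one finding per Azure DevOps account that no longer maps to a live
// Azure AD identity. Matching is on the immutable object id (originId), not on
// principalName, so a reissued UPN does not hide an orphaned account.
function reconcile(devopsUsers, aadUsers) {
  const aadById = new Map(aadUsers.map((u) => [u.id.toLowerCase(), u]));
  const findings = [];
  for (const u of devopsUsers) {
    const base = { principalName: u.principalName, descriptor: u.descriptor };
    if (u.origin !== "aad") {
      // Not backed by Azure AD at all (for example a Microsoft account).
      findings.push({ ...base, reason: "unmanaged-origin" });
      continue;
    }
    const source = aadById.get(String(u.originId || "").toLowerCase());
    if (!source) {
      findings.push({ ...base, reason: "orphan" });
    } else if (source.accountEnabled === false) {
      findings.push({ ...base, reason: "disabled-in-directory" });
    }
  }
  return findings;
}

for (const f of reconcile(devopsUsers, aadUsers)) {
  console.log(`${f.reason.padEnd(22)} ${f.principalName} (${f.descriptor})`);
}
```

The `descriptor` in each finding is the handle a delete or entitlement-removal call against Azure DevOps would use, so the output can feed the adapter's deprovisioning operation.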



  • 3.  RE: ISIM - Azure DevOps identity management

    Posted Tue September 01, 2020 02:17 AM

    Hi Franz,

    Yes, I'm also surprised at how things work in Azure when I look at how to solve different IAM issues.

    I guess using Azure would be perfect if it was all an enterprise was using. But that is never the case.

    Thanks for the advice.

    I'll keep you all posted.

    /michael