@Michael Liben, there are several options for CI/CD deployment, but since this is relatively new there isn't a lot of documentation for it.
While not recommended for production, you can check out the Graph API beta endpoints.
If you'd like to use the MS Graph API, albeit with its limited options, you could use PowerShell or custom scripts with HTTP requests to interact with it. For example:
# Install the Microsoft Graph PowerShell module (includes Microsoft.Graph.Identity.Governance)
Install-Module Microsoft.Graph -Scope CurrentUser
# Connect to Microsoft Graph with the Lifecycle Workflows permission
Connect-MgGraph -Scopes "LifecycleWorkflows.ReadWrite.All"
# Retrieve existing Lifecycle Workflows
$workflows = Get-MgIdentityGovernanceLifecycleWorkflow
# Create or update workflows as needed. The create request also requires
# category (joiner/mover/leaver), executionConditions and at least one task;
# fill those in for your tenant.
$newWorkflow = @{
    displayName         = "New Lifecycle Workflow"
    description         = "Automated deployment via CI/CD"
    isEnabled           = $true
    isSchedulingEnabled = $true
}
New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter $newWorkflow
Infrastructure as Code (IaC) with ARM templates is another option. You can define custom resources or use existing templates that manage related configurations, and then incorporate ARM template deployments into your CI/CD pipeline using Azure DevOps or GitHub Actions.
Here's an example of an ARM template:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "roleName": { "type": "string" },
    "principalId": { "type": "string" },
    "roleDefinitionId": { "type": "string" },
    "scope": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[guid(parameters('roleName'), parameters('principalId'))]",
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
        "principalId": "[parameters('principalId')]",
        "scope": "[parameters('scope')]"
      }
    }
  ]
}
You can use Azure AD PowerShell modules to script the deployment and maintenance of Lifecycle Workflows as well. Use AzureAD and MSGraph modules to interact with Entra Governance configurations:
# Connect to Microsoft Graph (the Microsoft.Graph.Identity.Governance module exposes the Lifecycle Workflow cmdlets)
Connect-MgGraph -Scopes "LifecycleWorkflows.ReadWrite.All"
# Define workflow parameters
$workflowName = "Onboarding Workflow"
$description  = "Handles user onboarding processes"
$enabled      = $true
# Look up the workflow by display name, then create or update it
$workflow = Get-MgIdentityGovernanceLifecycleWorkflow -Filter "displayName eq '$workflowName'"
if ($null -eq $workflow) {
    # A new workflow also needs category, executionConditions and tasks
    New-MgIdentityGovernanceLifecycleWorkflow -DisplayName $workflowName -Description $description -IsEnabled $enabled
} else {
    Update-MgIdentityGovernanceLifecycleWorkflow -WorkflowId $workflow.Id -Description $description -IsEnabled $enabled
}
Azure DevOps Pipelines or GitHub Actions are another popular approach.
You can define pipeline stages that include steps for deploying Entra Governance configurations. Here's a GitHub Actions Workflow example:
name: Deploy Entra Governance Lifecycle Workflow
on:
  push:
    branches:
      - main
jobs:
  deploy:
    runs-on: ubuntu-latest   # pwsh is preinstalled on the hosted Ubuntu runners
    steps:
      - name: Checkout Code
        uses: actions/checkout@v2
      - name: Deploy Workflow
        shell: pwsh
        env:
          # Pass secrets through the environment rather than interpolating them into the script body
          CLIENT_ID: ${{ secrets.CLIENT_ID }}
          TENANT_ID: ${{ secrets.TENANT_ID }}
          CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
        run: |
          Install-Module Microsoft.Graph -Scope CurrentUser -Force
          # Connect-MgGraph takes the app secret as a PSCredential (client ID as the user name)
          $secret = ConvertTo-SecureString $env:CLIENT_SECRET -AsPlainText -Force
          $cred = [System.Management.Automation.PSCredential]::new($env:CLIENT_ID, $secret)
          Connect-MgGraph -TenantId $env:TENANT_ID -ClientSecretCredential $cred
          $newWorkflow = @{
              displayName         = "Automated Lifecycle Workflow"
              description         = "Deployed via GitHub Actions"
              isEnabled           = $true
              isSchedulingEnabled = $true
              # category, executionConditions and tasks are also required by the create API
          }
          New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter $newWorkflow
You can also use Azure Automation with Runbooks to execute deployment scripts. This can be triggered as part of your CI/CD pipeline or scheduled independently.
You would develop PowerShell or Python runbooks that handle the deployment tasks, and then trigger runbooks from CI/CD pipelines using webhooks or Azure DevOps tasks.
In cases where direct automation is limited, manually export configurations from one environment and import them into another as part of your deployment process. This can be partially automated with scripts that handle JSON or other configuration files:
# Export Workflow from Source (raw JSON from Graph, so property names match what the create API expects)
$sourceId = "source-workflow-id"
$sourceWorkflow = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows/workflows/$sourceId"
# Strip server-set, read-only properties that the create request would reject
foreach ($key in @("id", "createdDateTime", "lastModifiedDateTime", "deletedDateTime", "version", "@odata.context")) {
    $sourceWorkflow.Remove($key)
}
$sourceWorkflow | ConvertTo-Json -Depth 10 | Set-Content -Path "./workflow-config.json"
# Import Workflow to Target (connect to the target tenant first)
$importedConfig = Get-Content -Path "./workflow-config.json" -Raw | ConvertFrom-Json -AsHashtable
New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter $importedConfig
These are all pretty high-level overviews of what you can do, but you have several options thankfully. Let me know if you have any questions on specifics. If there's anything that I didn't cover that you'd like to explore, I can reach out to the product group for more solutions.
Please let me know if you have any questions and I can help you further.
If this answer helps you, please mark "Accept Answer" so other users can reference it.
Thank you,
James
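Added example (not part of James's answer, and not Microsoft's code): the export, sanitise and import loop from the answer, written as an idempotent deploy step of the kind you would put in a Python runbook or pipeline job. It works on the Graph workflow resource shape (displayName, category, isEnabled, executionConditions, tasks) and strips the server-set properties a GET returns that a POST would reject. Assumptions: `FakeGraphClient` is an in-memory stand-in for the `/identityGovernance/lifecycleWorkflows/workflows` endpoint so the logic runs offline; the split between properties you can PATCH in place and changes that need a new workflow version (tasks, executionConditions) follows my reading of the Graph docs and should be checked against the current reference; the `taskDefinitionId` in the sample is a placeholder, not a real built-in task ID.

```python
import copy
import json
import uuid

# Server-set properties Graph returns on GET but rejects in a POST/PATCH body.
READ_ONLY = {"id", "createdDateTime", "lastModifiedDateTime", "deletedDateTime",
             "version", "@odata.context", "@odata.etag"}
# Properties the workflow create endpoint requires.
REQUIRED = {"category", "displayName", "executionConditions", "tasks"}
# Properties that can be changed in place with PATCH; tasks and executionConditions
# need a new workflow version instead (assumption based on the Graph docs).
PATCHABLE = {"displayName", "description", "isEnabled", "isSchedulingEnabled"}

# Constructed sample export, shaped like GET .../lifecycleWorkflows/workflows/{id}.
# The taskDefinitionId is a placeholder, not a real built-in task id.
SAMPLE_EXPORT = json.loads("""{
  "id": "11111111-1111-1111-1111-111111111111",
  "createdDateTime": "2024-01-01T00:00:00Z",
  "lastModifiedDateTime": "2024-01-02T00:00:00Z",
  "version": 1,
  "category": "joiner",
  "displayName": "Onboarding Workflow",
  "description": "Handles user onboarding processes",
  "isEnabled": true,
  "isSchedulingEnabled": false,
  "executionConditions": {
    "@odata.type": "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions",
    "scope": {"@odata.type": "#microsoft.graph.identityGovernance.ruleBasedSubjectSet",
              "rule": "department eq 'Engineering'"},
    "trigger": {"@odata.type": "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger",
                "timeBasedAttribute": "employeeHireDate", "offsetInDays": 0}
  },
  "tasks": [{"displayName": "Send welcome email", "isEnabled": true,
             "taskDefinitionId": "PLACEHOLDER-TASK-DEFINITION-ID", "arguments": []}]
}""")


def sanitize(exported):
    """Drop read-only properties so an exported workflow can be posted to another tenant."""
    return {k: copy.deepcopy(v) for k, v in exported.items() if k not in READ_ONLY}


def validate(desired):
    """Return a list of problems that would make the create request fail (empty = ok)."""
    errors = [f"missing required property: {m}" for m in sorted(REQUIRED - desired.keys())]
    if desired.get("category") not in ("joiner", "mover", "leaver"):
        errors.append("category must be joiner, mover or leaver")
    if not desired.get("tasks"):
        errors.append("at least one task is required")
    return errors


class FakeGraphClient:
    """In-memory stand-in for the workflows endpoint (constructed for this example)."""

    def __init__(self, existing=()):
        self.store = {w["id"]: copy.deepcopy(w) for w in existing}

    def list_workflows(self):
        return [copy.deepcopy(w) for w in self.store.values()]

    def create(self, body):                      # POST .../workflows
        new_id = str(uuid.uuid4())
        self.store[new_id] = {"id": new_id, "version": 1, **copy.deepcopy(body)}
        return self.store[new_id]

    def patch(self, wid, body):                  # PATCH .../workflows/{id}
        self.store[wid].update(copy.deepcopy(body))

    def create_new_version(self, wid, body):     # POST .../workflows/{id}/createNewVersion
        self.store[wid].update(copy.deepcopy(body))
        self.store[wid]["version"] += 1


def plan(desired, existing):
    """Decide what to do, matching on displayName (assumes names are unique per tenant)."""
    current = {w["displayName"]: w for w in existing}.get(desired["displayName"])
    if current is None:
        return "create", None, desired
    diff = {k: v for k, v in desired.items() if current.get(k) != v}
    if not diff:
        return "noop", current["id"], {}
    if diff.keys() <= PATCHABLE:
        return "patch", current["id"], diff      # send only the changed fields
    return "new_version", current["id"], desired  # task/condition changes need a new version


def deploy(client, desired):
    """Validate, then apply the minimal change; returns (action, workflow id)."""
    errors = validate(desired)
    if errors:
        raise ValueError("; ".join(errors))
    action, wid, body = plan(desired, client.list_workflows())
    if action == "create":
        wid = client.create(body)["id"]
    elif action == "patch":
        client.patch(wid, body)
    elif action == "new_version":
        client.create_new_version(wid, body)
    return action, wid


if __name__ == "__main__":
    client = FakeGraphClient()
    desired = sanitize(SAMPLE_EXPORT)
    print(deploy(client, desired))   # create on first run
    print(deploy(client, desired))   # noop on the second run
```

Running the deploy twice with the same config is a no-op, which is the property you want in a pipeline that re-runs on every push; a description change becomes a PATCH, while an edited task forces a new version so the old one stays auditable.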