Is it possible from inside IG to have a custom form that can be filled in and when sent creates guest users in AD?
Hi,
As Magnus has already written, it would be possible to provide such an interface via custom forms. To provide a custom form, however, you need a requestable application/authorization, just as Magnus wrote.
Custom workflows allow a certain flexibility here, but you also have to look at how you can call up the custom workflow cleanly. Within the workflows, you also have the option of making REST calls with various authentication options. I can't say right now whether you can "easily" address the Azure API with this.
In my experience, the IG is not able to record master data cleanly, or generally just provide a form for which a workflow is then stored. As far as I know, a form must always be linked to a permission or application.
BR
Tobias
Thank you both for your replies.
If the form needs to be linked to an application, how will IG handle the fact that I, as the requester, already made a request for this application? Will I be allowed to make another request for this application to be able to create another guest user?
Regards,
Andreas
I'm not sure if it associates the application to the identity through the request or when the collector links the account to the identity.
If it's through the collector then it may be OK, because you would not link the guest account to the requester's identity, so the requester should be able to request more than one guest account.
I don't know if it works this way but maybe Tobias or someone else does?
Anyways, it should be easy to set up and try.
In this scenario we have both the identity source and AD collector using the same AD... so if the guest account were to be created, wouldn't it be creating its own identity object in IG and link the newly created guest AD account to that identity?
It's actually both...
At the time of request, if you are using the fulfillment system, as the IG gods intended, it creates a fulfillment item, and then upon subsequent collection, it wants to validate that the fulfillment has been completed; otherwise it sits out there in a not complete state forever, until you mark it ignored.
Separately during collection when you collect an account, it is matched to an identity based on the collector config, and related. From that point on when you look at an identity record, you'll see the linked accounts.
So it gets you on both ends. If you really wanted to, you could just ignore the failed fulfillments regularly, and push forward with modified fulfillment requests. I'd suggest that's a bad practice though.