
IdLE.Provider.EntraID MVP (delegated + app-only) #45

@blindzero

Description


Goal

  • Provide a production-usable Microsoft Entra ID provider so IdLE can run real Joiner/Mover/Leaver workflows out of the box.

Scope

  • Create new provider module: IdLE.Provider.EntraID
  • Use Microsoft Graph as the backend (the implementation may use the Graph PowerShell SDK or plain REST; the choice must be documented).
  • Authentication (MVP must support both):
    • Delegated (individual admin accounts for audit trail)
    • App-only (client credentials for headless automation)
  • Capabilities (MVP):
    • IdLE.Identity.Read
    • IdLE.Identity.List
    • IdLE.Identity.Create
    • IdLE.Identity.Delete
    • IdLE.Identity.EnsureAttribute
    • IdLE.Identity.Disable
    • IdLE.Identity.Enable
    • IdLE.Entitlement.List (Groups)
    • IdLE.Entitlement.Grant (Groups)
    • IdLE.Entitlement.Revoke (Groups)
  • Identity addressing:
    • Support lookup by UPN and objectId; document defaults and behavior.
  • Group entitlement model:
    • The entitlement kind identifies groups by objectId and/or displayName (document which one is the canonical identifier).
  • Paging and throttling:
    • List/Search operations must handle paging.
    • Provider must classify 429 and 5xx responses and timeouts as transient failures so that retry policies can act on them.
  • Idempotency guarantees (required for retries and re-runs):
    • Create: if user already exists (by UPN/objectId), treat as success with no-op semantics.
    • Delete: if user is already gone, treat as success.
    • Group Grant/Revoke: membership already in desired state must be a no-op success.
  • Provider must publish its capability list consistently (capabilities are announced, not assumed).
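An added example of the "Paging and throttling" requirements above (not IdLE project code): a classifier that treats only 429, 5xx and timeouts as transient, a retry wrapper built on it, and a collector that follows @odata.nextLink. It assumes PowerShell 7 (.NET 5+), where System.Net.Http.HttpRequestException exposes the HTTP status in its StatusCode property, and the function names prefixed "Idle" are assumptions of mine; the Graph backend is a constructed offline stub that throttles the first request.

```powershell
# Added example (not IdLE project code). Implements the "Paging and throttling" rules:
# classify 429/5xx/timeouts as transient, retry them, and follow @odata.nextLink.
# Assumes PowerShell 7 (.NET 5+), where System.Net.Http.HttpRequestException carries
# the HTTP status in its StatusCode property. Function names prefixed "Idle" are my own.

function Test-IdleTransientFailure {
    # Retry policies may retry only these: HTTP 429, any 5xx, or a client-side timeout.
    # 400/401/403/404 are terminal and must surface to the caller unchanged.
    param([Parameter(Mandatory)][System.Management.Automation.ErrorRecord]$ErrorRecord)
    $ex = $ErrorRecord.Exception
    if ($ex -is [System.TimeoutException] -or $ex -is [System.Threading.Tasks.TaskCanceledException]) {
        return $true   # HttpClient reports a timeout as TaskCanceledException
    }
    $status = 0
    if ($ex -is [System.Net.Http.HttpRequestException] -and $null -ne $ex.StatusCode) {
        $status = [int]$ex.StatusCode
    }
    return ($status -eq 429) -or ($status -ge 500 -and $status -le 599)
}

function Invoke-IdleGraphWithRetry {
    # Runs $Action and retries transient failures with exponential backoff.
    # Production code should additionally honour the Retry-After header Graph sends with 429.
    param(
        [Parameter(Mandatory)][scriptblock]$Action,
        [int]$MaxAttempts = 4,
        [int]$BaseDelaySeconds = 1
    )
    for ($attempt = 1; ; $attempt++) {
        try { return (& $Action) }
        catch {
            if ($attempt -ge $MaxAttempts -or -not (Test-IdleTransientFailure $_)) { throw }
            $delay = [int]($BaseDelaySeconds * [math]::Pow(2, $attempt - 1))
            Write-Verbose "Transient failure on attempt ${attempt}: $($_.Exception.Message); retrying in ${delay}s"
            Start-Sleep -Seconds $delay
        }
    }
}

function Get-IdleGraphPagedResult {
    # Collects every item of a Graph collection by following @odata.nextLink.
    # $GraphCall receives a URI and returns the hashtable Invoke-MgGraphRequest returns.
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][scriptblock]$GraphCall
    )
    $items = [System.Collections.Generic.List[object]]::new()
    $next = $Uri
    while ($next) {
        $page = & $GraphCall $next
        foreach ($item in $page['value']) { $items.Add($item) }
        $next = $page['@odata.nextLink']   # $null on the last page ends the loop
    }
    return ,$items
}

# --- offline demonstration against a constructed stub of the /users collection ----------
$firstPage = 'https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName&$top=2'
$secondPage = "$firstPage&`$skiptoken=PAGE2"
$script:pages = @{}
$script:pages[$firstPage] = @{
    value = @(
        @{ id = '00000000-0000-0000-0000-000000000001'; userPrincipalName = 'alice@contoso.example' },
        @{ id = '00000000-0000-0000-0000-000000000002'; userPrincipalName = 'bob@contoso.example' }
    )
    '@odata.nextLink' = $secondPage
}
$script:pages[$secondPage] = @{
    value = @(@{ id = '00000000-0000-0000-0000-000000000003'; userPrincipalName = 'carol@contoso.example' })
}
$script:calls = 0
$script:stub = {
    param([string]$Uri)
    $script:calls++
    if ($script:calls -eq 1) {   # the first request is throttled; the retry wrapper must absorb it
        throw [System.Net.Http.HttpRequestException]::new('Too Many Requests', $null, [System.Net.HttpStatusCode]::TooManyRequests)
    }
    return $script:pages[$Uri]
}
$graphGet = { param($u) Invoke-IdleGraphWithRetry -BaseDelaySeconds 0 -Action { & $script:stub $u } }
$users = Get-IdleGraphPagedResult -Uri $firstPage -GraphCall $graphGet
"Collected $($users.Count) users in $($script:calls) requests"
```

Against a real tenant the `$GraphCall` block would wrap `Invoke-MgGraphRequest -Method GET -Uri $u` instead of the stub; keeping the retry policy outside the paging loop means one throttled page does not restart the whole listing.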

Docs / Examples (part of DoD)

  • Document configuration and permissions for both auth modes:
    • Delegated: required admin roles/scopes, login flow
    • App-only: app registration, permissions, admin consent, secret/cert handling
  • Provide at least one example workflow per LifecycleEvent:
    • Joiner: Create + EnsureAttribute + Group grants
    • Mover: EnsureAttribute changes + Group delta
    • Leaver: Disable + Delete (Delete must require explicit opt-in)
  • Integrate with the single demo runner via -Provider EntraID.

Acceptance Criteria

  • Provider module loads and advertises capabilities.
  • MVP capabilities are implemented and covered by unit tests (mocked).
  • Idempotency rules above are enforced and test-covered.
  • Example workflows run via the demo runner using -Provider EntraID (documented commands).
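An added example of the idempotency rules (not IdLE project code) that the acceptance criteria require to be enforced and test-covered: group Grant/Revoke and user Delete return a no-op success when the tenant is already in the desired state, and the backend is a constructed in-memory Graph fake of the kind the mocked unit tests would use. The provider code only calls a scriptblock shaped like Invoke-MgGraphRequest (Method, Uri, Body); the fake mirrors Graph's real error responses (400 "already exist" for a duplicate $ref add, 404 when removing a non-member or a missing user). It assumes PowerShell 7 (.NET 5+), and the names prefixed "Idle" plus the sample identifiers u-1/g-1 are assumptions of mine.

```powershell
# Added example (not IdLE project code). Idempotent Grant/Revoke/Delete over a Graph caller
# shaped like Invoke-MgGraphRequest, plus a constructed in-memory fake standing in for the
# tenant. Assumes PowerShell 7 (.NET 5+). Names prefixed "Idle" are my own.

function Get-IdleHttpStatus {
    # HTTP status carried by an HttpRequestException, or 0 when the error is not HTTP-shaped.
    param([Parameter(Mandatory)][System.Management.Automation.ErrorRecord]$ErrorRecord)
    $ex = $ErrorRecord.Exception
    if ($ex -is [System.Net.Http.HttpRequestException] -and $null -ne $ex.StatusCode) { return [int]$ex.StatusCode }
    return 0
}

function New-IdleResult {
    param([string]$Action, [bool]$Changed, [string]$Reason)
    [pscustomobject]@{ Action = $Action; Changed = $Changed; Reason = $Reason }
}

function Grant-IdleGroupMembership {
    param([Parameter(Mandatory)][scriptblock]$Graph, [Parameter(Mandatory)][string]$GroupId, [Parameter(Mandatory)][string]$UserId)
    # Check first so a re-run issues no write and leaves no audit noise ...
    $existing = & $Graph 'GET' "/groups/$GroupId/members?`$filter=id eq '$UserId'" $null
    if (@($existing['value']).Count -gt 0) { return New-IdleResult 'Grant' $false 'already a member' }
    try {
        $null = & $Graph 'POST' "/groups/$GroupId/members/`$ref" @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$UserId" }
        return New-IdleResult 'Grant' $true 'added'
    } catch {
        # ... and tolerate losing a race with another writer between the check and the add.
        if ((Get-IdleHttpStatus $_) -eq 400 -and $_.Exception.Message -match 'already exist') {
            return New-IdleResult 'Grant' $false 'already a member (concurrent add)'
        }
        throw
    }
}

function Revoke-IdleGroupMembership {
    param([Parameter(Mandatory)][scriptblock]$Graph, [Parameter(Mandatory)][string]$GroupId, [Parameter(Mandatory)][string]$UserId)
    try {
        $null = & $Graph 'DELETE' "/groups/$GroupId/members/$UserId/`$ref" $null
        return New-IdleResult 'Revoke' $true 'removed'
    } catch {
        if ((Get-IdleHttpStatus $_) -eq 404) { return New-IdleResult 'Revoke' $false 'not a member' }
        throw
    }
}

function Remove-IdleUser {
    param([Parameter(Mandatory)][scriptblock]$Graph, [Parameter(Mandatory)][string]$UserId)
    try {
        $null = & $Graph 'DELETE' "/users/$UserId" $null
        return New-IdleResult 'Delete' $true 'deleted'
    } catch {
        if ((Get-IdleHttpStatus $_) -eq 404) { return New-IdleResult 'Delete' $false 'already gone' }
        throw
    }
}

function New-IdleFakeGraph {
    # Constructed tenant: one user and one empty group. Returns an Invoke-MgGraphRequest-shaped scriptblock.
    $state = @{
        users   = @{ 'u-1' = @{ id = 'u-1'; userPrincipalName = 'alice@contoso.example' } }
        members = @{ 'g-1' = [System.Collections.Generic.HashSet[string]]::new() }
    }
    $fail = { param([int]$Code, [string]$Message)
        throw [System.Net.Http.HttpRequestException]::new($Message, $null, [System.Net.HttpStatusCode]$Code) }
    return {
        param([string]$Method, [string]$Uri, $Body)
        switch -Regex ("$Method $Uri") {
            '^GET /groups/(?<g>[^/]+)/members\?\$filter=id eq ''(?<u>[^'']+)''$' {
                $hit = $state.members[$Matches.g].Contains($Matches.u)
                return @{ value = @(if ($hit) { @{ id = $Matches.u } }) }
            }
            '^POST /groups/(?<g>[^/]+)/members/\$ref$' {
                $uid = ($Body['@odata.id'] -split '/')[-1]
                if (-not $state.members[$Matches.g].Add($uid)) {
                    & $fail 400 "One or more added object references already exist for the following modified properties: 'members'."
                }
                return $null
            }
            '^DELETE /groups/(?<g>[^/]+)/members/(?<u>[^/]+)/\$ref$' {
                if (-not $state.members[$Matches.g].Remove($Matches.u)) { & $fail 404 "Resource '$($Matches.u)' does not exist." }
                return $null
            }
            '^DELETE /users/(?<u>[^/]+)$' {
                if (-not $state.users.ContainsKey($Matches.u)) { & $fail 404 "Resource '$($Matches.u)' does not exist." }
                $state.users.Remove($Matches.u)
                return $null
            }
            default { & $fail 400 "fake does not implement: $Method $Uri" }
        }
    }.GetNewClosure()
}

# Every operation twice: the first call changes state, the re-run must be a no-op success.
$graph = New-IdleFakeGraph
@(
    Grant-IdleGroupMembership  -Graph $graph -GroupId 'g-1' -UserId 'u-1'
    Grant-IdleGroupMembership  -Graph $graph -GroupId 'g-1' -UserId 'u-1'   # re-run
    Revoke-IdleGroupMembership -Graph $graph -GroupId 'g-1' -UserId 'u-1'
    Revoke-IdleGroupMembership -Graph $graph -GroupId 'g-1' -UserId 'u-1'   # re-run
    Remove-IdleUser            -Graph $graph -UserId 'u-1'
    Remove-IdleUser            -Graph $graph -UserId 'u-1'                  # re-run
) | Format-Table Action, Changed, Reason
```

The re-run rows report Changed = False, which is the observable contract a retry policy or a repeated workflow run depends on. A unit test for the provider swaps `New-IdleFakeGraph` for a Pester mock of the same shape and asserts the same rows; the check-then-write in Grant is what keeps re-runs out of the audit log, while the catch on 400 "already exist" covers the window between check and write.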
