Azure Tables Configuration
This section covers the configuration and data import for Azure Tables, which store the configuration and operational data for the MS Entra Provisioning Accelerator.
Overview
For each Azure Table, use the provided template CSV files and import them into your environment. Some tables require manual configuration after import, while others are read-only and automatically populated during operation.
ROIAMAppSync
This table stores configuration for each application being synchronized between ROI iAM and Microsoft Entra.
Import and Configure
- Import the ROIAMAppSync template CSV file.
- Manually fill in the columns for applications you want to onboard in Entra.
Column Definitions
| Column | Description | How to Obtain |
|---|---|---|
| PartitionKey | default | Fixed value |
| RowKey | Enterprise Application Name (from Entra setup) | Each row references exactly one Entra App |
| EntraAppName | Application name | Same as RowKey |
| EnterpriseAppObjectID | Object ID of the Enterprise Application | Enterprise applications → your app → Overview → Object ID |
| EntraAppID | Application (client) ID | App registrations → your app → Overview → Application (client) ID |
| CatalogID | Catalog Object ID | Entra Admin Center → Identity Governance → Access reviews → Catalogs → your catalog → Overview → Object Id |
| GroupName | Security group name | Should match the Enterprise Application Name |
| GroupID | Security group Object ID | Entra Admin Center → Identity → Groups → your security group → Overview → Object ID |
| ROIAMAppName | Name of the application in ROI iAM | From ROI iAM configuration |
| ROIAM_Hub | Name of the hub | Created in table ROIAMHub |
| TenantID | Entra tenant ID | Entra Admin Center → Identity → Overview → Tenant ID |
| Active [Boolean] | true or false | Determines whether ROI_Scheduler will run for this application |
| Schedule | Numeric value | Schedule for data refresh (e.g., 60) |
| Unit | Minute, Day, or Month | Unit for the schedule value |
| LastRun | Timestamp or empty | Empty for initial load; otherwise stores timestamp for next run calculation |
| CatalogAppResourceID | Resource ID from Graph API | See instructions below |
| CustomExtensionID | Extension ID from Graph API | See instructions below |
Getting CatalogAppResourceID
Use Graph Explorer or Postman to send this GET request:
```
GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageCatalogs/{YourCatalogID}/accessPackageResources
```
Replace {YourCatalogID} with the CatalogID from your table.
Getting CustomExtensionID
Use Graph Explorer or Postman to send this GET request:
```
GET https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs/{YourCatalogID}/customWorkflowExtensions/
```
Replace {YourCatalogID} with the CatalogID from your table.
ROIAMHub
This table stores configuration for the connection to ROI iAM.
Import and Configure
- Import the ROIAMHub template CSV file.
- Manually fill in the attributes.
Column Definitions
| Column | Description | Value |
|---|---|---|
| PartitionKey | default | Fixed value |
| RowKey | Name of the ROIAM Hub | Connected to MS Entra |
| API_URL | API Management URL | URL of your ROIAM instance |
| AzureVaultApiKey | Key Vault secret name | ROIAM API key saved in Azure Key Vault (e.g., ROIAMPRODAPIKEY) |
| AzureVaultApiSecret | Key Vault secret name | ROIAM secret saved in Azure Key Vault (e.g., ROIAMPRODSECRET) |
| AzureVaultName | Key Vault name | Globally unique Azure Key Vault name created earlier |
| Name | Hub name | Used as reference in other tables |
| apiPagingSize | 300 | Number of records per page |
| srcROIAMEntraName | Source system name | Name of MS Entra tenant as created in ROI iAM under source systems |
| apiPagingStartIndex | 1 | Starting index for pagination |
ROIAMPermissions (Read-Only)
Auto-Populated
This table automatically populates during the ROI_Scheduler run.
Setup
- Import the ROIAMPermissions template CSV file
- The table should be initially empty
- It will be automatically populated during the run of the Scheduler app
ROIAMEventLog (Read-Only)
Auto-Populated
This table automatically populates during user and access provisioning.
Setup
- Import the ROIAMEventLog template CSV file
- The table should be initially empty
- It will be automatically populated as part of the user and access provisioning process
ROIAMIdentity (Read-Only)
Auto-Populated
This table automatically populates during user and access provisioning.
Setup
- Import the ROIAMIdentity template CSV file (note the spelling)
- The table should be initially empty
- It will be automatically populated as part of the user and access provisioning process
ROIAMLifecycle
This table defines run intervals for time-based operations related to changes in Entra (e.g., dynamic groups, user attribute modifications).
Import and Configure
- Import the ROIAMLifecycle template CSV file.
- Configure the rows.
Column Definitions
| Column | Description | Values |
|---|---|---|
| PartitionKey | default | Fixed value |
| RowKey | Operation name | ROI_Calculate_DynamicGroup_Provisioning or ROI_Calculate_Modify_User |
| LastRun | Timestamp or empty | Empty for initial load; otherwise timestamp for next run calculation |
| Schedule | Numeric value | Schedule for data refresh |
| Unit | Minute, Day, or Month | Unit for the schedule value |
| Active | true or false | Whether the operation is active |
ROIAMSchema
This table defines event schemas used for events sent to ROI iAM.
Import and Configure
- Import the ROIAMSchema template CSV file.
- The values come pre-defined for a generic ROIAM Hub.
- Rename values to match the entry in the ROIAMHub table.
- Customize with custom event schemas if needed.
Column Definitions
| Column | Description | Values |
|---|---|---|
| PartitionKey | Application or Hub name | Same as ROIAMAppName or ROIAMHub |
| RowKey | Event name or constant | Same as EventName or constant (e.g., Enrich) |
| ROIAMAppName | Application or Hub name | Name of the onboarded application in ROI iAM or ROIAM Hub name |
| EventName | Event type name | Event type sent to ROI iAM or constant for enrich data schema |
| DataSchema | JSON schema | Schema used in the event to ROI iAM |
Default Event Types
The following are default values for RowKey/EventName:
- roiam.Create.IDENTITY - User creation events
- roiam.GrantAccess.IDENTITY - Access grant events
- roiam.RevokeAccess.IDENTITY - Access revocation events
Verification Checklist
After completing the table configuration, verify:
- [ ] All required tables are created in Azure Storage.
- [ ] ROIAMAppSync is configured with at least one application.
- [ ] ROIAMHub is configured with connection details.
- [ ] ROIAMLifecycle has appropriate schedules configured.
- [ ] ROIAMSchema contains the necessary event definitions.
- [ ] Read-only tables (ROIAMPermissions, ROIAMEventLog, ROIAMIdentity) are imported but empty.
Next Steps
Your MS Entra Provisioning Accelerator is now ready for operation.
Final Steps
- Test the Connection: Run the ROI_Scheduler Logic App manually to verify connectivity.
- Monitor Initial Sync: Check the ROIAMEventLog table for successful sync events.
- Verify Data: Ensure applications, roles, and users synchronize correctly.
- Review Logs: Check Azure Function and Logic App logs for any errors.
Troubleshooting
If you encounter issues:
- Verify all Object IDs and GUIDs are correct in ROIAMAppSync.
- Check that all Logic Apps have proper permissions assigned.
- Ensure API connections are properly configured.
- Verify Key Vault secrets are accessible.
- Review Azure Function and Logic App execution history.
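A pre-import check for the ROIAMAppSync and ROIAMHub rows, covering the GUID, hub-reference and Key Vault items above. This is an added example, not part of the Accelerator: it assumes the CSV headers match the column names on this page and that rows are loaded as dicts (for example with `csv.DictReader`); the sample rows are constructed.

```python
import re

# GUID-valued ROIAMAppSync columns, per the column definitions on this page.
GUID_COLS = ("EnterpriseAppObjectID", "EntraAppID", "CatalogID", "GroupID", "TenantID")
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
UNITS = {"Minute", "Day", "Month"}
# Key Vault secret names are 1-127 characters: letters, digits and dashes.
SECRET_NAME = re.compile(r"[0-9A-Za-z-]{1,127}")

def check_appsync(rows, hub_names):
    """Return (RowKey, problem) pairs for ROIAMAppSync rows."""
    out = []
    for r in rows:
        key = r.get("RowKey") or ""
        out += [(key, f"{c} is not a GUID") for c in GUID_COLS
                if not GUID.fullmatch(r.get(c) or "")]
        if r.get("PartitionKey") != "default":
            out.append((key, "PartitionKey is not 'default'"))
        if r.get("EntraAppName") != key or r.get("GroupName") != key:
            out.append((key, "EntraAppName/GroupName differ from RowKey"))
        if r.get("ROIAM_Hub") not in hub_names:
            out.append((key, "ROIAM_Hub has no ROIAMHub row"))
        if (r.get("Active") or "").lower() not in ("true", "false"):
            out.append((key, "Active is not true/false"))
        if not (r.get("Schedule") or "").isdigit() or r.get("Unit") not in UNITS:
            out.append((key, "Schedule/Unit invalid"))
    return out

def check_hub(rows):
    """Flag vault columns that cannot be secret names (e.g. a pasted secret value)."""
    out = []
    for r in rows:
        for c in ("AzureVaultApiKey", "AzureVaultApiSecret"):
            if not SECRET_NAME.fullmatch(r.get(c) or ""):
                out.append((r.get("RowKey") or "", f"{c} is not a Key Vault secret name"))
    return out

# Constructed sample rows (not real tenant data).
G = "00000000-0000-0000-0000-" + "0" * 11
GOOD = {"PartitionKey": "default", "RowKey": "HR-Portal", "EntraAppName": "HR-Portal",
        "GroupName": "HR-Portal", "ROIAM_Hub": "ProdHub", "Active": "true",
        "Schedule": "60", "Unit": "Minute", **{c: G + str(i) for i, c in enumerate(GUID_COLS)}}
BAD = {**GOOD, "RowKey": "CRM", "GroupID": "{" + G + "1}", "Unit": "Hour"}
HUBS = [{"RowKey": "ProdHub", "Name": "ProdHub", "AzureVaultApiKey": "ROIAMPRODAPIKEY",
         "AzureVaultApiSecret": "s3cr3t/value+pasted=="}]

if __name__ == "__main__":
    for finding in check_appsync([GOOD, BAD], {h["Name"] for h in HUBS}) + check_hub(HUBS):
        print(finding)
```

A finding on AzureVaultApiKey or AzureVaultApiSecret usually means a secret value was entered where the table expects the name of the Key Vault secret.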