Solved: Allocating licenses based on Azure AD groups - Qlik Community

tan123qlik · ‎2023-03-08

This question is for Qlik Sense SaaS.

Does anyone have a best practice for how to manage user license allocations based on Azure AD groups. We use Azure AD as IDP and have two groups in AD; one for analyzers and one for professional users. I want to automatically assign the corresponding license to the user. The best would be that the user and license are pre populated in Qlik Sense SaaS before the user logon.
We also want that if the user is removed from the AD group, the license should be removed from the user.

I guess that we need to automate this with a script, for example PowerShell and CLI ,or is it better to use Automations in Qlik Sense to do it?

Thanks in advance.

Qlik Cloud

DaveChannon · ‎2023-03-09

Hey @tan123qlik

I'll assume you're not using the very recently released SCIM capabilities for Azure AD for this first part. You can use application automation or CLI or raw REST API calls to achieve each step:

You can pre-create and pre-assign licenses up-front using the /users and /licenses APIs - although I don't actually recommend this approach as you don't necessarily want to assign licenses to users who may never use them, and without an automated way of removing users who never logged in later (although you can do this too via API)
Instead, you can create a webhook (either in the management console if you have your own script, or in an application automation start block) on the user.created event. The user is automatically created on their first login, and as Qlik Cloud becomes aware of their groups via the claims sent with their login request, you can hit the users endpoint to get the list of groups, check for a professional/ analyzer group, and then assign the relevant license. As this happens post user creation, it might mean a brief delay of a few seconds to a few minutes where they can't access apps the first time they hit the tenant (depends on how it's set up)
For removing/ amending license assignments, you probably want to drive this externally since you can then look up the current live group membership. This is because groups are only refreshed in Qlik Cloud when the user logs in - so if a user hasn't logged in since the change in group membership, we won't have any data to act on. That said - if this is a reasonable limitation, then you can periodically review user license assignments and groups either externally or in application automation

Now, if you were using Azure AD with SCIM, you could then pre-provision most of this, and have group changes sync'd to the tenant, which means you can do everything for the license assignment/ deallocation within Qlik Cloud, as the data will always be (nearly) up to date.

View solution in original post

DaveChannon · ‎2023-03-09

Hey @tan123qlik

I'll assume you're not using the very recently released SCIM capabilities for Azure AD for this first part. You can use application automation or CLI or raw REST API calls to achieve each step:

You can pre-create and pre-assign licenses up-front using the /users and /licenses APIs - although I don't actually recommend this approach as you don't necessarily want to assign licenses to users who may never use them, and without an automated way of removing users who never logged in later (although you can do this too via API)
Instead, you can create a webhook (either in the management console if you have your own script, or in an application automation start block) on the user.created event. The user is automatically created on their first login, and as Qlik Cloud becomes aware of their groups via the claims sent with their login request, you can hit the users endpoint to get the list of groups, check for a professional/ analyzer group, and then assign the relevant license. As this happens post user creation, it might mean a brief delay of a few seconds to a few minutes where they can't access apps the first time they hit the tenant (depends on how it's set up)
For removing/ amending license assignments, you probably want to drive this externally since you can then look up the current live group membership. This is because groups are only refreshed in Qlik Cloud when the user logs in - so if a user hasn't logged in since the change in group membership, we won't have any data to act on. That said - if this is a reasonable limitation, then you can periodically review user license assignments and groups either externally or in application automation

Now, if you were using Azure AD with SCIM, you could then pre-provision most of this, and have group changes sync'd to the tenant, which means you can do everything for the license assignment/ deallocation within Qlik Cloud, as the data will always be (nearly) up to date.

tan123qlik · ‎2023-03-10

Thank you for your detailed answer.

I was not aware of the SCIM possibility when I wrote the question. Now when I have red about it, I can see that this could be used for populating users and groups. However, I don't understand if this could be used for allocating/deallocating licenses?

DaveChannon · ‎2023-03-10

Hey @tan123qlik, not for the licenses. You'll still need to use application automation or an outside script to manage that piece.

Quite often it's acceptable to enable auto assignment of analyzer licenses so that users have immediate access to content on login, then upgrade them to professional if they have a specific group. You then use the IdP to restrict who has access to the app (something you should be able to do under enterprise applications in azure AD).

steeefan · ‎2024-01-05

Excellent - thanks a lot! I was looking for the exact same thing.

"Instead, you can create a webhook..." works for me and is also my first automation.

simonheap_cph · ‎2024-04-09

In response to @DaveChannon and @steeefan

I have been working with the exact same issue. I get the automation up and running (that creates a webhook), I get the filtering on the group done when I want to decide on the license type, but I can't seem to get the api working... I have tried with both the Call URL-block and the Raw API Request-block using the api https://{mytenant}/api/v1/licenses/assignments/actions/add/ with an add-payload, but I can't get it to work.

Do you have some examples of what it takes to make this work? Thank you!

BR, Simon

steeefan · ‎2024-04-09

To add the license I'm using "Raw API Request" with these parameters

Path: licenses/assignments/actions/add
HTTP Method: POST
Body: {"add":[{"type":"V License Type","subject":"Get User > Subject"}]}

V License Type is a variable that is set earlier in the automation flow, Get User > Subject is data fed from the user object in scope.

simonheap_cph · ‎2024-04-10

Ah, @steeefan , so nice! I knew I was missing something stupid - I had the path too long (including) api/v1/... Working with the value for type in the body, for other users I can add that the value (e.g., "analyzer") is case sensitive. Thanks a bunch! /Simon

Laurent_Cornilleau · ‎2024-04-11

You can also use the blocks from Qlik Platform Operations instead of those from Qlik Cloud Services.

You have an "Allocate License To User" block.

Here's a basic example.

(don't forget to create a tenant OAuth client first and configure the connection)

DaveChannon · ‎2024-04-11

And we just added a new "Allocate Or Update User License" block to QPO to make it easier to handle for when users might already have an assignment: https://qlik.dev/changelog/90-platform-ops-connector/