Case 1: The Multi-Tenant API Orchestrator

The Challenge: One JSM, Many Entra Tenants

In a managed services environment, we need to handle requests for multiple clients from a single Jira instance. Our solution uses Jira’s automation engine to dynamically route requests based on the reporter’s organization.

The Workflow & API Chain

When a user raises a “Request an access package IGA” ticket, the automation follows this sequence:

1. Tenant Identification: The rule checks the reporter’s Organization and sets a tenantID variable. This allows the same automation to scale across diverse customer environments.
2. Access Package Lookup: GET /identityGovernance/entitlementManagement/accessPackages
3. Policy Retrieval & The Encoding Fix: To get the assignment policy, we call: https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/{{AccessPackageID.urlEncode.replace(“+”,”%20″)}}?$expand=accessPackageAssignmentPolicies

Technical Note

We discovered that Jira’s .urlEncode function converts spaces to +. However, the Microsoft Graph API expects %20 for OData filters. By chaining .replace(“+”,”%20″), we ensured our URIs were compliant, preventing 400 Bad Request errors.

1. Identity Resolution: GET https://graph.microsoft.com/v1.0/users/{{reporter.emailAddress}} We resolve the reporter’s email to their unique Entra User ID.
2. Final Provisioning: POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/assignmentRequests

The Outcome

Once the final API call is validated, the workflow completes. Within seconds, the user has a live Access Package Assignment in Entra ID, granting them all the associated permissions and resources without a single manual click from the IT department.

Case 2: Hybrid Governance via Custom Extensions

Automating Tickets for “Offline” Applications

What happens when an access request is for a legacy or “offline” application that Entra ID cannot provision automatically? At Resilient Security, we bridge this gap using a logic app.

The Logic App Architecture

We integrated a Logic App directly into the Entra ID Access Package workflow.

• The Integration Point: Under the Rules tab of the Access Package, we configured a Custom Extension.
• The Stages: We specifically target two critical lifecycle stages:
  1. Request is approved: This triggers the Logic App to call the Jira API (secured via a Jira API Token) to create a ticket. The ticket instructs the local IT team to manually assign permissions in the offline app.
  2. Request is removed: When access expires or a manager revokes it, a second trigger creates a high-priority ticket to ensure permissions are stripped immediately.
• The Security Layer: The Logic App includes logic to verify the request origin, ensuring that only legitimate Entra ID events can trigger ticket creation in your Jira instance.