SailPoint IdentityNow PowerShell Module

Updated Documentation for new cmdlets is here.

Updated 27 Oct 2022 for v1.1.6. New cmdlets, updated 
cmdlets for API changes, documentation updates and 
bugfixes. Full details here. 

Updated 22 June 2021 for v1.1.4. Four new cmdlets and
updates to numerous other cmdlets for API and 
authentication changes. Full details here. 

Updated 11 August 2020 for v1.1.2. New cmdlets, updates
to deprecate v2 auth, documentation and example updates.
Full details here.

Updated 17 June 2020 for v1.1.0 with all cmdlets updated,
new cmdlets, documentation and an example PowerShell
Jupyter Notebook. Full details here.

Updated 25 March 2020 for v1.0.7 with additional cmdlets,
cmdlet updates, a bugfix and PowerShell v7 validation.
Full details here. 

Updated 9 Jan 2020 for v1.0.6 with additional cmdlets,
PowerShell Core compatibility and the removal of a
dependency on the PSCX Module. Full details here.

Updated 26 Nov 2019 for v1.0.5 with additional cmdlets to:

  • Store multiple Org Credentials and switch between them (courtesy of Sean McGovern)
  • Get IdentityNow Activities (via Search)
  • Get IdentityNow Identities (via Search)
  • Update IdentityNow Source
  • Generate IdentityNow Source Configuration HTML Report
  • Generate IdentityNow Identity Profile Configuration HTML Report
  • Create and Delete IdentityNow Sources (courtesy of Sean McGovern)
  • Test Identity Source Connection (courtesy of Sean McGovern)
  • New IdentityNow Source Account Schema Attribute (courtesy of Sean McGovern)
  • Get and Update IdentityNow Attributes
  • Get the IdentityNow Attribute List
  • Reset an IdentityNow Source

Updated 5 Nov 2019 for v1.0.4 with additional cmdlets to:

  • Search Audit Events (v2 API)
  • Search Events (BETA Search API)
  • Get-IdentityNowSourceAccounts now has -attributes switch to retrieve account attributes

Updated 22 Oct 2019 for v1.0.3 with additional cmdlets to:

  • Create / Get / Remove v2 API Clients (Legacy)
  • Create / Get / Remove v3 oAuth API Clients

Updated 17 Oct 2019 for v1.0.2 with additional cmdlets to:

  • Create / Get / Update / Remove IdentityNow Transforms
  • Get IdentityNow Rules
  • Get / Update Email Templates
  • Get IdentityNow Profiles
  • Get / Update IdentityNow Profiles Order

I’ve just published v1 of my SailPoint IdentityNow PowerShell Module. Don’t want to wait or read anymore? You can install it from the PowerShell Gallery

install-module -name SailPointIdentityNow -RequiredVersion 1.1.4
You can also download it from GitHub here and run the install script (in an elevated PowerShell session).
NOTE: This is not an official SailPoint IdentityNow PowerShell Module.

Features

  • Easy command-line use, after setting default configuration options and securely saving them to the current user’s profile.
  • Get an IdentityNow Organisation and Get / Update an Organisation Configuration
  • Search IdentityNow Users
  • Search IdentityNow Users Profiles
  • Search IdentityNow Entitlements
  • Search IdentityNow Identities
  • Create / Get / Update / Remove IdentityNow Access Profiles
  • Create / Get / Start IdentityNow Certification Campaigns
  • Get IdentityNow Certification Campaign Reports (output to file or return as PSObject)
  • Create / Get / Update / Remove IdentityNow Governance Groups
  • Create / Get / Update / Remove IdentityNow Roles
  • Get / Update / Test / Create / Remove IdentityNow Sources
  • Create IdentityNow Source Account Schema Attributes
  • Generate IdentityNow Sources Configuration Report
  • Generate IdentityNow Identity Profiles Configuration Report
  • Get Accounts from an IdentityNow Source
  • Create / Update / Remove IdentityNow Source Account (Flat File / Delimited Sources)
  • Get / Complete IdentityNow Tasks
  • Get IdentityNow Virtual Appliance Clusters (and clients (VA’s))
  • Get / Update IdentityNow Applications
  • Create / Get / Update / Remove IdentityNow Transforms
  • Get IdentityNow Rules
  • Get / Update Email Templates
  • Get IdentityNow Profiles
  • Get / Update IdentityNow Profiles Order
  • Get / Update Identity Attributes
  • Create / Get / Remove v2 API Clients (Legacy)
  • Create / Get / Remove v3 oAuth API Clients
  • Search Audit Events (v2)
  • Search Events (Beta) – Elasticsearch
  • List / Get Account Activities
  • Reset an IdentityNow Source
  • …. and if they don’t fit use Invoke-IdentityNowRequest to make any other API call (examples for Get Source Schema, Get IdentityNow Identity Profiles, Get IdentityNow Identity Attributes)

Here is a quick overview of each of the cmdlets from the SailPoint IdentityNow PowerShell Module. As alluded to above they allow you to retrieve, update, create and remove IdentityNow elements.

Setting up the IdentityNow PowerShell Module Credentials and Organisation Configuration

The following cmdlets (Set-IdentityNowOrg, Set-IdentityNowCredential, Save-IdentityNowConfiguration) securely store the credentials required to operate the cmdlets in your PowerShell Profile. They will autoload each time you import the IdentityNow PowerShell module. If you are only integrating with one environment you only need to do this once per host you are using the module on.

NOTE: This module requires a v3 API ClientID and Secret, which can now be generated via the IdentityNow Admin Portal, and a v2 API ClientID and Secret generated via API. See this post for details on how to generate them.

Update the following example with your credentials and API keys. The credentials shown below aren’t real, but random chars in the indicative format. 

$orgName = "customername-sb"
Set-IdentityNowOrg -orgName $orgName

# IdentityNow Admin User
$adminUSR = "identityNow_admin_User"
$adminPWD = 'idnAdminUserPassword'
$adminCreds = [pscredential]::new($adminUSR, ($adminPWD | ConvertTo-SecureString -AsPlainText -Force))

# Customer IdentityNow Org v3 API Creds generated in IdentityNow Portal   
$clientIDv3 = "badbeef6-5f24-4448-ac0b-abcdefG"
$clientSecretv3 = "770a71abcdef5301848d00000d8760fe0d9f632383775b315aa1234567890"
$v3Creds = [pscredential]::new($clientIDv3, ($clientSecretv3 | ConvertTo-SecureString -AsPlainText -Force))

# Customer IdentityNow v2 API Client ID & Secret generated via API
$clientID = 'zo7ABCDaTHjA0Rwv'
# Your API Client Secret
$clientSecret = '3Zm9Qod4sWhihABCdefgCX9DIfmwAZiP'
$v2Creds = [pscredential]::new($clientID, ($clientSecret | ConvertTo-SecureString -AsPlainText -Force))
Set-IdentityNowCredential -AdminCredential $adminCreds -v2APIKey $v2Creds -v3APIKey $v3Creds 

Save-IdentityNowConfiguration
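
A variant of the setup above that prompts for each secret instead of embedding it in the script, so the password and client secrets are never written into a script file or typed as part of a command line. This is an added example, not part of the module or the original post; the helper names Initialize-IdnModuleConfig and Read-IdnSecret and the placeholder client IDs are assumptions, while the three module cmdlets and their parameters are the ones used above.

```powershell
# Added example (not part of the SailPointIdentityNow module or the original post).
# Initialize-IdnModuleConfig and Read-IdnSecret are hypothetical helper names.
# Requires an interactive session: Read-Host cannot prompt under -NonInteractive.

function Read-IdnSecret {
    param(
        [Parameter(Mandatory)][string]$Name,    # user name or API client ID
        [Parameter(Mandatory)][string]$Prompt   # text shown to the operator
    )
    # -AsSecureString masks the input and returns a SecureString directly,
    # so no plain-text copy of the secret is held in a variable
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    if ($null -eq $secure -or $secure.Length -eq 0) {
        throw "No value entered for '$Prompt'. Nothing was saved."
    }
    [pscredential]::new($Name, $secure)
}

function Initialize-IdnModuleConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$OrgName,
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$AdminUser,
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$ClientIdV3,
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$ClientIdV2
    )

    Import-Module SailPointIdentityNow -ErrorAction Stop

    # Collect all three secrets before changing any module state, so a
    # cancelled or empty prompt leaves the previously saved configuration intact
    $adminCreds = Read-IdnSecret -Name $AdminUser  -Prompt "Password for $AdminUser"
    $v3Creds    = Read-IdnSecret -Name $ClientIdV3 -Prompt "Secret for v3 client $ClientIdV3"
    $v2Creds    = Read-IdnSecret -Name $ClientIdV2 -Prompt "Secret for v2 client $ClientIdV2"

    # Same three module cmdlets and parameters as the setup above
    Set-IdentityNowOrg -orgName $OrgName
    Set-IdentityNowCredential -AdminCredential $adminCreds -v2APIKey $v2Creds -v3APIKey $v3Creds
    Save-IdentityNowConfiguration
}

# Identifiers are passed as arguments; only the secrets are prompted for
# (values below are constructed placeholders)
Initialize-IdnModuleConfig -OrgName 'customername-sb' -AdminUser 'identityNow_admin_User' `
    -ClientIdV3 '<v3-client-id>' -ClientIdV2 '<v2-client-id>'
```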

Get an IdentityNow Organisation and Get / Update an Organisation Configuration

Display the IdentityNow Organisation set by “Set-IdentityNowOrg” and the API endpoints for the currently configured organisation – Example

Get-IdentityNowOrg

Name                           Value
----                           -----
Organisation Name              customer-sb
Organisation URI               https://customer-sb.identitynow.com
v1 Base API URI                https://customer-sb.identitynow.com/api
v2 Base API URI                https://customer-sb.api.identitynow.com/v2
v3 / Private Base API URI      https://customer-sb.api.identitynow.com/cc/api

Update an IdentityNow Organisation Setting – Example
[Reference post]

$orgConfig = Get-IdentityNowOrgConfig

$approvalConfig = $orgConfig.approvalConfig
# global reminders and escalation policies for access request approvals
$daysBetweenReminders = 3
$daysTillEscalation = 5
$maxReminders = 10
# SailPoint user name of the identity
$fallbackApprover = "darren.robinson"

# Set Config options to update
$approvalConfig.daysBetweenReminders = $daysBetweenReminders
$approvalConfig.daysTillEscalation = $daysTillEscalation
$approvalConfig.maxReminders = $maxReminders
$approvalConfig.fallbackApprover = $fallbackApprover
$approvalConfigBody = @{"approvalConfig" = $approvalConfig }

Update-IdentityNowOrgConfig -update ($approvalConfigBody | convertto-json)

Search IdentityNow Users

Search for IdentityNow Users – Examples
[Reference post]

Search-IdentityNowUsers -query darrenjrobinson
Search-IdentityNowUsers -query "@accounts(accountId:darren.robinson)"
Search-IdentityNowUsers -query "@source(id:2c91808469110d6a016954d4dad138a3)"
Search-IdentityNowUsers -query "@access(source.name:*Active Directory*) AND attributes.company:Kloud"

Search IdentityNow Users Profiles

Search for a user’s IdentityNow Profile from the IdentityNow Identity List – Example
[Reference post – See Profile Owner Section]

Search-IdentityNowUserProfile -query "darrenjrobinson"

Search IdentityNow Entitlements

Search for Entitlements associated with IdentityNow Sources – Example
[Reference post]

Search-IdentityNowEntitlements -query "File_Share_Sydney"

Create / Get / Update / Remove IdentityNow Access Profiles

Get all IdentityNow Access Profiles – Example
[Reference post]

Get-IdentityNowAccessProfile

Get a specific IdentityNow Access Profile – Example

Get-IdentityNowAccessProfile -profileID 2c91808369a606f00169c756f0a00017

Create an IdentityNow Access Profile – Example 1

New-IdentityNowAccessProfile -profile '{"entitlements": ["2c91808668dcf3970168dd722e7a020d","2c91808468dcf4610168dd78d2e8531e"],"description": "FS-SYDNEY-AUS-ENGINEERING","requestCommentsRequired": true,"sourceId": "39082","approvalSchemes": "manager","ownerId": "1397606","name": "Sydney Engineering","deniedCommentsRequired": true}'

Create an IdentityNow Access Profile – Example 2

# Get Owner for Access Profile
$owner = Search-IdentityNowUserProfile -query "darren.robinson"

# Get Source for Access Profile
$sources = Get-IdentityNowSource
$adSource = $sources | Select-Object | Where-Object {$_.name -like '*Active Directory*'}

# Entitlements
$entitlement = Search-IdentityNowEntitlements -query "FS-SYDNEY-AUS-ENGINEERING"
$e = $entitlement | Select-Object | Where-Object {$_.source.name -eq 'Active Directory'}

# Access Profile Details
$accessProfile = @{}
$accessProfile.add("name", "Sydney Engineering")
$accessProfile.add("description", "FS-SYDNEY-AUS-ENGINEERING")
$accessProfile.add("sourceId", $adSource.id)
$accessProfile.add("ownerId", $owner.id)

# Access Profile Entitlements
$entitlements = @()
ForEach($i in $e) {$entitlements += $i.id}
$entitlementsToAdd = @{"entitlements" = $entitlements}
$accessProfile.add("entitlements", $entitlementsToAdd.entitlements)

# Access Profile Type
$accessProfile.add("approvalSchemes", "manager")
$accessProfile.add("requestCommentsRequired", $true)
$accessProfile.add("deniedCommentsRequired", $true)

New-IdentityNowAccessProfile -profile ($accessProfile | convertto-json)

Update an IdentityNow Access Profile – Example 1

Update-IdentityNowAccessProfile -profileID 2c91808466a64e330112a96902ff1f69 -update '{"deniedCommentsRequired": true,"requestCommentsRequired": true}'

Update an IdentityNow Access Profile – Example 2

$ap = Get-IdentityNowAccessProfile
$accessProfile = $ap | Select-Object | Where-Object {$_.description -like '*Darren*'}

$updateAccessProfile = @{}
$updateAccessProfile.Add("requestCommentsRequired", $true)
$updateAccessProfile.Add("deniedCommentsRequired", $true)

Update-IdentityNowAccessProfile -profileID $accessProfile.id -update ($updateAccessProfile | convertto-JSON)

Remove an IdentityNow Access Profile – Example 1

Remove-IdentityNowAccessProfile -profileID 2c91808369a606f00169c756f0a00017

Remove an IdentityNow Access Profile – Example 2

$ExistingAPs = Get-IdentityNowAccessProfile
$myAP = $ExistingAPs | Select-Object | Where-Object {$_.name -like "*My Access Profile*"}
Remove-IdentityNowAccessProfile -profileID $myAP.id

Create / Get / Start IdentityNow Certification Campaigns

Get all (active and completed) IdentityNow Certification Campaigns – Example
[Reference post]

Get-IdentityNowCertCampaign -completed $false

Get a specific IdentityNow Certification Campaign – Example

Get-IdentityNowCertCampaign -campaignID 2c9180856708ae38016709f4812345c3

Create an IdentityNow Certification Campaign – Example
[Reference post]

$query = "@apps.name:'Special Application'"
$campaignFilter = Search-IdentityNowUsers -query $query

$entitlements = $null
$e = $campaignFilter.access | where-object { $_.type -eq "ENTITLEMENT" } | Select-Object id
$entitlements = $e | Select-Object -Property id -Unique

$roles = $null
$r = $campaignFilter.access | where-object { $_.type -eq "ROLES" } | Select-Object id
$roles = $r | Select-Object -Property id -Unique

$accessProfiles = $null
$a = $campaignFilter.access | where-object { $_.type -eq "ACCESS_PROFILE" } | Select-Object id
$accessProfiles = $a | Select-Object -Property id -Unique

$inclusionList = @()

$InclusionTemplate = [pscustomobject][ordered]@{
    id   = $null
    type = $null
}

# ROLES
foreach ($role in $roles) {
    $incRole = $InclusionTemplate.PsObject.Copy()
    $incRole.id = $role.id
    $incRole.type = "ROLE"
    $inclusionList += $incRole
}

# ENTITLEMENTS
foreach ($entitlement in $entitlements) {
    $incEntitlement = $InclusionTemplate.PsObject.Copy()
    $incEntitlement.id = $entitlement.id
    $incEntitlement.type = "ENTITLEMENT"
    $inclusionList += $incEntitlement
}

# ACCESS PROFILES
foreach ($accessProfile in $accessProfiles) {
    $incAccessProfile = $InclusionTemplate.PsObject.Copy()
    $incAccessProfile.id = $accessProfile.id
    $incAccessProfile.type = "ACCESS_PROFILE"
    $inclusionList += $incAccessProfile
}

$e = $inclusionList | select-object -Property type | Where-Object { $_.type -eq "ENTITLEMENT" }
$a = $inclusionList | select-object -Property type | Where-Object { $_.type -eq "ACCESS_PROFILE" }
$r = $inclusionList | select-object -Property type | Where-Object { $_.type -eq "ROLE" }

write-host -ForegroundColor Blue "Campaign scope covers $($r.type.count) Role(s), $($e.type.count) Entitlement(s) and $($a.type.count) Access Profile(s)."

# Create Campaign
$campaignOptions = @{ }
$campaignOptions.Add("type", "Identity")
$campaignOptions.Add("timeZone", "GMT+1000")
$campaignOptions.Add("name", "Oct 2019 Special App Campaign")
$campaignOptions.Add("allowAutoRevoke", $false)
$campaignOptions.Add("deadline", "2019-11-1")
$campaignOptions.Add("description", "Special App Oct 2019")
$campaignOptions.Add("disableEmail", $true)
$campaignOptions.Add("identityIdList", @())
$campaignOptions.Add("identityQueryString", $query )
$campaignOptions.Add("accessInclusionList", $inclusionList)
$campaignBody = $campaignOptions | ConvertTo-Json

New-IdentityNowCertCampaign -start $true -campaign $campaignBody

Get IdentityNow Certification Campaign Reports

Get all certification campaign reports from the last year and output them to a local folder – Example
[Reference post]

Get-IdentityNowCertCampaignReport -period "365" -outputPath "C:\Reports"

Get certification campaign reports for a specific campaign and return as PSObject – Example

Get-IdentityNowCertCampaign -campaignID '2c918085694a507f01694b9fcce6002f'

Create / Get / Update / Remove IdentityNow Governance Groups

Get IdentityNow Governance Groups – Example
[Reference post]

Get-IdentityNowGovernanceGroup

Get a specific IdentityNow Governance Group – Example

Get-IdentityNowGovernanceGroup -groupID 4fc249bd-46ff-405a-93b9-21372f97c352

Update an IdentityNow Governance Group to remove one member and add two members – Example

# Get Group
$govGroups = Get-IdentityNowGovernanceGroup
$myGroup = $govGroups | Select-Object | Where-Object { $_.description -like "*My IDN Governance Group*" }

# Add
$user1 = Search-IdentityNowUsers -query "@accounts(accountId:darren.robinson)"
$user2 = Search-IdentityNowUsers -query "@accounts(accountId:rick.sanchez)"
$user3 = Search-IdentityNowUsers -query "@accounts(accountId:morty.smith)"

$add = @()
$remove = @()
$add += $user3.id
$add += $user2.id
$remove += $user1.id

$update = (@{
add = $add
remove = $remove
})

Update-IdentityNowGovernanceGroup -groupID $myGroup.id -update ($update | convertto-json)

Create an IdentityNow Governance Group and assign an owner – Example

$GovGroupOwner = Search-IdentityNowUsers -query "@accounts(accountId:darren.robinson)"

$body = @{
    "name"        = "New IDN Module Gov Group";
    "displayName" = "New Module Gov Group";
    "description" = "New Module Gov Group";
    "owner"       = @{
        "displayName"  = $GovGroupOwner.displayName;
        "emailAddress" = $GovGroupOwner.email;
        "id"           = $GovGroupOwner.id;
        "name"         = $GovGroupOwner.name
    }
}
New-IdentityNowGovernanceGroup -group ($body | convertto-json)

Delete an IdentityNow Governance Group – Example

Remove-IdentityNowGovernanceGroup -groupID 4fc249bd-46ff-405a-93b9-21372f97c352

Create / Get / Update / Remove IdentityNow Roles

Get IdentityNow Roles – Example
[Reference post]

Get-IdentityNowRole

Get a specific IdentityNow Role – Example

Get-IdentityNowRole -roleID 2c918084691653af01695182a78b05ec

Update an IdentityNow Role – Example
[Reference post]

$body = @{
"id" = "2c9180886cd58059016d1a4757d709a4"
"name" = "Role - Special Admins";
"displayName" = "Special Admins";
"description" = "Special Admins Role";
"disabled" = $false;
"owner" = "darrenjrobinson"
}
Update-IdentityNowRole -update ($body | convertto-json)

Create an IdentityNow Role – Example

$body = @{
"name" = "Role - Special Administrators";
"displayName" = "Special Administrators";
"description" = "Special Administrators Role";
"disabled" = $true;
"owner" = "darrenjrobinson"
}

New-IdentityNowRole -role ($body | convertto-json)

Delete an IdentityNow Role – Example

Remove-IdentityNowRole -roleID 2c9180886cd58059016d1a5a23f609a8

Get IdentityNow Sources

Get all IdentityNow Sources – Example
[Reference post]

Get-IdentityNowSource

Get a specific IdentityNow Source – Example

Get-IdentityNowSource -sourceID 12345

Get Accounts from an IdentityNow Source

Get accounts from an IdentityNow Source – Example
[Reference post]

Get-IdentityNowSourceAccounts -sourceID 40113

Create / Update / Remove IdentityNow Source Account (Flat File / Delimited Sources)

Create an account on an indirect IdentityNow Source – Example
[Reference post]

$account = @{"id" = 'darrenjrobinson';
"name" = 'darrenjrobinson';
"givenName" = 'Darren';
"familyName" = 'Robinson';
"displayName" = 'Darren Robinson';
"email" = 'darren.robinson@customer.com.au'
}

New-IdentityNowUserSourceAccount -source 36702 -account ($account | convertto-json)

Update an account on an indirect IdentityNow Source – Example
[Reference post]

$update = @{
"country" = "Australia"
"department" = "Identity Architects"
"organization" = "Kloud"
}

Update-IdentityNowUserSourceAccount -account 2c91808469110d6a016954d4dad138a3 -update ($update | ConvertTo-Json)

Delete an IdentityNow account from an indirect IdentityNow Source – Example (assumes user only has a single account on an indirect source)
[Reference post]

$user = Search-IdentityNowUsers -query "@accounts(accountId:darrenjrobinson)"
$userIndirectAccounts = $user.accounts | select-object | where-object { ($_.source.type.contains("DelimitedFile")) }
$account = $userIndirectAccounts.id

Remove-IdentityNowUserSourceAccount -account $account

Get / Complete IdentityNow Tasks

Get IdentityNow Tasks – Example
[Reference post]

Get-IdentityNowTask

Get a specific IdentityNow Task – Example

Get-IdentityNowTask -taskID 2c918084691120d0016926a6a94251d6

Mark an IdentityNow Task as complete – Example

Complete-IdentityNowTask -taskID 2c918084691120d0016926a6a94251d6

Get IdentityNow Virtual Appliances & Clusters

Get IdentityNow Virtual Appliance Clusters – Example
[Reference post]

Get-IdentityNowVACluster

Get IdentityNow Virtual Appliances from a cluster – Example

$clusters = Get-IdentityNowVACluster
foreach ($va in $clusters) {
    # Each cluster object lists its Virtual Appliances under the 'clients' property
    "Cluster: $($va.description) VA ID: $($va.clients.id) VA Description: $($va.clients.description)"
}

Get / Update IdentityNow Applications

Get IdentityNow Customer Created and Managed Applications – Example
[Reference post]

Get-IdentityNowApplication

Get IdentityNow Customer default configured SailPoint Applications – Example

Get-IdentityNowApplication -org $true

Get a specific IdentityNow Application – Example

Get-IdentityNowApplication -appID 32128

Update an IdentityNow Application – Example

$appBody = @{
"launchpadEnabled" = $false
"provisionRequestEnabled" = $false
"appCenterEnabled" = $false
}
Update-IdentityNowApplication -appID 24188 -update ($appBody | ConvertTo-Json)

Initiate Aggregation of an IdentityNow Source

Aggregate an IdentityNow Source – Example
[Reference post]

Invoke-IdentityNowAggregateSource -sourceID 12345

Aggregate an IdentityNow Source without optimization – Example
[Reference post]

Invoke-IdentityNowAggregateSource -sourceID 12345 -disableOptimization $true

Create / Get / Update / Remove IdentityNow Transforms

Get IdentityNow Transforms – Example

Get-IdentityNowTransform

Get an IdentityNow Transform – Example

Get-IdentityNowTransform -ID ToUpper

Update an IdentityNow Transform – Example

$attributes = @{value = '$firstName.$lastname@$company.com.au'}
$transform = @{type = "static"; attributes = $attributes}
Update-IdentityNowTransform -transform ($transform | convertto-json) -ID "Firstname.LastName"

Create an IdentityNow Transform – Example

$attributes = @{value = '$firstName.$lastname'}
$transform = @{type = "static"; id = "FirstName.LastName"; attributes = $attributes}
New-IdentityNowTransform -transform ($transform | convertto-json)

Delete an IdentityNow Transform – Example

Remove-IdentityNowTransform -ID "Firstname.LastName"

Get IdentityNow Rules

Get IdentityNow Rules – Example

Get-IdentityNowRule

Get an IdentityNow Rule – Example

Get-IdentityNowRule -ID 2c9170826219ab41014275b47fc40b0a

Get / Update Email Templates

Get Email Templates – Example

Get-IdentityNowEmailTemplate

Get an Email Template – Example

Get-IdentityNowEmailTemplate -ID 2c91601362431b32016275b4241b08f0

Update Email Template – Example

$templateChanges = @{}
$templateChanges.add("id","2c91601362431b32016275b4241b08f0")
$templateChanges.add("subject",'Access Request requires completion of Work Item ID : $workItemName')
Update-IdentityNowEmailTemplate -template ($templateChanges | ConvertTo-Json)

Get IdentityNow Profiles

Get IdentityNow Identity Profiles – Example

Get-IdentityNowProfile

Get an IdentityNow Profile – Example

Get-IdentityNowProfile -ID 1033

Get / Update IdentityNow Profiles Order

Get IdentityNow Profiles Order – Example

Get-IdentityNowProfileOrder


ProfileName           Priority   ID
-----------           --------   --
IdentityNow Admins          10 1066
Cloud Identities            30 1285
Guest Identities            40 1286
Special Identities          60 1372
Non Employee Identities     70 1380
Employee Identities         80 1387

Update IdentityNow Profile Order – Example

Update-IdentityNowProfileOrder -id 1285 -priority 20

Create / Get / Remove API Management Clients (Legacy v2)

Get all v2 API Clients (listed as Legacy in the IdentityNow portal under API Management ) – Example

Get-IdentityNowAPIClient

Get a single v2 API Client – Example

Get-IdentityNowAPIClient -ID 123

Create a v2 API Client – Example

New-IdentityNowAPIClient

Remove a v2 API Client – Example

Remove-IdentityNowAPIClient -ID 123

Create / Get / Remove oAuth API Clients

Get oAuth API (v3) Clients – Example

Get-IdentityNowOAuthAPIClient

Get an oAuth API (v3) Client – Example

Get-IdentityNowOAuthAPIClient -ID '8432e57d-5f8f-dead-beef-a7bf123456a1'

Create an oAuth API Client (v3) – Example

New-IdentityNowOAuthAPIClient -description 'oAuth Client' -grantTypes 'AUTHORIZATION_CODE,CLIENT_CREDENTIALS,REFRESH_TOKEN,PASSWORD' -redirectUris 'https://localhost,https://myapp.com.au'

Remove an oAuth API Client (v3) – Example

Remove-IdentityNowOAuthAPIClient -ID '9e23deaf-48aa-dead-beef-ab6821a12ab2'

Search Audit Events (v2)

Search IdentityNow Audit Events using the v2 API Search options (except Filter) as per the v2/Audit documentation. For Filter (JSON) Audit Event queries use the Search-IdentityNowEvents cmdlet.

  • actn (Exact match of the “action” property. Eg: -actn USER_STEP_UP_AUTH)
  • application (Case insensitive name of the source you’re querying for. Eg: -application “Corporate AD”)
  • type (the audit category. Valid values are “AUTH”, “SSO”, “PROVISIONING”, “PASSWORD_CHANGE” or “SOURCE” Eg: -type AUTH)
  • user (Case insensitive exact match of the UID of an identity contained in either “source” or “target” properties in the logs where source indicates the person who took the action and target indicates the person who was affected by the action. Eg: -user darren.robinson)
  • days (Only return results whose timestamp is within this previous number of days; defaults to 7. Eg: -days 3)
  • searchLimit (Maximum number of items to return, used for paging; defaults to 200. Maximum value of 2500. Eg. -searchlimit 50)
  • since (Returns only results from days since the entered date, or date and time combination, in ISO-8601 format. Eg: -since ‘2019-09-30T12:30:50.450Z’)

Search-IdentityNowAuditEvents – Examples

Search-IdentityNowAuditEvents 
Search-IdentityNowAuditEvents -action USER_STEP_UP_AUTH
Search-IdentityNowAuditEvents -since '2019-09-30T12:30:50.450Z'
Search-IdentityNowAuditEvents -since '2019-09-30T12:30:50.450Z' -searchLimit 10  
Search-IdentityNowAuditEvents -since '2019-09-30T12:30:50.450Z' -searchLimit 2501
Search-IdentityNowAuditEvents -days 1 
Search-IdentityNowAuditEvents -days 1 -searchLimit 5000 
Search-IdentityNowAuditEvents -days 1 -action 'AUTHENTICATION-103'
Search-IdentityNowAuditEvents -type AUTH
Search-IdentityNowAuditEvents -type AUTH -days 1 
Search-IdentityNowAuditEvents -type AUTH -days 1 -searchLimit 5000
Search-IdentityNowAuditEvents -type AUTH -days 1 -action 'AUTHENTICATION-103'
Search-IdentityNowAuditEvents -user 'customer_admin'
Search-IdentityNowAuditEvents -user 'customer_admin' -searchLimit 10
Search-IdentityNowAuditEvents -user 'customer_admin' -since '2019-10-30T12:30:50.450Z'
Search-IdentityNowAuditEvents -user 'customer_admin' -days 1 
Search-IdentityNowAuditEvents -user 'customer_admin' -days 1 -searchLimit 2510
Search-IdentityNowAuditEvents -user 'customer_admin' -action 'AUTHENTICATION-103'
Search-IdentityNowAuditEvents -user 'customer_admin' -type 'AUTH'
Search-IdentityNowAuditEvents -user 'customer_admin' -days 1 -action 'AUTHENTICATION-103'
Search-IdentityNowAuditEvents -user 'customer_admin' -days 1 -type 'AUTH'
Search-IdentityNowAuditEvents -user 'customer_admin' -days 1 -type 'AUTH' -action 'AUTHENTICATION-103' 
Search-IdentityNowAuditEvents -user 'customer_admin' -days 1 -type 'AUTH' -action 'AUTHENTICATION-103' -searchLimit 50
Search-IdentityNowAuditEvents -user 'customer_admin' -since '2019-10-30T12:30:50.450Z' -action 'AUTHENTICATION-103'
Search-IdentityNowAuditEvents -user 'customer_admin' -since '2019-10-30T12:30:50.450Z'  -type 'AUTH' -action 'AUTHENTICATION-103'
Search-IdentityNowAuditEvents -application 'Workday (Dev)'
Search-IdentityNowAuditEvents -application 'Workday (Dev)' -days 2
Search-IdentityNowAuditEvents -application 'Workday (Dev)' -action 'SOURCE_ACCOUNT_AGGREGATION'
Search-IdentityNowAuditEvents -application 'Workday (Dev)' -action 'SOURCE_ACCOUNT_AGGREGATION' -days 2
Search-IdentityNowAuditEvents -application 'Workday (Dev)' -type 'PROVISIONING'
Search-IdentityNowAuditEvents -application 'Workday (Dev)' -since '2019-10-30T12:30:50.450Z'
Search-IdentityNowAuditEvents -application 'Workday (Dev)' -since '2019-10-30T12:30:50.450Z' -action 'SOURCE_ACCOUNT_AGGREGATION'
Search-IdentityNowAuditEvents -application 'Workday (Dev)' -since '2019-10-30T12:30:50.450Z' -action 'SOURCE_ACCOUNT_AGGREGATION' -type 'PROVISIONING'

Search Events (Beta) – Elasticsearch

Search IdentityNow Events using the new IdentityNow Search (Elasticsearch). Results default to 2500. If you want more or fewer, use the -searchLimit option.

Search Events – Example

$query = @{query = 'technicalName:USER_AUTHENTICATION_STEP_UP_SETUP_*'; type = 'USER_MANAGEMENT'}
$queryFilter = @{query = $query}
Search-IdentityNowEvents -filter ($queryFilter | convertto-json)

Search Events (Search Limit) – Example

$query = @{query = 'technicalName:USER_AUTHENTICATION_*'; type = 'USER_MANAGEMENT'}
$queryFilter = @{query = $query}
Search-IdentityNowEvents -filter ($queryFilter | convertto-json) -searchLimit 5500

And the ultimate flexible cmdlet Invoke-IdentityNowRequest

The cmdlet that lets you do your thing, with a little help. This cmdlet has options for v2 and v3 authentication and will provide the web request headers (with and without content-type = application/json set). You supply the URI for the request, the method (POST, GET, DELETE, PATCH) and the request will be sent, and the results sent back.

Request Methods are;

  • Get
  • Put
  • Patch
  • Delete
  • Post

Header options are;

  • HeadersV2 – Headersv2 is Digest Auth with no Content-Type set
  • HeadersV3 – Headersv3 is JWT oAuth with no Content-Type set
  • Headersv2_JSON – Headersv2_JSON is Digest Auth with Content-Type set for application/json
  • Headersv3_JSON – Headersv3_JSON is JWT oAuth with Content-Type set for application/json

Example 1 – Get the Schema of a Source
[Reference post]

$orgName = "customer-sb"
$sourceID = "12345"
Invoke-IdentityNowRequest -Method Get -Uri "https://$($orgName).api.identitynow.com/cc/api/source/getAccountSchema/$($sourceID)" -headers HeadersV3

Example 2 – List Identity Profiles
[Reference post]

$orgName = "customer-sb"
Invoke-IdentityNowRequest -Method Get -Uri "https://$($orgName).identitynow.com/api/profile/list" -headers Headersv2_JSON

Example 3 – Get IdentityNow Identity Attributes
[Reference post]

$orgName = "customer-sb"
Invoke-IdentityNowRequest -Method Get -Uri "https://$($orgName).api.identitynow.com/cc/api/identityAttribute/list" -headers HeadersV3

Enjoy.