Cross-Provision User Across Entra and Google Workspace

arazzo: 1.0.1
info:
  title: Cross-Provision User Across Entra and Google Workspace
  summary: Create a single identity in both Microsoft Entra ID and Google Workspace.
  description: >-
    A dual-directory provisioning workflow that establishes the same new hire
    identity in two corporate directories at once. Creates the user in Microsoft
    Entra ID, then mirrors the account into Google Workspace so the employee has
    sign-in across both ecosystems from day one.
  version: 1.0.0
sourceDescriptions:
  - name: entraApi
    url: https://raw.githubusercontent.com/api-evangelist/microsoft-entra/refs/heads/main/openapi/microsoft-entra-graph-identity-openapi.yml
    type: openapi
  - name: googleWorkspaceApi
    url: https://raw.githubusercontent.com/api-evangelist/google-workspace/refs/heads/main/openapi/admin-sdk-directory-api.yml
    type: openapi
workflows:
  - workflowId: dual-directory-provision
    summary: Provision the same user in Entra ID and Google Workspace.
    description: >-
      Creates a user account in Microsoft Entra ID and then provisions a matching
      account in Google Workspace, carrying the display name into both directories.
    inputs:
      type: object
      properties:
        displayName:
          type: string
        userPrincipalName:
          type: string
        mailNickname:
          type: string
        entraPassword:
          type: string
        googlePrimaryEmail:
          type: string
        givenName:
          type: string
        familyName:
          type: string
        googlePassword:
          type: string
    steps:
      - stepId: create-entra-user
        description: Provision the new user in Microsoft Entra ID.
        operationId: $sourceDescriptions.entraApi.createUser
        requestBody:
          contentType: application/json
          payload:
            accountEnabled: true
            displayName: $inputs.displayName
            userPrincipalName: $inputs.userPrincipalName
            mailNickname: $inputs.mailNickname
            passwordProfile:
              forceChangePasswordNextSignIn: true
              password: $inputs.entraPassword
        successCriteria:
          - condition: $statusCode == 201
        outputs:
          entraUserId: $response.body#/id
      - stepId: create-google-user
        description: Mirror the identity into Google Workspace.
        operationId: $sourceDescriptions.googleWorkspaceApi.insertUser
        requestBody:
          contentType: application/json
          payload:
            primaryEmail: $inputs.googlePrimaryEmail
            name:
              givenName: $inputs.givenName
              familyName: $inputs.familyName
            password: $inputs.googlePassword
            changePasswordAtNextLogin: true
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          googleUserId: $response.body#/id
          googleEmail: $response.body#/primaryEmail
    outputs:
      entraUserId: $steps.create-entra-user.outputs.entraUserId
      googleUserId: $steps.create-google-user.outputs.googleUserId
      googleEmail: $steps.create-google-user.outputs.googleEmail