Ring in the New Year with automated user provisioning from SAP SuccessFactors to Azure AD

Alex Simons (AZURE) · ‎Dec 16 2019

Howdy folks,

Today, I’m very excited to announce the public preview of automated inbound user provisioning from SAP SuccessFactors to Azure AD and on-premises AD.

This builds on the momentum we have already established in simplifying how identities are managed in Azure AD. Early this year, we delivered inbound user provisioning from Workday to Azure AD. We also added more pre-built provisioning capabilities to your favorite SaaS apps including the ability to manage users in bulk. And last week, we announced the public preview of Azure AD Connect cloud provisioning.

The public preview of inbound user provisioning from SuccessFactors allows customers to easily orchestrate users from SuccessFactors into Azure AD.

SuccessFactors HR to Azure AD 1.png

With this built-in cloud-based integration of Azure AD with SuccessFactors, you can:

Securely tap into the rich workforce identity and organization data present in SuccessFactors.
Implement end-to-end identity lifecycle management covering the entire spectrum of Joiner-Mover-Leaver scenarios.
Eliminate error prone custom scripts to sync employee and contractor data.

Give this a try today

There are five simple steps for you to get started on this capability.

Step 1—Select the right provisioning app from the gallery

In the Enterprise App gallery, there are three new pre-integrated applications designed to meet your requirements around SuccessFactors integration.

SuccessFactors to Active Directory User Provisioning—Use this app if you have a hybrid identity setup and would like to provision users directly from SuccessFactors to on-premises Active Directory.
SuccessFactors to Azure AD User Provisioning—Use this app if you have cloud only users and would like to provision users directly from SuccessFactors to Azure AD.
SuccessFactors Writeback—Use this app to writeback email address from Azure AD to SuccessFactors.

SuccessFactors HR to Azure AD 2.png

For more information, refer to the decision flowchart in the Cloud HR deployment plan.

Step 2—Configure connectivity to SuccessFactors ODATA API server

Azure AD needs to be configured with the account that has permissions to read data from SuccessFactors.

SuccessFactors HR to Azure AD 3.png

If you’re configuring integration with on-premises AD, there is an additional step of installing and configuring Azure AD Connect provisioning agent that is capable of provisioning to multiple AD domains. Refer to the integration tutorial for detailed steps.

Step 3—Configure scoping to define identities that will be managed with this integration

Identify which users should be provisioned from SuccessFactors to Azure AD or on-premises AD. If you want to rollout SuccessFactors HR integration gradually based on location, department or division, then you can use the scoping filters to determine which users should be provisioned.

The example below uses a scoping filter based on the department attribute:

SuccessFactors HR to Azure AD 4.png

Step 4—Configure attribute mappings

The pre-built SuccessFactors provisioning connector supports mapping 70+ different attributes from SuccessFactors. With expression mapping functions, you can apply attribute transformations such as replacing strings, concatenating values and generating unique identifiers.

SuccessFactors HR to Azure AD 5.png

Step 5—Turn on the provisioning cycle

Start the provisioning cycle and use the progress bar and provisioning logs to track the provisioning process.

SuccessFactors HR to Azure AD 6 v2.png

The SuccessFactors-driven inbound user provisioning feature requires Azure AD Premium P1 subscription. To help you plan your deployment, we have published a comprehensive cloud HR deployment plan as well as a tutorial for configuring SuccessFactors for Inbound User Provisioning

Let us know what you think in the comments below. You can also post your feedback or suggestions for new capabilities that you would like to see in our Azure AD UserVoice feedback forum.

Best regards,

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

MuellerMartin · ‎Dec 16 2019

Looks very promising, I will have to spend some time reading more about deployment options. I like the idea of provisioning users to multiple on-prem domains!

I can see that Users are imported from EmployeeCentral. Does this include or are you planning to expand this to Contingent Workforce Management? https://blogs.sap.com/2016/06/06/faq-managing-contingent-workers-in-sap-successfactors-employee-cent...

Chetan Desai · ‎Dec 17 2019

Thank you @MuellerMartin for your feedback! The integration supports Contingent Workforce management and you can import contingent worker info from SuccessFactors Employee Central. Please do give it a try and let us know your feedback. For integrating with multiple on-prem AD domains, register all target AD domains when configuring the provisioning agent and you will see the domains show-up when you configure the provisioning app in the Azure AD portal.

juliankuenzel · ‎Dec 17 2019

Hello!

if a users is synced to an on premises AD, what kind of user type are they in azure active directory? Synced or Cloud Users?

Thank you!

MuellerMartin · ‎Dec 18 2019

@juliankuenzel The way I understand it, you will have to use AAD Connect Cloud Provisioning to bring the users from AD to AAD. This will result in Synced Users.

BertDeSmedt · ‎Dec 18 2019

Hello, We mainly have issues to sync confidential attributes. Is there already a way to protect certain attributes in AAD so not everybody in your tenant can read them? In this case: There will be some confidential data in sap too I suppose?

MuellerMartin · ‎Jan 22 2020

Hi, I am trying to write email back to successfactors. Unfortunately, our setup is not as simple as the solution expects. We have more than just the "email" attribute in Successfactors. There are private and business mail addresses. So I will have to write 2 Attributes: "emailAddress" and "emailType", both of type string.

Is there any way i could achieve this? Or is something more dynamic on the roadmap? I'm happy to provide more details if this is helpful.

Chetan Desai · ‎Jan 22 2020

@MuellerMartin by default the connector writes back the email attribute of type work. I would like to understand more about your writeback scenario. Can you send me a DM and I'll setup a call for us to discuss this requirement.

Rufat_Alizada · ‎May 12 2020

Hi @Chetan Desai,

Is it supported to install provisioning agent to the same server where existing AzureADConnect works? Will these two service work indendeptenly?

We'd like to setup only synchronization part of SuccessFactor attributes to on-premises whilst keep AzureADConnect configuration untouched.

Thanks.

Chetan Desai · ‎May 12 2020

@BertDeSmedt Looks like I missed responding to your question. My apologies. Regarding sync of confidential attributes and controlling its visibility, it is not supported in Azure AD. Please add this feedback in our UserVoice channel so it stays on our radar.

@Rufat_Alizada Yes, you can install the provisioning agent on the same server running Azure AD Connect sync. Both services work independently of each other. Feel free to DM me if you have any other questions as you start setting up SuccessFactors HR inbound provisioning.

Allstar147 · ‎May 21 2020

Hi Team,

Do you have any ETA when this will be GA? SuccessFactors to AD

At this moment only Okta and DellBoomi have this implemented , but they are middle men between SF and AD, so a direct sync agent between these 2 will be awesome

Chetan Desai · ‎Jun 11 2020

@Allstar147 Thank you for your feedback. We are planning to announce GA by end of July 2020.

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs