Provisioning
API-driven provisioning field mapping changes resynchronize all users and groups
We have configured API-driven provisioning for on-premises Active Directory, along with Azure AD Connect, to synchronize on-premises AD users with Azure Entra ID. As part of the provisioning setup, we have used a separate Organizational Unit (OU) in on-premises AD (designated as the default OU for new users) while configuring API-driven provisioning. We are attempting to make some changes to the API field mapping, specifically the 'UserPrincipalName' regular expression (custom domain) and the 'manager' field, and to save the configuration. Upon attempting to save, a prompt appears (highlighted in the screenshot below) indicating that this action will resynchronize all users and groups. Could you please clarify: Will this resynchronization update any existing users outside the default provisioning Organizational Unit (OU)? Specifically, what does the resynchronization operation update? For instance, will it modify the 'UserPrincipalName' and 'manager' attributes for all users, including old users outside the provisioning Organizational Unit (OU)?

Screen Shot - While Saving Mapping

Entra Hybrid Join - Problems with Server 2016 and userCertificate
Dear Community,

I am having some trouble with the hybrid join of a group of servers (Windows Server 2016). The basic problem is that Windows is not creating the required self-signed certificate and therefore the AD attribute "userCertificate" is empty. As we know, while it is empty, the objects are not getting synced to Entra ID (A Mobile Attempt: Azure AD Hybrid Join and the UserCertificate Attribute). And I can't find out why this certificate is not created.

As mentioned, it affects only some Server 2016 machines, which are our RDS Terminal Servers. All other Windows Servers and Clients are successfully synced and have a userCertificate (including other Server 2016). All our servers are VMs based on VMware.

Some more words about these RDS Servers:
- They are cloned from a VMware template
- The deployment process is as follows:
  - On a Master VM we install all updates / software. It is domain joined and has a userCertificate
  - The Master VM gets converted into a VMware template
  - New RDS TS are created from this template, with a configuration to reset the SID and automatic domain join. They have no userCertificate

Test lab for troubleshooting

I created some new VMs to test and verify the behavior. Here is what I did:
- Installed a new Windows Server 2016 VM from DVD, installed all latest updates and converted it into a VMware template -> Srv2016_Template. This should be my new template for Server 2016.
- Created a new VM from this template: Srv2016RDSMaster, using a configuration to generate a new SID and automatic domain join. This should simulate my Master template for new Terminal Servers. --> It has a "userCertificate" in its AD object
- Converted it into a VMware template
- Created a new VM from this template: Srv2016RDS01, using a configuration to generate a new SID and automatic domain join. --> It has no "userCertificate" in its AD object

Troubleshooting steps

Networking
- No proxy, direct Internet
- No DENY on our firewall -> Internet available
- Verified that these URLs are accessible:
  https://enterpriseregistration.windows.net
  https://login.microsoftonline.com
  https://device.login.microsoftonline.com
  https://autologon.microsoftazuread-sso.com

Active Directory and Infrastructure
- The Service Connection Point (SCP) is set in the forest and has the tenant name and ID (otherwise no computer would be synced)
- GPOs are not linked to the OU in which the computers are

Local troubleshooting on the VM
- The Scheduled Task for "Workplace Join" is enabled and runs
- dsregcmd /status
- EventLog - "Application and Service protocols" -> "Microsoft" -> "Windows" -> "User Device Registration": two errors, each time the Workplace Join task starts:

Sysprep
- Also tried a sysprep on the VM, rebooted, manually joined it to AD --> Still no userCertificate
- Tried the same again and also deleted the AD object --> Still no userCertificate

Activated TLS 1.2
- Enable TLS 1.2 on servers - Configuration Manager | Microsoft Learn -> no effect

Articles I read and verified
- Plan your Microsoft Entra hybrid join deployment - Microsoft Entra ID | Microsoft Learn
- Configure Hybrid Azure AD Join - Everything you need to know
- A Mobile Attempt: Azure AD Hybrid Join and the UserCertificate Attribute
- Troubleshoot Microsoft Entra hybrid joined devices - Microsoft Entra ID | Microsoft Learn

My conclusion

I guess it has something to do with Server 2019. Why I am saying this: I have tested the same setup with an old, existing Server 2019 template (created "Master VM" -> converted into template -> created VM from this template) --> all VMs have userCertificates in their AD object.

So I would be glad if someone has ideas about it.

Thanks,
Chris

SCIM provisioning - custom app authentication
Hi, in the documentation for handling endpoint authentication, two methods are given:
1) a "long-lived token" (i.e. a secret key that has to be pasted in clear by the admin)
2) "Microsoft Entra bearer token" - similar to other services (e.g. callbacks for MS Teams bots), Microsoft signs the outgoing calls, and the app being provisioned can validate them against Microsoft's public keys
To me, option (2) is by far the best - each message is signed individually, there is no manual handling of secrets, etc. As said in the documentation - "Apps that use Microsoft Entra ID as an identity provider can validate this Microsoft Entra ID-issued token." - great! So why on earth does it then say "The token generated by the Microsoft Entra ID should only be used for testing. It shouldn't be used in production environments."? Why not? The whole system of Entra bearer tokens is only for test? And production should go back to secret keys, with all the problems they have? It doesn't seem right... What am I missing here?

Failed authentication with SAML Certificate
When I create a new Enterprise application and set up SAML-based SSO, the token signing certificate (Base64) I get fails to log my user into my application. I have to re-upload the certificate for a successful login request. This has started happening often.

Azure AD SCIM Validator is in General Availability (GA) Status
You can now validate the compatibility of your SCIM provisioning endpoint with the Azure AD code base using our Azure AD SCIM Validator. This tool can be used by ISVs who want to build SCIM-compatible servers, either for a gallery app or a generic app, and by developers building their line-of-business SCIM apps.
https://learn.microsoft.com/azure/active-directory/app-provisioning/scim-validator-tutorial

I would like to understand the ease of integration between Entra ID and Atom C2
We are using Atom C2 as our ticketing platform to submit various types of requests, including access requests, and would like to keep using C2 while making our transition to Entra ID. I am trying to understand the ease of integration between C2 and Entra ID. How would I go about doing it? Could someone point me in the right direction?

Syncing multi-value Extension Attributes with SCIM - attribute is "undefined"
We have a number of extension attributes that we sync from our on-prem AD to Entra ID. One of these attributes is roomNumber, which is a multi-value attribute. We use SCIM to send Entra ID users into various systems, and we wanted to add roomNumber to these feeds. I can query Entra ID via MS Graph and see that these fields are populated (see screenshot). I can also use the Expression Builder in the SCIM apps to query roomNumber against our users (see screenshot). But when I then try to send this attribute over to any receiving system, the logs show that Entra ID says the attribute is "undefined" and so sends nothing over. I have done a number of things:
1. Modified the app schema to ensure that roomNumber is multi-value
2. Used expressions such as Item(attribute,index) in case there was some issue with retrieving an array.
What do I need to do for user provisioning to pick up the roomNumber value?

Issue with API-driven provisioning and Supervisor ID
I am trying to use API-driven provisioning to create new user accounts from my HR system. One of the fields that you should be able to map is the Manager ID to assign the manager. Up until now, we have created Entra users manually, so I have added employee IDs to some accounts. When I run the provisioning I use something like "manager": { "value": "12345" }. If I use the employee ID of a user that I created manually I receive an entry in the logs like: We were unable to assign 12345 as the manager of 12346. In order to ensure that the references are updated properly, you have two options. First, ensure that 100001 is in scope for provisioning. Provision 12345 on-demand and then provision 12346 on-demand. Alternatively, you can restart provisioning after ensuring that 12345 is in scope for provisioning. If, however, I provision a user with the API and then try to assign that user as a manager, then that user does get assigned. Is there

User provisioning (not SCIM)
Hi, I am trying to find a way to provision users to an API-enabled SaaS application when the account gets synchronized to Azure. Unfortunately the SaaS app is not really SCIM compliant and runs basic auth. I am looking to do something serverless like Automation Runbooks. I have tried Graph and PowerShell but am not finding a good way to filter users based on createdDateTime for all users in the last x amount of time. In fact, it seems I can only read createdDateTime for a user if I specify their objectID and not their UPN, which seems odd to me. PowerShell seems to have problems with the same type of filtering with extensionproperty.createddatetime. I have lots of examples that don't work, such as:
https://graph.microsoft.com/beta/users?$filter=createdDateTime gt datetime '2019-01-01'
or
$When = ((Get-Date).AddDays(-30)).Date
Get-AzureADUser -Filter datetime 'extensionproperty.CreatedDateTime -ge $When'
But these queries work:
((get-azureaduser -objectID <objectid> ).extensionproperty).createdDateTime
and
https://graph.microsoft.com/beta/users/(objectid)?select=createdDateTime
It's totally likely that I don't understand the OData query syntax or have been looking at this too long LOL. Has anyone tried this? Another angle I thought of might be to watch the Azure Audit logs for Add User, but that seems pretty far down the rabbit hole and might involve an event hub. Thanks in advance for any help, other ideas, concerns, commiseration, etc.
Charlie

SAP application roles in Entra ID and user provisioning
Hello Team, since SAP IDM is going to retire, can Entra ID be a possible replacement for it? In some blog posts from SAP they themselves recommend using Entra ID instead of SAP IDM. Entra ID, using its identity governance lifecycle workflows, can cater to Joiner, Mover and Leaver scenarios, and it also has out-of-the-box integration with SAP HR. But the main question is: since SAP's applications are mainly role driven, how can we map SAP application-specific roles to users via Azure AD? E.g.: User A has joined a company and, using SAP HR, its record and data is created in Entra ID, but now User A also needs access to SAP app 1 and app 2, and app 1 and app 2 have their own role sets. How can these roles be made available in Entra ID, and even if we somehow make them available as part of an Entra ID group, once users become part of these groups in Entra ID, how will the user provisioning to SAP app 1 and app 2 work? Ideally in SAP, provisioning works via the SAP IPS service, but in the Entra ID docs all we have is a way to provision users to SAP IPS using SCIM. There are other SAP components, namely SAP IAG and GRC, which are the governing authority that grants users access to SAP applications for their requested role and provisions the users once the access request is approved in IAG or GRC. How can these systems be integrated with Entra ID? There are no connectors from Entra ID for such event-based user provisioning.
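An added example (not Microsoft's code and not from the poster) for the "SCIM provisioning - custom app authentication" question above. It shows what a SCIM endpoint has to check under each of the two schemes that post names: a constant-time comparison for the long-lived secret, and full validation of an IdP-issued bearer JWT (algorithm allow-list, signature, iss, aud, exp/nbf). The signature check is a callback: Entra-issued tokens are RS256 and would be verified against the tenant's published keys, as the post describes; so that this runs offline, the self-test signs with an HMAC key constructed inline. ISSUER, AUDIENCE, the key and the claims are placeholder assumptions.

```python
"""SCIM endpoint authentication: shared secret vs. IdP-issued bearer JWT.
Added example; ISSUER/AUDIENCE and the test key are placeholders."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder
AUDIENCE = "api://scim.example.invalid"                                     # placeholder


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_shared_secret(presented: str, expected: str) -> bool:
    """Long-lived token option: the static secret pasted into the provisioning
    config.  compare_digest stops the secret leaking via response timing."""
    return hmac.compare_digest(presented.encode(), expected.encode())


def hs256_verifier(secret: bytes):
    """Signature callback used by the offline self-test.  Entra-issued tokens are
    RS256; a production callback would resolve header['kid'] against the tenant's
    JWKS and verify the RSA signature, keeping this same interface."""
    def verify(header: dict, signing_input: bytes, signature: bytes) -> bool:
        if header.get("alg") != "HS256":
            return False
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return verify


def make_hs256_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Constructs a test token (stand-in for the IdP-issued one); alg is
    settable so the tests can forge an 'alg: none' header."""
    h = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"


def validate_bearer_jwt(token: str, issuer: str, audience: str, verify_signature,
                        allowed_algs=("RS256",), now=None, leeway: int = 60) -> dict:
    """Entra bearer token option.  Order matters: reject unexpected algorithms,
    verify the signature, then check the claims.  Raises ValueError on any
    failure so the SCIM endpoint fails closed."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_unb64url(h64))
        claims = json.loads(_unb64url(p64))
        signature = _unb64url(s64)
    except ValueError as exc:  # covers unpacking, base64 and JSON errors
        raise ValueError("malformed token") from exc
    if header.get("alg") not in allowed_algs:  # blocks alg=none and alg swaps
        raise ValueError("algorithm not allowed")
    if not verify_signature(header, f"{h64}.{p64}".encode(), signature):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if now + leeway < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def authenticate_scim_request(authorization: str, shared_secret, verify_signature,
                              allowed_algs=("RS256",), now=None) -> str:
    """Accepts either scheme from the post; returns which one matched."""
    scheme, _, credential = authorization.partition(" ")
    if scheme.lower() != "bearer" or not credential:
        raise ValueError("missing bearer credential")
    if shared_secret is not None and check_shared_secret(credential, shared_secret):
        return "shared-secret"
    validate_bearer_jwt(credential, ISSUER, AUDIENCE, verify_signature, allowed_algs, now)
    return "jwt"
```

Whichever scheme is used, the point the post makes stands: on the JWT path the application holds no secret, only the issuer's public keys. Keep the allow-list to the single algorithm you expect from that issuer; a verifier that accepts both RS256 and HS256 is the shape that key-confusion attacks on JWT libraries exploit.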
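An added example (not from the post and not Microsoft code) for the "User provisioning (not SCIM)" question above. The filter that post tried uses OData v2 syntax (datetime '2019-01-01'); Microsoft Graph is OData v4 and takes a bare ISO-8601 literal, and createdDateTime is filterable on the user resource. The block builds that query, follows @odata.nextLink, carries a watermark between runs so a user is not pushed twice, and posts each new user to a basic-auth API. The SaaS endpoint, its JSON body and the Graph token are assumptions; the HTTP calls are injected functions so the logic runs offline on constructed pages.

```python
"""Poll Microsoft Graph for recently created users and hand them to a
basic-auth SaaS API.  Added example; the SaaS side is hypothetical."""
import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def created_since_filter(days: int, now=None) -> str:
    """Graph speaks OData v4: a bare ISO-8601 literal, no datetime'' prefix and
    no quotes.  (datetime '2019-01-01' is OData v2 syntax, hence the failure.)"""
    now = now or datetime.now(timezone.utc)
    since = (now - timedelta(days=days)).replace(microsecond=0)
    return "createdDateTime ge " + since.strftime("%Y-%m-%dT%H:%M:%SZ")


def recent_users_url(days: int, now=None) -> str:
    params = {
        "$filter": created_since_filter(days, now),
        "$select": "id,userPrincipalName,createdDateTime",
        "$top": "999",
    }
    return GRAPH + "/users?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def collect_users(first_url: str, fetch_json) -> list:
    """Follows @odata.nextLink until the result set is exhausted.
    fetch_json(url) -> dict is injected so paging can be tested offline."""
    users, url = [], first_url
    while url:
        page = fetch_json(url)
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return users


def graph_fetcher(access_token: str):
    """Real fetch_json for collect_users; the token needs User.Read.All."""
    def fetch_json(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch_json


def basic_auth_header(username: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def provision_to_saas(users, saas_url: str, auth_header: str, post_json,
                      seen=frozenset()) -> list:
    """Hands each not-yet-seen user to the (hypothetical) SaaS account API.
    post_json(url, headers, body) -> status is injected; wrap urllib in prod."""
    results = []
    for u in users:
        if u["id"] in seen:
            continue  # already provisioned on an earlier run
        body = {"login": u["userPrincipalName"], "externalId": u["id"]}  # assumed schema
        status = post_json(saas_url, {"Authorization": auth_header,
                                      "Content-Type": "application/json"}, body)
        results.append((u["userPrincipalName"], status))
    return results


def next_watermark(users, previous: str) -> str:
    """Highest createdDateTime seen so far.  Persist it and use it as the next
    lower bound instead of a sliding 'last N days' window, so a slipped
    schedule neither misses users nor re-sends them."""
    return max([previous] + [u["createdDateTime"] for u in users])
```

From a runbook, pass graph_fetcher(token) to collect_users and a urllib-based post_json to provision_to_saas, then store next_watermark's result together with the ids already sent: Graph lists ge but not gt among the operators createdDateTime supports, so the user sitting exactly on the watermark comes back on the next run and the seen set is what keeps the push idempotent. Basic auth sends the SaaS password on every call; keep it in the Automation credential store and only ever over TLS.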