Blog Post

Microsoft Entra Blog
3 MIN READ

Ring in the New Year with automated user provisioning from SAP SuccessFactors to Azure AD

Alex Simons (AZURE)'s avatar
Alex Simons (AZURE)
Icon for Microsoft rankMicrosoft
Dec 16, 2019

Howdy folks,

 

Today, I’m very excited to announce the public preview of automated inbound user provisioning from SAP SuccessFactors to Azure AD and on-premises AD.

 

This builds on the momentum we have already established in simplifying how identities are managed in Azure AD. Early this year, we delivered inbound user provisioning from Workday to Azure AD. We also added more pre-built provisioning capabilities to your favorite SaaS apps including the ability to manage users in bulk. And last week, we announced the public preview of Azure AD Connect cloud provisioning.

 

The public preview of inbound user provisioning from SuccessFactors allows customers to easily orchestrate users from SuccessFactors into Azure AD.

 

 

With this built-in cloud-based integration of Azure AD with SuccessFactors, you can:

  • Securely tap into the rich workforce identity and organization data present in SuccessFactors.
  • Implement end-to-end identity lifecycle management covering the entire spectrum of Joiner-Mover-Leaver scenarios.
  • Eliminate error prone custom scripts to sync employee and contractor data.

Give this a try today

There are five simple steps for you to get started on this capability.

 

Step 1—Select the right provisioning app from the gallery

In the Enterprise App gallery, there are three new pre-integrated applications designed to meet your requirements around SuccessFactors integration.

  • SuccessFactors to Active Directory User Provisioning—Use this app if you have a hybrid identity setup and would like to provision users directly from SuccessFactors to on-premises Active Directory.
  • SuccessFactors to Azure AD User Provisioning—Use this app if you have cloud only users and would like to provision users directly from SuccessFactors to Azure AD.
  • SuccessFactors Writeback—Use this app to writeback email address from Azure AD to SuccessFactors.

 

For more information, refer to the decision flowchart in the Cloud HR deployment plan.

 

Step 2—Configure connectivity to SuccessFactors ODATA API server

Azure AD needs to be configured with the account that has permissions to read data from SuccessFactors.

 

 

If you’re configuring integration with on-premises AD, there is an additional step of installing and configuring Azure AD Connect provisioning agent that is capable of provisioning to multiple AD domains. Refer to the integration tutorial for detailed steps.

 

Step 3—Configure scoping to define identities that will be managed with this integration

Identify which users should be provisioned from SuccessFactors to Azure AD or on-premises AD. If you want to rollout SuccessFactors HR integration gradually based on location, department or division, then you can use the scoping filters to determine which users should be provisioned.

 

The example below uses a scoping filter based on the department attribute:

 

 

Step 4—Configure attribute mappings

The pre-built SuccessFactors provisioning connector supports mapping 70+ different attributes from SuccessFactors. With expression mapping functions, you can apply attribute transformations such as replacing strings, concatenating values and generating unique identifiers.

 

 

Step 5—Turn on the provisioning cycle

Start the provisioning cycle and use the progress bar and provisioning logs to track the provisioning process.

 

 

The SuccessFactors-driven inbound user provisioning feature requires Azure AD Premium P1 subscription. To help you plan your deployment, we have published a comprehensive cloud HR deployment plan as well as a tutorial for configuring SuccessFactors for Inbound User Provisioning

 

Let us know what you think in the comments below. You can also post your feedback or suggestions for new capabilities that you would like to see in our Azure AD UserVoice feedback forum.

 

Best regards,

 

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

Updated Dec 16, 2019
Version 2.0
  • MuellerMartin's avatar
    MuellerMartin
    Copper Contributor
    Dec 18, 2019

    juliankuenzel The way I understand it, you will have to use AAD Connect Cloud Provisioning to bring the users from AD to AAD. This will result in Synced Users.

  • BertDeSmedt's avatar
    BertDeSmedt
    Copper Contributor
    Dec 18, 2019
    Hello, We mainly have issues to sync confidential attributes. Is there already a way to protect certain attributes in AAD so not everybody in your tenant can read them? In this case: There will be some confidential data in sap too I suppose?
  • Allstar147's avatar
    Allstar147
    Copper Contributor
    May 21, 2020

    Hi Team,

     

    Do you have any ETA when this will be GA? SuccessFactors to AD

     

    At this moment only Okta and DellBoomi have this implemented , but they are middle men between SF and AD, so a direct sync agent between these 2 will be awesome 

  • ChetanDesai's avatar
    ChetanDesai
    Icon for Microsoft rankMicrosoft
    Dec 17, 2019

    Thank you MuellerMartin for your feedback! The integration supports Contingent Workforce management and you can import contingent worker info from SuccessFactors Employee Central. Please do give it a try and let us know your feedback. For integrating with multiple on-prem AD domains, register all target AD domains when configuring the provisioning agent and you will see the domains show-up when you configure the provisioning app in the Azure AD portal. 

  • juliankuenzel's avatar
    juliankuenzel
    Copper Contributor
    Dec 18, 2019

    Hello!

     

    if a users is synced to an on premises AD, what kind of user type are they in azure active directory? Synced or Cloud Users?

     

    Thank you!

  • MuellerMartin's avatar
    MuellerMartin
    Copper Contributor
    Jan 22, 2020

    Hi, I am trying to write email back to successfactors. Unfortunately, our setup is not as simple as the solution expects. We have more than just the "email" attribute in Successfactors. There are private and business mail addresses. So I will have to write 2 Attributes: "emailAddress" and "emailType", both of type string.

     

    Is there any way i could achieve this? Or is something more dynamic on the roadmap? I'm happy to provide more details if this is helpful.

  • ChetanDesai's avatar
    ChetanDesai
    Icon for Microsoft rankMicrosoft
    Jan 22, 2020

    MuellerMartin by default the connector writes back the email attribute of type work. I would like to understand more about your writeback scenario. Can you send me a DM and I'll setup a call for us to discuss this requirement. 

  • Rufat_Alizada's avatar
    Rufat_Alizada
    Copper Contributor
    May 12, 2020

    Hi ChetanDesai

     

    Is it supported to install provisioning agent to the same server where existing AzureADConnect works? Will these two service work indendeptenly?

     

    We'd like to setup only synchronization part of SuccessFactor attributes to on-premises whilst keep AzureADConnect configuration untouched. 

     

    Thanks.

  • ChetanDesai's avatar
    ChetanDesai
    Icon for Microsoft rankMicrosoft
    May 12, 2020

    BertDeSmedt Looks like I missed responding to your question. My apologies. Regarding sync of confidential attributes and controlling its visibility, it is not supported in Azure AD. Please add this feedback in our UserVoice channel so it stays on our radar.

     

    Rufat_Alizada Yes, you can install the provisioning agent on the same server running Azure AD Connect sync. Both services work independently of each other. Feel free to DM me if you have any other questions as you start setting up SuccessFactors HR inbound provisioning.