Reputation: 246
We have an enterprise application in our Azure AD tenant where we have enabled automatic user provisioning to provision users in the external service. We have assigned several groups to the application, and the provisioning scope is set to "Sync only assigned users and groups". This currently provisions all users in the groups assigned to the enterprise application.
We would like to add an additional scope filter, so that we can provision members of the assigned groups that are also members of a different group (which is not directly assigned to the enterprise application). I've looked at adding a scope filter, but none of the available attributes seem to be usable for checking group membership. I imagined I would find something like an isMemberOf target attribute, but this does not seem to exist.
Is it possible to achieve such scope filtering?
Upvotes: 1
Views: 5257
Reputation: 668
You can work around this with Azure AD's extension attributes which you can then set based on group membership and use them for filtering in the scope filter in the Enterprise application.
I have recently published a whole blog post outlining this process and full automation - https://hajekj.net/2023/09/18/entra-id-user-and-group-provisioning-with-bitwarden/
Upvotes: 0
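The workaround in the answer above, as an added example (this is not the answerer's script nor the automation from the linked blog post): a Microsoft Graph PowerShell SDK script that stamps `extensionAttribute1` on every transitive user member of the "gating" group and clears it again on users who have left, so the enterprise application's scoping filter can match on that attribute. The group id and the marker value are placeholders to replace with your own; the script assumes cloud-only users, because `onPremisesExtensionAttributes` on a user synced from on-premises AD can only be changed in AD and synced up.

```powershell
# Added example, not code from the question, the answer, or the linked blog post.
# Requires the Microsoft.Graph PowerShell SDK (Invoke-MgGraphRequest, Connect-MgGraph).

$GatingGroupId = "00000000-0000-0000-0000-000000000000"  # placeholder: object id of the group NOT assigned to the app
$Marker        = "app-in-scope"                          # constructed marker value; the scoping filter matches on it

Connect-MgGraph -Scopes "User.ReadWrite.All", "GroupMember.Read.All" | Out-Null

# Follow @odata.nextLink so large groups and user lists are read completely.
function Get-AllPages {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri -Headers @{ ConsistencyLevel = "eventual" }
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# Set (or, with $null, clear) extensionAttribute1 on one user.
function Set-Marker {
    param([string]$UserId, [string]$Upn, $Value)
    $body = @{ onPremisesExtensionAttributes = @{ extensionAttribute1 = $Value } }
    try {
        Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$UserId" -Body $body
        Write-Host ("{0}: extensionAttribute1 = {1}" -f $Upn, ($(if ($null -eq $Value) { "<cleared>" } else { $Value })))
    } catch {
        # Synced users reject this PATCH; their attribute has to be set on-premises.
        Write-Warning ("Could not update {0}: {1}" -f $Upn, $_.Exception.Message)
    }
}

# 1. Current transitive user members of the gating group (nested groups included).
$members = Get-AllPages "https://graph.microsoft.com/v1.0/groups/$GatingGroupId/transitiveMembers/microsoft.graph.user?`$select=id,userPrincipalName"
$memberIds = @{}
foreach ($m in $members) { $memberIds[$m.id] = $true }

# 2. Users that currently carry the marker. Without this reverse check a user who leaves
#    the group keeps matching the scoping filter and is never deprovisioned by the app.
$tagged = Get-AllPages "https://graph.microsoft.com/v1.0/users?`$filter=onPremisesExtensionAttributes/extensionAttribute1 eq '$Marker'&`$select=id,userPrincipalName"
$taggedIds = @{}
foreach ($t in $tagged) { $taggedIds[$t.id] = $true }

# 3. Reconcile: tag new members, untag users that are no longer members.
foreach ($u in $members) {
    if (-not $taggedIds.ContainsKey($u.id)) { Set-Marker -UserId $u.id -Upn $u.userPrincipalName -Value $Marker }
}
foreach ($u in $tagged) {
    if (-not $memberIds.ContainsKey($u.id)) { Set-Marker -UserId $u.id -Upn $u.userPrincipalName -Value $null }
}
```

With the marker in place, add a scoping filter on the enterprise application's provisioning configuration with the source attribute `extensionAttribute1`, operator `EQUALS` and the marker value, and keep the scope at "Sync only assigned users and groups": a user is then provisioned only when both conditions hold, group assignment and the attribute match. Run the script on a schedule (or trigger it from group membership changes) so the attribute keeps tracking the gating group's membership.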