Rick Goud

Reputation: 97

Provision functional/delegated/group accounts from Azure AD using SCIM

We use SCIM 2.0 to provision accounts from a source, like AD, to our app. However, customers are increasingly moving to Azure AD. Provisioning 'normal' accounts from Azure AD is supported and is straightforward. However, we can find no information on how group/functional/delegated accounts can be created in Azure AD with assigned users, and thus also not how to provision those accounts. Currently our customers seem to manage these accounts directly in Exchange Online, which means there are two distinct sources, and these accounts cannot be provisioned from Exchange using SCIM.

Can anyone help me understand what is and what is not possible in Azure AD in terms of these accounts and provisioning?

Thanks!

Regards, Rick

Upvotes: 0

Views: 171

Answers (1)

Kartik Bhiwapurkar

Reputation: 5159

• As per your query, group accounts can be created, and they can be assigned to a particular app assignment or an app role. Please find below a PowerShell script to create a group that can be assigned to a role:

```powershell
# Creates a mail-enabled security group in Azure AD (AzureAD PowerShell module);
# -IsAssignableToRole $true makes the group eligible for Azure AD role assignment.
$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" `
    -Description "This group is assigned to Helpdesk Administrator built-in role in Azure AD." `
    -MailEnabled $true -SecurityEnabled $true `
    -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true
```

• For more information on delegated accounts, please refer to the links below:

https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-delegate

https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-self-service-management

• As far as provisioning of user and group accounts is concerned, we can do the below tasks:

  1. Automate provisioning: Automatically create new accounts in the right systems for new people when they join your team or organization.
  2. Automate deprovisioning: Automatically deactivate accounts in the right systems when people leave the team or organization.
  3. Synchronize data between systems: Ensure that the identities in your apps and systems are kept up to date based on changes in the directory or your human resources system.
  4. Provision groups: Provision groups to applications that support them.
  5. Govern access: Monitor and audit who has been provisioned into your applications.
  6. Seamlessly deploy in brown field scenarios: Match existing identities between systems and allow for easy integration, even when users already exist in the target system.
  7. Use rich customization: Take advantage of customizable attribute mappings that define what user data should flow from the source system to the target system.
  8. Get alerts for critical events: The provisioning service provides alerts for critical events and allows for Log Analytics integration where you can define custom alerts to suit your business needs.

Please refer to the link below for more information:

https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/user-provisioning

Thanking you,

Upvotes: 0
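An added example, not part of either post, of what "Provision groups" means on the receiving side: the app's SCIM 2.0 endpoint has to apply the membership PATCH that Azure AD sends to `PATCH /Groups/{id}` after the group is assigned to the app. The group id, member ids and request body are constructed, the `Add`/`Remove` operation shapes follow Azure AD's SCIM documentation, and the helper names are mine.

```python
"""Apply an Azure AD style SCIM 2.0 PatchOp to a Group resource stored by the app."""
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed sample: the group as the app stored it after the initial POST /Groups.
helpdesk_group = {
    "schemas": [GROUP_SCHEMA],
    "id": "grp-0001",  # constructed id
    "displayName": "Contoso_Helpdesk_Administrators",
    "members": [{"value": "usr-0001"}],  # constructed user id
}

# Constructed sample: a membership PATCH in the shape Azure AD sends to PATCH /Groups/{id}.
sample_patch = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [
        {"op": "Add", "path": "members",
         "value": [{"value": "usr-0002"}, {"value": "usr-0001"}]},  # usr-0001 already present
        {"op": "Remove", "path": 'members[value eq "usr-0001"]'},
    ],
}

FILTER_PREFIX = 'members[value eq "'


def apply_group_patch(group: dict, patch: dict) -> dict:
    """Return a new group with the PatchOp applied; reject anything it does not understand."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM 2.0 PatchOp request")
    members = {m["value"] for m in group.get("members", [])}
    for op in patch.get("Operations", []):
        kind = op.get("op", "").lower()  # Azure AD sends "Add"/"Remove"; RFC 7644 uses lower case
        path = op.get("path", "")
        if kind == "add" and path == "members":
            members.update(m["value"] for m in op.get("value", []))  # set: duplicates are harmless
        elif kind == "remove" and path == "members" and "value" in op:
            members.difference_update(m["value"] for m in op["value"])
        elif kind == "remove" and path.startswith(FILTER_PREFIX) and path.endswith('"]'):
            members.discard(path[len(FILTER_PREFIX):-2])  # members[value eq "<id>"]
        elif kind == "remove" and path == "members":
            members.clear()  # bare "members" path removes the whole attribute (RFC 7644)
        else:
            raise ValueError(f"unsupported operation: {op}")  # fail closed on unknown ops
    return {**group, "members": [{"value": v} for v in sorted(members)]}


def member_ids(group: dict) -> list:
    """Convenience accessor used when reconciling the stored group against the directory."""
    return [m["value"] for m in group.get("members", [])]
```

Rejecting unrecognised operations, rather than ignoring them, is what keeps the app's copy of the group from silently diverging from Azure AD.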
