This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 50%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EML%3C/text%3E%3C/svg%3E)
The SAP SuccessFactors to Active Directory user provisioning agent provisions users to Active Directory. Subsequently Azure AD Connect provisions the user in Azure/M365. Since the SAP provisioning agent creates the user with a password that is not logged, the user needs to change or reset their password to authenticate.
I can create an on-premises application that scans new user in on-premises Active Directory, set the password to a new random value, and convey that password to the user or user's manager via email but that's a stand-alone on-premises custom application the client needs to own/maintain.
We have personal mobile and email information available to pre-register authentication methods in Azure. I can create an on-premises application that scans new user in on-premises Active Directory and check the consistency GUID as a signal the Azure object has been created and register the methods(s). However, this is still a stand-alone on-premises custom application the client needs to own/maintain.
Appreciate any guidance on how to improve upon these possible solutions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 72%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETA%3C/text%3E%3C/svg%3E)
I have the same issue, I am able to push all changes and everything but having below issues.
TAP from Lifecycle workflow is not for AD users. We are looking for a good solution.
We would like to move terminated users into a separate OU which is not possible though SuccessFactors Active directory integration form.
I think what you're looking for is our new Lifecycle Workflows feature. See documentation here: https://learn.microsoft.com/en-us/azure/active-directory/governance/what-are-lifecycle-workflows
I don't know that you'll be able to do the plaintext password via email thing, but I think you can leverage the Temporary Access Pass (TAP) feature in its place, in combination with Lifecycle Workflows.
The link seems to cover the plaintext password thing:
Automating and extending user onboarding/HR provisioning - Use Lifecycle workflows when you want to extend your HR provisioning scenarios by automating tasks such as generating temporary passwords and emailing managers. If you currently have a manual process for on-boarding, use Lifecycle workflows as part of an automated process.
FWIW, I'm not keen on emailing passwords but it is what the customer is requesting. I think the Authentication Methods approach is better since it registers user in SSPR without needing a password.
I'll dig further but this seems to point me a good direction. Thanks.
Hello zollnerD
I hope you are fine yes I am here for looking my workflow azure if u help me then reply. I find a link in your post azure...... Before I click this tell. Me about your self
Thanks
warm regards.......
Syed bilal shah
Ceo
THE ROYAL EXPRESS TRAVELS
we would like to move terminated users into separate OU and TAP solution is for only cloud logins, we need to find a way to set password for AD account.
Please advise.
