Azure AD SCIM provisioning - Create User random password

GonzaloSanMartin-2333 40 Reputation points
2023-07-28T21:03:47.1233333+00:00

Hi, I am integrating Azure AD SCIM provisioning to an external app.

The external app requires a password on the create user API call. When I tried to configure the attribute mapping for the provisioning app there is no password attribute (I was thinking of creating a randomString expression and assigning it to the target attribute password, but it is not an option). I also tried to add a new custom attribute "password", but when I test the on-demand provisioning feature the attribute is not sent.

I was checking this similar question https://learn.microsoft.com/en-us/answers/questions/1113754/azure-ad-scim-provisioning-how-to-sync-passwords ; the last comment says:

Take note, this is different than initially seeding a random redacted/nondisclosed password into an application because the user cannot be created without a value being provided, which may be supported by some of our on-premises provisioning flows.

but it does not clarify how to implement such a thing.

Thanks in advance!


Accepted answer
  1. Peter Kayode 506 Reputation points
    2023-07-28T21:11:28.0966667+00:00

    Gonzalo San Martin

    I understand your situation with Azure AD SCIM provisioning.

    Azure AD does not support the synchronization of passwords to external systems through SCIM. This is primarily due to security concerns, as it can be risky to send passwords across the network, even if the connection is secure.

    In situations where you require user authentication, systems typically use some form of Single Sign-On (SSO) through protocols like SAML or OpenID Connect. These allow users to authenticate with Azure AD without your external system needing to know the user's password.

    If your specific case requires sending a password to an external system during the creation of a new user, Azure AD SCIM provisioning does not provide a built-in mechanism for generating random passwords. The attributes that Azure AD provisions to your external system are based on the user's attributes in Azure AD. Passwords are not included due to the aforementioned security reasons.

    A general practice in such cases is to assign a temporary password during provisioning, which the user is then prompted to change upon their first login. This kind of implementation would typically be handled on your external system's end rather than within Azure AD.

    Hope this helps.

    Peter

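What the accepted answer describes on the external app's side, as an added example that is not from the original thread or from Microsoft: a minimal SCIM 2.0 create-user handler that, because Azure AD's mapping carries no password attribute, seeds a random temporary credential, stores only a salted hash, flags the account for a password change at first login, and never echoes the password in the response. The function names, the in-memory store and the PBKDF2 round count are assumptions.

```python
import hashlib
import hmac
import os
import secrets

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PBKDF2_ROUNDS = 200_000  # assumption; tune to your hardware
USER_STORE: dict = {}    # constructed in-memory store standing in for the app's DB


def generate_temporary_password(nbytes: int = 24) -> str:
    """Cryptographically random temporary password (secrets, not random)."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only salt and digest are ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(user_name: str, password: str) -> bool:
    """Constant-time comparison against the stored digest."""
    rec = USER_STORE.get(user_name)
    if rec is None:
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["digest"])


def create_user(payload: dict) -> dict:
    """Handle POST /Users. Returns the SCIM resource for the 201 body."""
    if SCIM_USER_SCHEMA not in payload.get("schemas", []):
        raise ValueError("invalidValue: unsupported schema")  # SCIM 400
    user_name = payload["userName"]
    if user_name in USER_STORE:
        raise ValueError("uniqueness: userName already exists")  # SCIM 409
    # Azure AD's attribute mapping carries no password, so this is normally
    # absent and the app seeds its own temporary credential.
    temp_password = payload.get("password") or generate_temporary_password()
    salt = os.urandom(16)
    USER_STORE[user_name] = {
        "id": secrets.token_hex(16),
        "active": payload.get("active", True),
        "salt": salt,
        "digest": hash_password(temp_password, salt),
        "must_change_password": True,  # force a reset at first interactive login
    }
    # password is returned="never" in the SCIM core schema: do not echo it.
    return {"schemas": [SCIM_USER_SCHEMA], "id": USER_STORE[user_name]["id"],
            "userName": user_name, "active": USER_STORE[user_name]["active"],
            "meta": {"resourceType": "User"}}
```

When sign-in to the app goes through SAML or OpenID Connect as the answer recommends, the seeded credential only satisfies the create call and is never used interactively.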
