Entra ID to Salesforce auto provisioning - how to link the Entra ID account to a different Salesforce user account?

Question

Entra ID to Salesforce auto provisioning - how to link the Entra ID account to a different Salesforce user account?

Sana R 5

We have Entra ID to Salesforce integration for auto provisioning / deprovisoning. The link to both the system is via matching Federation ID field in EntraID and Salesforce.

We have a use case whereby we are intentionally blocking user provisioning update on an existing Salesforce user account when a key user attribute value changes in Entra ID (for example, user changes to a different sister company). In this case, the Entra ID provisioning results in error because we have a validation rule in Salesforce to prevent the auto provisioning update. We then manually update the Federation ID of this user at the Entra ID level so that we would expect Entra ID to create a new Salesforce user account. However, this does not happen as Entra ID seems to be trying to update the previously linked Salesforce user account.

Ravi Kanth Koppala 3,391 Reputation points Microsoft Employee Moderator

2023-12-16T02:56:31.6566667+00:00
@Sana R

To link a different Salesforce user account to Entra ID, you need to update the Federation ID field in Entra ID for the corresponding user. This will create a new Salesforce user account instead of updating the previously linked one. However, in the user's scenario, they are intentionally blocking user provisioning updates on an existing Salesforce user account when a key user attribute value changes in Entra ID. In this case, Entra ID will not create a new Salesforce user account even if the Federation ID is updated.

Unfortunately, the provided context does not contain information on how to handle this specific use case. It is recommended to consult Salesforce documentation or reach out to their support team for further assistance.

References:

Tutorial: Configure Salesforce for automatic user provisioning

Plan an automatic user provisioning deployment in Microsoft Entra ID

Access control safeguard guidance

AI Note: This comment is generated using the Microsoft Q&A AI Assist tool.
Sana R 5 Reputation points

2023-12-17T11:43:42.3+00:00

@Ravi Kanth Koppala This statement may not be true.. "To link a different Salesforce user account to Entra ID, you need to update the Federation ID field in Entra ID for the corresponding user." Our understanding is that once Entra ID establishes a link to the Salesforce User, it preserves the Salesforce userid of that user for future linkage. So updating the Federation identifier does not create a new account. In our case, we would want to have a new user created in Salesforce.

See this article.

https://learn.microsoft.com/en-us/entra/identity/app-provisioning/how-provisioning-works

"If a matching user isn't found in the target system, it's created using the attributes returned from the source system. After the user account is created, the provisioning service detects and caches the target system's ID for the new user. This ID is used to run all future operations on that user."

Is restarting sync (clearing state) the only option to fix this?

https://learn.microsoft.com/en-us/graph/api/synchronization-synchronizationjob-restart?view=graph-rest-beta&tabs=http&preserve-view=true
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-12-27T06:20:24.1433333+00:00

@Sana R Apologies for the delayed response, would request to review the Matching precedence configuration - https://learn.microsoft.com/en-us/entra/identity/app-provisioning/customize-application-attributes#understanding-attribute-mapping-properties:~:text=Understanding%20attribute%2Dmapping%20properties

Also do share with the current configuration details (matching precedence) for better understanding of the issue.

1 answer

Your answer

Ravi Kanth Koppala 3,391 Reputation points Microsoft Employee Moderator

2023-12-16T02:56:31.6566667+00:00

@Sana R

To link a different Salesforce user account to Entra ID, you need to update the Federation ID field in Entra ID for the corresponding user. This will create a new Salesforce user account instead of updating the previously linked one. However, in the user's scenario, they are intentionally blocking user provisioning updates on an existing Salesforce user account when a key user attribute value changes in Entra ID. In this case, Entra ID will not create a new Salesforce user account even if the Federation ID is updated.

Unfortunately, the provided context does not contain information on how to handle this specific use case. It is recommended to consult Salesforce documentation or reach out to their support team for further assistance.

References:

Tutorial: Configure Salesforce for automatic user provisioning

Plan an automatic user provisioning deployment in Microsoft Entra ID

Access control safeguard guidance

AI Note: This comment is generated using the Microsoft Q&A AI Assist tool.
Sana R 5 Reputation points

2023-12-17T11:43:42.3+00:00

@Ravi Kanth Koppala This statement may not be true.. "To link a different Salesforce user account to Entra ID, you need to update the Federation ID field in Entra ID for the corresponding user." Our understanding is that once Entra ID establishes a link to the Salesforce User, it preserves the Salesforce userid of that user for future linkage. So updating the Federation identifier does not create a new account. In our case, we would want to have a new user created in Salesforce.

See this article.

https://learn.microsoft.com/en-us/entra/identity/app-provisioning/how-provisioning-works

"If a matching user isn't found in the target system, it's created using the attributes returned from the source system. After the user account is created, the provisioning service detects and caches the target system's ID for the new user. This ID is used to run all future operations on that user."

Is restarting sync (clearing state) the only option to fix this?

https://learn.microsoft.com/en-us/graph/api/synchronization-synchronizationjob-restart?view=graph-rest-beta&tabs=http&preserve-view=true
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-12-27T06:20:24.1433333+00:00

@Sana R Apologies for the delayed response, would request to review the Matching precedence configuration - https://learn.microsoft.com/en-us/entra/identity/app-provisioning/customize-application-attributes#understanding-attribute-mapping-properties:~:text=Understanding%20attribute%2Dmapping%20properties

Also do share with the current configuration details (matching precedence) for better understanding of the issue.

Answer 1

Hello Sana,

Thank you for your question, you are correct, in this case since we have already established a link with an identity the sync engine will continue to update that specific identity.

To clear this link and allow the sync engine to search for the identity based on the matching property, you will need to run the graph call from the document you linked on one of your comments:

To run the call, you'll need:

The objectId of the provisioning app.
The jobId of the provisioning app.
A global admin who can sign in to graph and consent to this permission: Synchronization.ReadWrite.All

The graph call is:

POST https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/jobs/{jobId}/restart
Authorization: Bearer <token>
Content-type: application/json
{
   "criteria": {
       "resetScope": "Full"
   }
}

Please let me know if you have any questions about the steps provided.

Share via

Entra ID to Salesforce auto provisioning - how to link the Entra ID account to a different Salesforce user account?

1 answer

Your answer