Azure AD group provisioning to Adobe with N-to-1 group synchronisation

Question

Good day to all of you,

I work as a software engineer and general IT worker at a highschool. We are having some issues in synchronizing our student and teacher accounts from Azure AD to Adobe, since our usecase is a little unique.
We share the Adobe directory with other highschools, which at this point in time do not use automatic synchronisation. We would like to change that, however, since we're more or less completely separated entities, we organized the Adobe directory using "School Groups", meaning all students from our school are just in the Adobe Group "School A", those from another school in "School B", and so on. Now, obviously we don't have this exact group in Azure, but instead groups like "teachers", "students", "staff" and so on.

What I would like to do is synchronize my users so that they are all part of ONE group on the target directory.

As I see it, I should have 2 possible ways of achieving this:

• Either only synchronize Users, and write my own synchronisationRule to "add" a group membership on the target system ; or:
• Synchronize groups, but change the attribut mapping so that all groups on Azure map to the same group on the target directory.

My question now: Is this even possible ?
I attempted to change the synchronisation_schema.json to reflect possibility 2, but received an error "SchemaInvalid".

What I tried, in the synchronisationRule, in the objectMappings for group, for the groupName attribute:
"targetAttributeName": "displayName",
"source": {
"expression": "[displayName]",
"name": "displayName",
"type": "Attribute",
"parameters": []
}

I changed to:
"targetAttributeName": "displayName",
"source": {
"expression": "\"New unified group name\"",
"name": "New unified group name",
"type": "Constant",
"parameters": []
}

Is this wrong ? Should I provide the whole .json - schema ? The display name of the group is the matching key for the group synchronisation. Is it illegal for that to be a constant ?

So far I was not able to come up with a sync-rule to match my idea nr. 1. Is something like that possible ?

Any help would be greatly appreciated !

Best regards
F. W.

Answer 1

It is not possible to do either of the things you've inquired about - group memberships must remain a "direct" mapping from source (AAD group) -> target(SaaS app group - Adobe in this case).

You'll need to establish a group in Azure AD with membership matching what you'd like it to be in the target, or create a group directly in Adobe and manage it there without AAD Provisioning.

Answer 2

Thank you so much @MarileeTurscak and sorry for not answering you in a timelier fashion. With the holidays in between and generic pandemic stuff going on, things got quite a bit delayed.

Now: Which guide do I follow. There are basically 2, the one you linked and one from Adobe, detailed here:

https://helpx.adobe.com/ee/enterprise/admin-guide.html/ee/enterprise/using/add-azure-sync.ug.html
Which, incidentally, got rewritten over the holidays to contain much less information and instead now references only the official microsoft article. Ooops.

There are two standard options, which both are nicely explained in the article you linked:
Sync of users, and sync of groups. The scoping filters - as I understood them - only tell Azure which users and / or groups to sync, the HOW is done later in the attribute mappings. And here is where I start to stumble.

In the article you linked, point 5.9 reads:
"Review the user attributes that are synchronized from Azure AD to Adobe Identity Management in the Attribute-Mapping section.", and 5.11 reads
"Review the group attributes that are synchronized from Azure AD to Adobe Identity Management in the Attribute-Mapping section.".
This is located in "Enterprise Application" --> "Adobe Identity Management" --> provisioning --> mapping --> and there either "Provision Azure Active Directory Groups" or "Provision Azure Active Directory Users" . I can indeed change these mappings, but the GUI does not allow me to "set" a group membership for a user, since there is no user attribute "memberOfGroup" or something. Instead, the group object contains an attribute "members", which is a list of references to user objects. While neat and clean, it makes it very hard to set a user to a specific group.

I found this tutorial:
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes

But I cannot set the attribute mappings for groups myself in the GUI, the only target attribut I can select is "id", which is not used for the mapping. If I change the mapping for "displayName" to something different, I get an SchemaInvalid Error.

What I did next was read the docs.
You can download the JSON representation of the sync schema if you click the "show advanced options" checkbox at the bottom of the attribute mapping site. To understand it I read the docs here:

https://learn.microsoft.com/en-us/graph/api/resources/synchronization-synchronizationschema
https://learn.microsoft.com/en-us/graph/api/resources/synchronization-synchronizationrule
https://learn.microsoft.com/en-us/graph/api/resources/synchronization-objectmapping
https://learn.microsoft.com/en-us/graph/api/resources/synchronization-attributemapping

And this here:
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/functions-for-customizing-application-data

Which helped me to understand what was written in them, yet sucessfully changing them remains a different beast ^^'

I include 4 screenshots and the JSON of the schema in case some of the things I tried to explain were not clear enough. The language in the Screenshots is part German, if you have any questions please just ask, I will answer quicker than before ! Thank you in advance and best regards,

F.W.

54328-schema.txt