Tutorial: Configure Federated Directory for automatic user provisioning
The objective of this tutorial is to demonstrate the steps to be performed in Federated Directory and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to Federated Directory.
This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory.
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
- An Azure AD tenant.
- A Federated Directory.
- A user account in Federated Directory with Admin permissions.
Assign Users to Federated Directory
Azure Active Directory uses a concept called assignments to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that have been assigned to an application in Azure AD are synchronized.
Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Federated Directory. Once decided, you can assign these users and/or groups to Federated Directory by following the instructions here:
Important tips for assigning users to Federated Directory
It is recommended that a single Azure AD user is assigned to Federated Directory to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later.
When assigning a user to Federated Directory, you must select any valid application-specific role (if available) in the assignment dialog. Users with the Default Access role are excluded from provisioning.
Set up Federated Directory for provisioning
Before configuring Federated Directory for automatic user provisioning with Azure AD, you will need to enable SCIM provisioning on Federated Directory.
Sign in to your Federated Directory Admin Console
Navigate to Directories > User directories and select your tenant.
To generate a permanent bearer token, navigate to Directory Keys > Create New Key.
Create a directory key.
Copy the Access Token value. This value will be entered in the Secret Token field in the Provisioning tab of your Federated Directory application in the Azure portal.
Add Federated Directory from the gallery
To configure Federated Directory for automatic user provisioning with Azure AD, you need to add Federated Directory from the Azure AD application gallery to your list of managed SaaS applications.
To add Federated Directory from the Azure AD application gallery, perform the following steps:
In the Azure portal, in the left navigation panel, select Azure Active Directory.
Go to Enterprise applications, and then select All applications.
To add a new application, select the New application button at the top of the pane.
In the search box, enter Federated Directory, select Federated Directory in the results panel.
Navigate to the URL highlighted below in a separate browser.
Click LOG IN.
As Federated Directory is an OpenIDConnect app, choose to login to Federated Directory using your Microsoft work account.
After a successful authentication, accept the consent prompt for the consent page. The application will then be automatically added to your tenant and you will be redirected to your Federated Directory account.
Configuring automatic user provisioning to Federated Directory
This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in Federated Directory based on user and/or group assignments in Azure AD.
To configure automatic user provisioning for Federated Directory in Azure AD:
Sign in to the Azure portal. Select Enterprise Applications, then select All applications.
In the applications list, select Federated Directory.
Select the Provisioning tab.
Set the Provisioning Mode to Automatic.
Under the Admin Credentials section, input
https://api.federated.directory/v2/in Tenant URL. Input the value that you retrieved and saved earlier from Federated Directory in Secret Token. Click Test Connection to ensure Azure AD can connect to Federated Directory. If the connection fails, ensure your Federated Directory account has Admin permissions and try again.
In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox - Send an email notification when a failure occurs.
Under the Mappings section, select Synchronize Azure Active Directory Users to Federated Directory.
Review the user attributes that are synchronized from Azure AD to Federated Directory in the Attribute Mapping section. The attributes selected as Matching properties are used to match the user accounts in Federated Directory for update operations. Select the Save button to commit any changes.
To configure scoping filters, refer to the following instructions provided in the Scoping filter tutorial.
To enable the Azure AD provisioning service for Federated Directory, change the Provisioning Status to On in the Settings section.
Define the users and/or groups that you would like to provision to Federated Directory by choosing the desired values in Scope in the Settings section.
When you are ready to provision, click Save.
This operation starts the initial synchronization of all users and/or groups defined in Scope in the Settings section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the Synchronization Details section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Federated Directory.
For more information on how to read the Azure AD provisioning logs, see Reporting on automatic user account provisioning
- Managing user account provisioning for Enterprise Apps
- What is application access and single sign-on with Azure Active Directory?