Tutorial: Configure DocuSign for automatic user provisioning
The objective of this tutorial is to show you the steps you need to perform in DocuSign and Microsoft Entra ID to automatically provision and de-provision user accounts from Microsoft Entra ID to DocuSign.
The scenario outlined in this tutorial assumes that you already have the following items:
- A Microsoft Entra tenant.
- A DocuSign single sign-on enabled subscription.
- A user account in DocuSign with Team Admin permissions.
Assigning users to DocuSign
Microsoft Entra ID uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been "assigned" to an application in Microsoft Entra ID are synchronized.
Before configuring and enabling the provisioning service, you need to decide what users and/or groups in Microsoft Entra ID represent the users who need access to your DocuSign app. Once decided, you can assign these users to your DocuSign app by following the instructions here:
Important tips for assigning users to DocuSign
It is recommended that a single Microsoft Entra user is assigned to DocuSign to test the provisioning configuration. Additional users may be assigned later.
When assigning a user to DocuSign, you must select a valid user role. The "Default Access" role does not work for provisioning.
Microsoft Entra ID does not support group provisioning with the Docusign application, only users can be provisioned.
Enable User Provisioning
This section guides you through connecting your Microsoft Entra ID to DocuSign's user account provisioning API, and configuring the provisioning service to create, update, and disable assigned user accounts in DocuSign based on user and group assignment in Microsoft Entra ID.
You may also choose to enabled SAML-based Single Sign-On for DocuSign, following the instructions provided in the Azure portal. Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other.
To configure user account provisioning:
The objective of this section is to outline how to enable user provisioning of Active Directory user accounts to DocuSign.
Browse to Identity > Applications > Enterprise applications.
If you have already configured DocuSign for single sign-on, search for your instance of DocuSign using the search field. Otherwise, select Add and search for DocuSign in the application gallery. Select DocuSign from the search results, and add it to your list of applications.
Select your instance of DocuSign, then select the Provisioning tab.
Set the Provisioning Mode to Automatic.
Under the Admin Credentials section, provide the following configuration settings:
In the Admin User Name textbox, type a DocuSign account name that has the System Administrator profile in DocuSign.com assigned.
In the Admin Password textbox, type the password for this account.
If both SSO and user provisioning is setup, the authorization credentials used for provisioning needs to be configured to work with both SSO and Username/Password.
Select Test Connection to ensure Microsoft Entra ID can connect to your DocuSign app.
In the Notification Email field, enter the email address of a person or group who should receive provisioning error notifications, and check the checkbox.
Under the Mappings section, select Synchronize Microsoft Entra users to DocuSign.
In the Attribute Mappings section, review the user attributes that are synchronized from Microsoft Entra ID to DocuSign. The attributes selected as Matching properties are used to match the user accounts in DocuSign for update operations. Select the Save button to commit any changes.
To enable the Microsoft Entra provisioning service for DocuSign, change the Provisioning Status to On in the Settings section
It starts the initial synchronization of any users assigned to DocuSign in the Users and Groups section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the service is running. You can use the Synchronization Details section to monitor progress and follow links to provisioning activity logs, which describe all actions performed by the provisioning service on your DocuSign app.
For more information on how to read the Microsoft Entra provisioning logs, see Reporting on automatic user account provisioning.
- Provisioning a role or permission profile for a user in Docusign can be accomplished by using an expression in your attribute mappings using the switch and singleAppRoleAssignment functions. For example, the expression below will provision the ID "8032066" when a user has the "DS Admin" role assigned in Microsoft Entra ID. It will not provision any permission profile if the user isn't assigned a role on the Microsoft Entra ID side. The ID can be retrieved from the DocuSign portal.
Switch(SingleAppRoleAssignment([appRoleAssignments])," ", "DS Admin", "8032066")