Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Support filtering = false | ServiceProviderConfig
Azure AD SCIM client is not compatible with applications that do not support "filtering".
If "filtering" is not supported by a 3rd party app, do not ignore that.
Use the "matching" attribute defined in mappings during the initial cycle to check if the resource exists.
If the resource exists (HTTP 200), save the "ID" persistently.
Use the "ID" in every subsequent request; cf. RFC 7644 section 4: https://tools.ietf.org/html/rfc7644#section-4
4 votes
-
Please support Join in provisioning with user groups in Azure AD.
Please support Join function in provisioning with user groups in Azure AD.
Excerpt:
Matching based on a combination of attributes is not supported: Most applications do not support querying based on two properties. Therefore, it is not possible to match based on a combination of attributes. It is possible to evaluate single properties one after another.
https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#matching-users-in-the-source-and-target--systems
3 votes
-
Additional User Entitlement in Salesforce Provisioning
At the moment, AFAIK, the Salesforce Connector provisions a Salesforce Profile to a User based on the Security Group they belong to in a 1 to 1 mapping.
User Provisioning should cover more.
A Salesforce User can have:
- 1 Profile
- 0 to 1 Role
- 0 to N Permission Sets
- 0 to N Permission Set Groups
- member of 0 to N Public Groups
- member of 0 to N Queues
How to provision the other entitlements from AD?
3 votes
Are you looking to push that data from Azure AD to Salesforce or import from Salesforce to Azure AD?
For the former we support profiles, roles, permission sets, permissions. You can go into the attribute mappings and add new mappings for the properties you need. We are evaluating the Salesforce SCIM endpoint to see if we can move to a more standards based integration and support all the attributes that you are requesting.
For the latter we support importing roles as an Azure AD profile.
-
AAD provisioning does not show Audit logs for group membership
AAD and G Suite provisioning does not show Audit logs for group membership updates, which I believe is quite important to know. As per the MS agent:
If the user is not provisioned already on G suite, when we try to update group membership, this would obviously fail since we don't have a reference attribute to resolve on the target. Currently, by design, Azure AD doesn't retry the previously failed group membership update after the user is provisioned. Workarounds to fix this problem is to remove and re-add the user as a member of the group or trigger a clear…
2 votes -
IDCS Provisioning doesn't work
The Oracle Cloud Infrastructure Gallery app uses the OracleIDCS object. But it doesn't support the attribute primary email = boolean. You cannot create a user in IDCS unless you set the email and put it as primary. So essentially, the email.primary has to be set to a boolean (true). Please include it in the OracleIDCS objectclass.
2 votes
Which email would you like to set as the primary? If the work email is part of the mappings, we send that as the primary.
-
SingleAppRoleAssignment([appRoleAssignments]) should return appRole value not name
Currently SingleAppRoleAssignment([appRoleAssignments]) returns the appRole name. It should either return the value or there should be a way of telling the mapping what field from the object to pass to the target.
2 votes
Is your app a SCIM app and could you show an example payload that you expect? Currently we try to follow the example shown on page 65 of the standard. https://tools.ietf.org/html/rfc7643
-
Application Provisioning Attribute Mapping Configuration Backup for last 5 changes
During a recent incident I came to know that the Provisioning Configuration change details do not get backed up, i.e. the attribute changes which we make on the attribute mapping. Only a text message gets recorded when changes are performed. It never records what changes were made. If Microsoft provides any functionality for this it will be helpful for all Azure customers.
Option 1) Provide a backup of the provisioning application schema for the last 5 configuration changes which can be accessed by an Admin. It will help the Admin to restore from the backup in case of any failure while updating the Schema.
Option 2) Currently Microsoft records…
2 votes
Thanks for the feedback. We are looking to add more detail to our audit logs. This is good feedback.
-
Any automatic user provisioning available for Amadeus products?
Hello, may I know whether any automatic user provisioning is available for Amadeus products, like Altea Customer Management (CM) and Flight Management (FM)?
1 vote
-
SCIM Bulk
Is there support for the SCIM 2.0 /Bulk endpoint?
https://tools.ietf.org/html/rfc7644#section-3.7
1 vote
-
entitlements scim
In SCIM mapping, the target attribute "entitlements" is missing. However, this attribute is in the core user Schemas and RFC 7643 says:
entitlements
…A list of entitlements for the user that represent a thing the
user has. An entitlement may be an additional right to a thing,
object, or service. No vocabulary or syntax is specified; service
providers and clients are expected to encode sufficient
information in the value so as to accurately and without ambiguity
determine what the user has access to. This value has no
canonical types, although a type may be useful as a
1 vote
-
Add more scope options for user/group syncing
Enterprise Applications currently offer two scoping options with SCIM to sync users/groups in AAD with a third party SaaS solution.
This poses some issues for companies with a large number of users and groups in Azure AD. In some cases, when selecting the provisioning scope, we would like to synchronize all users and selected groups. But that is not available; the only options are:
1. Sync all users and groups
2. Sync only assigned users and groups
If we want to sync all users and selected groups, we have to choose the first option and set up scope filters for group…
1 vote
-
Allow blocked users to be provisioned to SaaS apps
We have group/user provisioning turned on to ServiceNow. Everything is working great, except for the users with "block sign in" checked. I reviewed the provisioning logs and they show these users aren't sent over to SN. We are doing license management and need to see when inactive users are still assigned a license.
1 vote -
Sub attributes in mappings
Sub attributes aren't supported in custom SSO apps.
I'm unable to match a user if their email is a sub attribute,
e.g. emails.value
1 vote -
Configure sync Scope per mapping
There is a global provisioning setting to Sync only assigned users and groups, or Sync all users and groups. I would like to set this per user mapping or per group mapping. The reason for this is that we have applications for which we don't have licenses for all our users. So I would like to provision the users by group membership (assigned), but sync groups globally based on a naming standard (scoping filter).
The issue with scoping filters is you can't scope based on group membership, which would be another feature request I suppose.
1 vote -
Custom Schema Namespace is not included in the Schema "Header"
As described in this article, the custom attribute "namespace" should be included in the "Schemas" list.
More detail here:
https://github.com/MicrosoftDocs/azure-docs/issues/65648
1 vote
-
Allow kicking off the enterprise app sync job with a service principal
At the moment, the permissions required to call our SCIM endpoint API only support the delegated permission 'Directory.ReadWrite.All' for a work or school account.
To better integrate with a CI/CD pipeline, it would be great if we could kick off the enterprise app sync job with a service principal.
1 vote -
Provisioning about delete user
I want you to select the deleted user so that it can be provisioned on request.
1 vote
Could you please elaborate on the scenario?
-
Add ability to test attribute expressions
It would be very helpful to have the ability to provide sample input to attribute expressions and see what the output of the expression would be. Attempting to troubleshoot expressions is currently very difficult as there doesn't seem to be any way to test the expression you're creating other than to actually try to provision users with it.
1 vote
Work is in progress for this.
/Arvind
-
Azure AD to on-premises application user provisioning
Support provisioning users from Azure AD to on-premises applications such as SQL, PowerShell, and LDAP.
1 vote