Updated Snowflake SCIM Configuration.

Author: udhaymahajan

articles/active-directory/saas-apps/media/snowflake-provisioning-tutorial/image00.png

@@ -21,7 +21,9 @@ This tutorial demonstrates the steps that you perform in Snowflake and Azure Act
 > This connector is currently in public preview. For information about terms of use, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
 ## Capabilities supported
+
 > [!div class="checklist"]
+>
 > * Create users in Snowflake
 > * Remove users in Snowflake when they don't require access anymore
 > * Keep user attributes synchronized between Azure AD and Snowflake
@@ -38,6 +40,7 @@ The scenario outlined in this tutorial assumes that you already have the followi
 * A user account in Snowflake with admin permissions
 
 ## Step 1: Plan your provisioning deployment
+
 1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
 1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
 1. Determine what data to [map between Azure AD and Snowflake](../app-provisioning/customize-application-attributes.md). 
@@ -46,76 +49,83 @@ The scenario outlined in this tutorial assumes that you already have the followi
 
 Before you configure Snowflake for automatic user provisioning with Azure AD, you need to enable System for Cross-domain Identity Management (SCIM) provisioning on Snowflake.
 
-1. Sign in to your Snowflake admin console. Enter the following query in the highlighted worksheet, and then select **Run**.
+1. Sign in to Snowflake as an administrator and execute the following from either the Snowflake worksheet interface or SnowSQL.
 
-   ![Screenshot of the Snowflake admin console with query and Run button.](media/Snowflake-provisioning-tutorial/image00.png)
-	
    ```
    use role accountadmin;
    
-   create or replace role aad_provisioner;
-   grant create user on account to aad_provisioner;
-   grant create role on account to aad_provisioner;
+    create role if not exists aad_provisioner;
+    grant create user on account to role aad_provisioner;
+    grant create role on account to role aad_provisioner;
    grant role aad_provisioner to role accountadmin;
-   create or replace security integration aad_provisioning type=scim scim_client=azure run_as_role='AAD_PROVISIONER';
-   
-   select SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('AAD_PROVISIONING');
+    create or replace security integration aad_provisioning
+        type = scim
+        scim_client = 'azure'
+        run_as_role = 'AAD_PROVISIONER';
+    select system$generate_scim_access_token('AAD_PROVISIONING');
    ```
 
-1.  A SCIM access token is generated for your Snowflake tenant. To retrieve it, select the link highlighted in the following screenshot.
+2. Use the ACCOUNTADMIN role.
+
+    ![Screenshot of a worksheet in the Snowflake UI with the SCIM access token called out.](media/Snowflake-provisioning-tutorial/step2.png)
+
+3. Create the custom role AAD_PROVISIONER. All users and roles in Snowflake created by Azure AD will be owned by the scoped down AAD_PROVISIONER role.
 
-   ![Screenshot of a worksheet in the Snowflake U I with the S C I M access token called out.](media/Snowflake-provisioning-tutorial/image01.png)
+    ![Screenshot showing the custom role.](media/Snowflake-provisioning-tutorial/step3.png)
 
-1. Copy the generated token value and select **Done**. This value is entered in the **Secret Token** box on the **Provisioning** tab of your Snowflake application in the Azure portal.
+4. Let the ACCOUNTADMIN role create the security integration using the AAD_PROVISIONER custom role.
 
-   ![Screenshot of the Details section, showing the token copied into the text field and the Done option called out.](media/Snowflake-provisioning-tutorial/image02.png)
+    ![Screenshot showing the security integrations.](media/Snowflake-provisioning-tutorial/step4.png)
+
+5. Create and copy the authorization token to the clipboard and store securely for later use. Use this token for each SCIM REST API request and place it in the request header. The access token expires after six months and a new access token can be generated with this statement.
+
+    ![Screenshot showing the token generation.](media/Snowflake-provisioning-tutorial/step5.png)
 
 ## Step 3: Add Snowflake from the Azure AD application gallery
 
-Add Snowflake from the Azure AD application gallery to start managing provisioning to Snowflake. If you previously set up Snowflake for single sign-on (SSO), you can use the same application. However, we recommend that you create a separate app when you're initially testing the integration. [Learn more about adding an application from the gallery](../manage-apps/add-application-portal.md). 
+Add Snowflake from the Azure AD application gallery to start managing provisioning to Snowflake. If you previously set up Snowflake for single sign-on (SSO), you can use the same application. However, we recommend that you create a separate app when you're initially testing the integration. [Learn more about adding an application from the gallery](../manage-apps/add-application-portal.md).
 
-## Step 4: Define who will be in scope for provisioning 
+## Step 4: Define who will be in scope for provisioning
 
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application, or based on attributes of the user or group. If you choose to scope who will be provisioned to your app based on assignment, you can use the [steps to assign users and groups to the application](../manage-apps/assign-user-or-group-access-portal.md). If you choose to scope who will be provisioned based solely on attributes of the user or group, you can [use a scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). 
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application, or based on attributes of the user or group. If you choose to scope who will be provisioned to your app based on assignment, you can use the [steps to assign users and groups to the application](../manage-apps/assign-user-or-group-access-portal.md). If you choose to scope who will be provisioned based solely on attributes of the user or group, you can [use a scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
 
 Keep these tips in mind:
 
-* When you're assigning users and groups to Snowflake, you must select a role other than Default Access. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the Default Access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add more roles. 
+* When you're assigning users and groups to Snowflake, you must select a role other than Default Access. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the Default Access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add more roles.
 
 * If you need additional roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.
 
-
-## Step 5: Configure automatic user provisioning to Snowflake 
+## Step 5: Configure automatic user provisioning to Snowflake
 
 This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and groups in Snowflake. You can base the configuration on user and group assignments in Azure AD.
 
 To configure automatic user provisioning for Snowflake in Azure AD:
 
 1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise applications** > **All applications**.
 
-	![Screenshot that shows the Enterprise applications pane.](common/enterprise-applications.png)
+ ![Screenshot that shows the Enterprise applications pane.](common/enterprise-applications.png)
 
 2. In the list of applications, select **Snowflake**.
 
-	![Screenshot that shows a list of applications.](common/all-applications.png)
+ ![Screenshot that shows a list of applications.](common/all-applications.png)
 
 3. Select the **Provisioning** tab.
 
-	![Screenshot of the Manage options with the Provisioning option called out.](common/provisioning.png)
+ ![Screenshot of the Manage options with the Provisioning option called out.](common/provisioning.png)
 
 4. Set **Provisioning Mode** to **Automatic**.
 
-	![Screenshot of the Provisioning Mode drop-down list with the Automatic option called out.](common/provisioning-automatic.png)
+ ![Screenshot of the Provisioning Mode drop-down list with the Automatic option called out.](common/provisioning-automatic.png)
 
-5. In the **Admin Credentials** section, enter the SCIM 2.0 base URL and authentication token that you retrieved earlier in the **Tenant URL** and **Secret Token** boxes, respectively. 
+5. In the **Admin Credentials** section, enter the SCIM 2.0 base URL and authentication token that you retrieved earlier in the **Tenant URL** and **Secret Token** boxes, respectively.
 
    Select **Test Connection** to ensure that Azure AD can connect to Snowflake. If the connection fails, ensure that your Snowflake account has admin permissions and try again.
 
-	![Screenshot that shows boxes for tenant U R L and secret token, along with the Test Connection button.](common/provisioning-testconnection-tenanturltoken.png)
+ ![Screenshot that shows boxes for tenant URL and secret token, along with the Test Connection button.](common/provisioning-testconnection-tenanturltoken.png)
 
 6. In the **Notification Email** box, enter the email address of a person or group who should receive the provisioning error notifications. Then select the **Send an email notification when a failure occurs** check box.
 
-	![Screenshot that shows boxes for notification email.](common/provisioning-notification-email.png)
+ ![Screenshot that shows boxes for notification email.](common/provisioning-notification-email.png)
 
 7. Select **Save**.
 
@@ -147,43 +157,46 @@ To configure automatic user provisioning for Snowflake in Azure AD:
 
 13. To enable the Azure AD provisioning service for Snowflake, change **Provisioning Status** to **On** in the **Settings** section.
 
-	 ![Screenshot that shows Provisioning Status switched on.](common/provisioning-toggle-on.png)
+  ![Screenshot that shows Provisioning Status switched on.](common/provisioning-toggle-on.png)
 
 14. Define the users and groups that you want to provision to Snowflake by choosing the desired values in **Scope** in the **Settings** section. 
 
     If this option is not available, configure the required fields under **Admin Credentials**, select **Save**, and refresh the page. 
 
-	 ![Screenshot that shows choices for provisioning scope.](common/provisioning-scope.png)
+  ![Screenshot that shows choices for provisioning scope.](common/provisioning-scope.png)
 
 15. When you're ready to provision, select **Save**.
 
-	 ![Screenshot of the button for saving a provisioning configuration.](common/provisioning-configuration-save.png)
+  ![Screenshot of the button for saving a provisioning configuration.](common/provisioning-configuration-save.png)
 
 This operation starts the initial synchronization of all users and groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs. Subsequent syncs occur about every 40 minutes, as long as the Azure AD provisioning service is running.
 
 ## Step 6: Monitor your deployment
+
 After you've configured provisioning, use the following resources to monitor your deployment:
 
-- Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully.
-- Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion.
-- If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. [Learn more about quarantine states](../app-provisioning/application-provisioning-quarantine-status.md).  
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully.
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion.
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. [Learn more about quarantine states](../app-provisioning/application-provisioning-quarantine-status.md).  
 
 ## Connector limitations
 
-Snowflake-generated SCIM tokens expire in 6 months. Be aware that you need to refresh these tokens before they expire, to allow the provisioning syncs to continue working. 
+Snowflake-generated SCIM tokens expire in 6 months. Be aware that you need to refresh these tokens before they expire, to allow the provisioning syncs to continue working.
 
 ## Troubleshooting tips
 
-The Azure AD provisioning service currently operates under particular [IP ranges](../app-provisioning/use-scim-to-provision-users-and-groups.md#ip-ranges). If necessary, you can restrict other IP ranges and add these particular IP ranges to the allow list of your application. That technique will allow traffic flow from the Azure AD provisioning service to your application.
+The Azure AD provisioning service currently operates under particular [IP ranges](../app-provisioning/use-scim-to-provision-users-and-groups.md#ip-ranges). If necessary, you can restrict other IP ranges and add these particular IP ranges to the allowlist of your application. That technique will allow traffic flow from the Azure AD provisioning service to your application.
 
 ## Change log
 
 * 07/21/2020: Enabled soft-delete for all users (via the active attribute).
+* 10/12/2022: Updated Snowflake SCIM Configuration.
 
 ## Additional resources
 
 * [Managing user account provisioning for enterprise apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
 * [What are application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
 
 ## Next steps
+
 * [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)