# Using SCIM and Microsoft Graph together to provision users and enrich your application with the data it needs
25
25
26
-
**Target audience:** This document is targeted towards developers building applications integrated with Azure AD. For others looking to integrate an existing application such as Zoom, ServiceNow, and DropBox you can skip this and review the application specific [tutorials](https://docs.microsoft.com/azure/active-directory/saas-apps/tutorial-list).
26
+
**Target audience:** This document is targeted towards developers building applications to be integrated with Azure AD. For others looking to use applications already integrated with Azure AD, such as Zoom, ServiceNow, and DropBox, you can skip this and review the application specific [tutorials](https://docs.microsoft.com/azure/active-directory/saas-apps/tutorial-list) or review [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/app-provisioning/how-provisioning-works).
27
27
28
28
**Common scenarios**
29
29
30
+
Azure AD provides an out of the box service for provisioning and an extensible platform to build your applications on. The decision tree outlines how a developer would use [SCIM](https://aka.ms/scimoverview) and the [Microsoft Graph](https://docs.microsoft.com/graph/overview) to automate provisioning.
31
+
30
32
> [!div class="checklist"]
31
33
> * Automatically create users in my application
32
34
> * Automatically remove users from my application when they shouldn't have access anymore
33
35
> * Integrate my application with multiple identity providers for provisioning
34
-
> * Enrich my application with data from Microsoft services such as Sharepoint, Outlook, and Office.
36
+
> * Enrich my application with data from Microsoft services such as Teams, Outlook, and Office.
35
37
> * Automatically create, update, and delete users and groups in Azure AD and Active Directory
## Scenario 1: Automatically create users in my app
40
-
Today, IT admins manually create user accounts in my application each time someone needs access or periodically upload CSV files. The process is time consuming for customers and slows down adoption of my application. All I need is basic [user](https://docs.microsoft.com/graph/api/resources/user?view=graph-rest-1.0) information such as name, email, and userPrincipalName to create a user. Furthermore, my customers use various IdPs and I don't have the resources to maintain a sync engine and custom integrations with each IdP.
42
+
Today, IT admins provision users by manually creating user accounts or periodically uploading CSV files into my application. The process is time consuming for customers and slows down adoption of my application. All I need is basic user information such as name, email, and userPrincipalName to create a user.
43
+
44
+
**Recommendation**:
45
+
* If your customers use various IdPs and you do not want to maintain a sync engine to integrate with each, support a SCIM compliant [/Users](https://aka.ms/scimreferencecode) endpoint. Your customers will be able to easily use this endpoint to integrate with the Azure AD provisioning service and automatically create user accounts when they need access. You can build the endpoint once and it will be compatible with all IdPs. Check out the example request below for how a user would be created using SCIM.
46
+
* If you require user data found on the user object in Azure AD and other data from across Microsoft, consider building a SCIM endpoint for user provisioning and calling into the Microsoft Graph to get the rest of the data.
41
47
42
-
**Recommendation**: Support a SCIM compliant [/Users](https://aka.ms/scimreferencecode) endpoint. Your customers will be able to easily use this endpoint to integrate with the Azure AD provisioning service and automatically create user accounts when they need access. You can build the endpoint once and it will be compatible with all IdPs, without having to maintain a sync engine. Check out the example request below for how a user would be created.
43
48
44
49
```json
45
50
POST /Users
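Review bot: The first bullet under the new **Recommendation** (the line beginning "* If your customers use various IdPs") presents the SCIM compliant /Users endpoint as something customers "easily use" to integrate, but nowhere in the hunk does it say the endpoint has to authenticate the Azure AD provisioning service before honouring create requests; an unauthenticated /Users POST is a user-creation primitive for anyone who discovers the URL. Suggest adding a clause such as "...support a SCIM compliant /Users endpoint, protected by the bearer token the provisioning service is configured with, ..." or a link to the authentication section of the SCIM provisioning docs. Three smaller points in the same hunk: the rewritten sentence "All I need is basic user information such as name, email, and userPrincipalName" drops the link to the Graph user resource that the removed line carried, and that link is worth keeping; the new intro sentence says "The decision tree outlines how a developer would use SCIM and the Microsoft Graph" while what follows is a checklist of scenarios, so either reword to "The scenarios below outline..." or make sure a decision tree actually appears; and the checklist item was changed to "Teams, Outlook, and Office" while the Scenario 4 heading later in the same commit reads "Teams, Outlook, and OneDrive", so the two should be aligned.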
@@ -93,21 +98,21 @@ My application relies on groups for access to various resources, and customers w
93
98
94
99
**Recommendation:** Support a SCIM compliant /Groups [endpoint](https://aka.ms/scimreferencecode). The Azure AD provisioning service will take care of creating groups and managing membership updates in your application.
95
100
96
-
## Scenario 4: Enrich my app with data from Microsoft services such as Teams, Outlook, and OneDrive.
101
+
## Scenario 4: Enrich my app with data from Microsoft services such as Teams, Outlook, and OneDrive
97
102
My application is built into Microsoft Teams and relies on message data. In addition, we store files for users in OneDrive. How can I enrich my application with the data from these services and across Microsoft?
98
103
99
104
**Recommendation:** The [Microsoft Graph](https://docs.microsoft.com/graph/) is your entry point to access Microsoft data. Each workload exposes APIs with the data that you need. The Microsoft graph can be used along with [SCIM provisioning](https://docs.microsoft.com/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups) for the scenarios above. You can use SCIM to provision basic user attributes into your application while calling into graph to get any other data that you need.
100
105
101
-
## Scenario 5: Track changes in Microsoft services such as Teams, Outlook, and Azure AD.
106
+
## Scenario 5: Track changes in Microsoft services such as Teams, Outlook, and Azure AD
102
107
I need to be able to track changes to Teams and Outlook messages and react to them in real time. How can I get these changes pushed to my application?
103
108
104
-
**Recommendation:** The Microsoft Graph provides [change notifications](https://docs.microsoft.com/graph/webhooks) and change tracking for various resources. Note the following limitations of change notifications:
109
+
**Recommendation:** The Microsoft Graph provides [change notifications](https://docs.microsoft.com/graph/webhooks) and [change tracking](https://docs.microsoft.com/graph/delta-query-overview) for various resources. Note the following limitations of change notifications:
105
110
- If an event receiver acknowledges an event, but fails to act on it for any reason, the event may be lost
106
111
- If an event receiver acknowledges an event, but fails to act on it for any reason, the event may be lost
107
112
- Change notifications don't always contain the [resource data](https://docs.microsoft.com/graph/webhooks-with-resource-data)
108
113
For the reasons above, developers often use change notifications along with change tracking for synchronization scenarios.
109
114
110
-
## Scenario 6: Provision users and groups in Azure AD.
115
+
## Scenario 6: Provision users and groups in Azure AD
111
116
My application creates information about a user that customers need in Azure AD. This could be an HR application than manages hiring, a communications app that creates phone numbers for users, or some other app that generates data that would be valuable in Azure AD. How do I populate the user record in Azure AD with that data?
112
117
113
118
**Recommendation** The Microsoft graph exposes /Users and /Groups endpoints that you can integrate with today to provision users into Azure AD. Please note that Azure Active Directory doesn't support writing those users back into Active Directory.
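Review bot: The change-notification limitations list under Scenario 5 repeats the same bullet twice ("If an event receiver acknowledges an event, but fails to act on it for any reason, the event may be lost" appears on consecutive lines); since this hunk already touches the surrounding lines, drop the duplicate or replace it with the limitation it was meant to state, otherwise the "For the reasons above" sentence is justified by a single reason. Smaller points in the same hunk: in Scenario 6 "an HR application than manages hiring" should read "that manages hiring", "**Recommendation**" there is missing the colon the other scenarios use, and "The Microsoft graph exposes /Users and /Groups endpoints" should capitalise "Graph" as the rest of the page does.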