| 1 | +--- |
| 2 | +title: Automate identity provisioning to applications introduction |
| 3 | +description: Learn to design solutions to automatically provision identities in hybrid environments to provide application access. |
| 4 | +services: active-directory |
| 5 | +author: janicericketts |
| 6 | +manager: martinco |
| 7 | +ms.service: active-directory |
| 8 | +ms.workload: identity |
| 9 | +ms.subservice: fundamentals |
| 10 | +ms.topic: overview |
| 11 | +ms.date: 09/23/2022 |
| 12 | +ms.author: jricketts |
| 13 | +ms.custom: |
| 14 | + - it-pro |
| 15 | + - seodec18 |
| 16 | + - kr2b-contr-experiment |
| 17 | +ms.collection: M365-identity-device-management |
| 18 | +--- |
| 19 | + |
| 20 | +# Introduction |
| 21 | + |
| 22 | +These articles are for: |
| 23 | + |
| 24 | +* Architects |
| 25 | + |
| 26 | +* Microsoft partners |
| 27 | + |
| 28 | +* IT professionals |
| 29 | + |
| 30 | +The article provides information for decision makers addressing identity [provisioning](https://www.gartner.com/en/information-technology/glossary/user-provisioning) needs in their organizations, or the organizations they're working with. The content focuses on automating user provisioning for access to applications across all systems in your organization. |
| 31 | + |
| 32 | +Employees in an organization rely on many applications to perform their work. These applications often require IT admins or application owners to provision accounts before an employee can start accessing them. Organizations also need to manage the lifecycle of these accounts and keep them up to date with the latest information and remove accounts when users don't require them anymore. |
| 33 | + |
| 34 | +The Azure AD provisioning service automates your identity lifecycle and keeps identities in sync across trusted source systems (like HR systems) and applications that users need access to. It enables you to bring users into Azure AD and provision them into the various applications that they require. The provisioning capabilities are foundational building blocks that enable rich governance and lifecycle workflows. For [hybrid](../hybrid/whatis-hybrid-identity.md) scenarios, the Azure AD agent model connects to on-premises or IaaS systems, and includes components such as the Azure AD provisioning agent, Microsoft Identity Manager (MIM), and Azure AD Connect. |
| 35 | + |
| 36 | +Thousands of organizations are running Azure AD cloud-hosted services, with its hybrid components delivered on-premises, for provisioning scenarios. Microsoft invests in cloud-hosted and on-premises functionality, including MIM and Azure AD Connect sync, to help organizations provision users in their connected systems and applications. This article focuses on how organizations can use Azure AD to address their provisioning needs and make clear which technology is most right for each scenario. |
| 37 | + |
| 38 | + |
| 39 | + |
| 40 | + Use the following table to find content specific to your scenario. For example, if you want employee and contractor identities management from an HR system to Active Directory (AD) or Azure Active Directory (Azure AD), follow the link to *Connect identities with your system of record*. |
| 41 | + |
| 42 | +| What | From | To | Read | |
| 43 | +| - | - | - | - | |
| 44 | +| Employees and contractors| HR systems| AD and Azure AD| [Connect identities with your system of record](automate-provisioning-to-applications-solutions.md) | |
| 45 | +| Existing AD users and groups| AD| Azure AD| [Synchronize identities between Azure AD and Active Directory](automate-provisioning-to-applications-solutions.md) | |
| 46 | +| Users, groups| Azure AD| SaaS and on-prem apps| [Automate provisioning to non-Microsoft applications](../governance/entitlement-management-organization.md) | |
| 47 | +| Access rights| Azure AD Identity Governance| SaaS and on-prem apps| [Entitlement management](../governance/entitlement-management-overview.md) | |
| 48 | +| Existing users and groups| AD, SaaS and on-prem apps| Identity governance (so I can review them)| [Azure AD Access reviews](../governance/access-reviews-overview.md) | |
| 49 | +| Non-employee users (with approval)| Other cloud directories| SaaS and on-prem apps| [Connected organizations](../governance/entitlement-management-organization.md) | |
| 50 | +| Users, groups| Azure AD| Managed AD domain| [Azure AD Domain Services](https://azure.microsoft.com/services/active-directory-ds/) | |
| 51 | + |
| 52 | +## Example topologies |
| 53 | + |
| 54 | +Organizations vary greatly in the applications and infrastructure that they rely on to run their business. Some organizations have all their infrastructure in the cloud, relying solely on SaaS applications, while others have invested deeply in on-premises infrastructure over several years. The three topologies below depict how Microsoft can meet the needs of a cloud only customer, hybrid customer with basic provisioning requirements, and a hybrid customer with advanced provisioning requirements. |
| 55 | + |
| 56 | +### Cloud only |
| 57 | + |
| 58 | +In this example, the organization has a cloud HR system such as Workday or SuccessFactors, uses Microsoft 365 for collaboration, and SaaS apps such as ServiceNow and Zoom. |
| 59 | + |
| 60 | + |
| 61 | + |
| 62 | +1. The Azure AD provisioning service imports users from the cloud HR system and creates an account in Azure AD, based on business rules that the organization defines. |
| 63 | + |
| 64 | +1. The user complete sets up the suitable authentication methods, such as the authenticator app, Fast Identity Online 2 (FIDO2)/Windows Hello for Business (WHfB) keys via [Temporary Access Pass](../authentication/howto-authentication-temporary-access-pass.md) and then signs into Teams. This Temporary Access Pass was automatically generated for the user through Azure AD Life Cycle Workflows. |
| 65 | + |
| 66 | +1. The Azure AD provisioning service creates accounts in the various applications that the user needs, such as ServiceNow and Zoom. The user is able to request the necessary devices they need and start chatting with their teams. |
| 67 | + |
| 68 | +### Hybrid-basic |
| 69 | + |
| 70 | +In this example, the organization has a mix of cloud and on-premises infrastructure. In addition to the systems mentioned above, the organization relies on SaaS applications and on-premises applications that are both AD integrated and non-AD integrated. |
| 71 | + |
| 72 | + |
| 73 | + |
| 74 | +1. The Azure AD provisioning service imports the user from Workday and creates an account in AD DS, enabling the user to access AD-integrated applications. |
| 75 | + |
| 76 | +2. Azure AD Connect Cloud Sync provisions the user into Azure AD, which enables the user to access SharePoint Online and their OneDrive files. |
| 77 | + |
| 78 | +3. The Azure AD provisioning service detects a new account was created in Azure AD. It then creates accounts in the SaaS and on-premises applications the user needs access to. |
| 79 | + |
| 80 | +### Hybrid-advanced |
| 81 | + |
| 82 | +In this example, the organization has users spread across multiple on-premises HR systems and cloud HR. They have large groups and device synchronization requirements. |
| 83 | + |
| 84 | + |
| 85 | + |
| 86 | +1. MIM imports user information from each HR stem. MIM determines which users are needed for those employees in different directories. MIM provisions those identities in Active Directory. |
| 87 | + |
| 88 | +2. Azure AD Connect Sync then synchronizes those users and groups to Azure AD and provides users access to their resources. |
| 89 | + |
| 90 | +## Next steps |
| 91 | + |
| 92 | +* [Solutions to automate user provisioning to applications](automate-provisioning-to-applications-solutions.md) |
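Review bot: the scenario table (lines 44-50 of the diff) sends the "Automate provisioning to non-Microsoft applications" row to `../governance/entitlement-management-organization.md`, the same target the later "Connected organizations" row uses; that page is about connected organizations, not app provisioning, so this row needs the app-provisioning solutions target (the `automate-provisioning-to-applications-solutions.md` article linked elsewhere in this table, or the dedicated app provisioning page) or readers land on the wrong concept. The three "Example topologies" subsections each promise a diagram ("The three topologies below depict...") but the blank lines where the images would sit carry no image reference, so either the `:::image` lines were dropped from this commit or the sentence should stop promising a figure. The Hybrid-basic flow (step 1) says "The Azure AD provisioning service ... creates an account in AD DS" without naming the on-premises component; since the intro lists the Azure AD provisioning agent as what reaches on-premises systems, say so here, otherwise a reader may think cloud-to-AD DS writes happen with no agent deployed. Smaller fixes in the same hunk: "The user complete sets up" should read "The user sets up"; "Azure AD Life Cycle Workflows" is "Lifecycle Workflows"; "each HR stem" is "each HR system"; "most right for each scenario" reads better as "best suited to each scenario"; line 40 has a stray leading space before "Use the following table"; and the Cloud only list uses "1." for every item while the two hybrid lists are numbered 1., 2., 3., so pick one convention.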