Commit aa65c3b

Merge pull request #252732 from MicrosoftDocs/main
9/25/2023 AM Publish
2 parents 9280e04 + be6edf6 commit aa65c3b

1,053 files changed

+1955
-2517
lines changed

articles/active-directory/app-provisioning/inbound-provisioning-api-configure-app.md

Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@ If you're configuring inbound user provisioning to on-premises Active Directory,
3636
## Create your API-driven provisioning app
3737

3838
1. Log in to the [Microsoft Entra admin center](<https://entra.microsoft.com>) as at least an [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823).
39-
2. Browse to **Microsoft Entra ID** > **Applications** > **Enterprise applications**.
39+
2. Browse to **Identity** > **Applications** > **Enterprise applications**.
4040
3. Click on **New application** to create a new provisioning application.
4141
[![Screenshot of Microsoft Entra Admin Center.](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png)](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png#lightbox)
4242
4. Enter **API-driven** in the search field, then select the application for your setup:
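Review bot: Step 1, directly above the changed line 39, still reads "Log in to the [Microsoft Entra admin center](<https://entra.microsoft.com>)", while this same commit rewrites the equivalent step in inbound-provisioning-api-custom-attributes.md to "Sign in to". Since the hunk already touches this list, change step 1 to "Sign in to" here as well and drop the angle brackets inside the link target so it matches the link form used in the other files. The breadcrumb change to **Identity** > **Applications** > **Enterprise applications** is consistent with the rest of the commit.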

articles/active-directory/app-provisioning/inbound-provisioning-api-custom-attributes.md

Lines changed: 7 additions & 6 deletions
@@ -28,20 +28,21 @@ You have configured API-driven provisioning app. You're provisioning app is succ
2828

2929
In this step, we'll add the two attributes "HireDate" and "JobCode" that are not part of the standard SCIM schema to the provisioning app and use them in the provisioning data flow.
3030

31-
1. Log in to your [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823).
32-
1. Browse to **Enterprise applications** and open your API-driven provisioning app.
31+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823).
32+
1. Browse to **Identity** > **Applications** > **Enterprise applications**.
33+
1. Open your API-driven provisioning app.
3334
1. Open the **Provisioning** blade.
3435
1. Click on the **Edit Provisioning** button.
3536
1. Expand the **Mappings** section and click on the attribute mapping link. <br>
36-
:::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/edit-attribute-mapping.png" alt-text="Screenshot of edit attribute mapping." lightbox="./media/inbound-provisioning-api-custom-attributes/edit-attribute-mapping.png":::
37+
:::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/edit-attribute-mapping.png" alt-text="Screenshot of edit attribute mapping." lightbox="./media/inbound-provisioning-api-custom-attributes/edit-attribute-mapping.png":::
3738
1. Scroll down the **Attribute Mappings** page. Select **Show advanced options** and click on the **Edit attribute list for API** link.
38-
:::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/edit-api-attribute-list.png" alt-text="Screenshot of edit API attribute list." lightbox="./media/inbound-provisioning-api-custom-attributes/edit-api-attribute-list.png":::
39+
:::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/edit-api-attribute-list.png" alt-text="Screenshot of edit API attribute list." lightbox="./media/inbound-provisioning-api-custom-attributes/edit-api-attribute-list.png":::
3940
1. Scroll down to the end of the **Edit Attribute List** page.
4041
1. Add the following two attributes to the list as SCIM schema extensions. You can use your own SCIM schema namespace. <br>
4142
`urn:ietf:params:scim:schemas:extension:contoso:1.0:User:HireDate` <br>
4243
`urn:ietf:params:scim:schemas:extension:contoso:1.0:User:JobCode` <br>
43-
:::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/add-custom-attributes.png" alt-text="Screenshot of adding custom attributes." lightbox="./media/inbound-provisioning-api-custom-attributes/add-custom-attributes.png":::
44-
1. **Save** your changes
44+
:::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/add-custom-attributes.png" alt-text="Screenshot of adding custom attributes." lightbox="./media/inbound-provisioning-api-custom-attributes/add-custom-attributes.png":::
45+
1. **Save** your changes
4546

4647
> [!NOTE]
4748
> If you'd like to add only a few additional attributes to the provisioning app, use Microsoft Entra admin center to extend the schema. If you'd like to add more custom attributes (let's say 20+ attributes), then we recommend using the [`UpdateSchema` mode of the CSV2SCIM PowerShell script](inbound-provisioning-api-powershell.md#extending-provisioning-job-schema) which automates the above manual process.
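Review bot: The paragraph quoted in the hunk header still contains "You're provisioning app is succ…", which should be "Your provisioning app", and "You have configured API-driven provisioning app" is missing an article; both sit just above the edited steps and are worth fixing in the same pass. In the re-added step at line 45, "1. **Save** your changes" still has no terminal period, unlike every other step in the list. The three `:::image` lines are removed and re-added with identical visible text, so the change is presumably indentation only; confirm they are now indented under their list items, otherwise the auto-numbered "1." list will restart after each image.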

articles/active-directory/app-provisioning/on-premises-powershell-connector.md

Lines changed: 144 additions & 130 deletions
Large diffs are not rendered by default.

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

Lines changed: 27 additions & 22 deletions
@@ -30,14 +30,12 @@ The Microsoft Entra provisioning service supports a [SCIM 2.0](https://techcommu
3030

3131
If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section.
3232

33-
1. In the Azure portal, select **Microsoft Entra ID**.
34-
2. On the left, select **Microsoft Entra Connect**.
35-
3. On the left, select **Cloud sync**.
33+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).
34+
1. Browse to **Identity** > **Hybrid management** > **Azure AD Connect** > **Cloud Sync** > **Agents**.
3635

37-
:::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png":::
36+
:::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png":::
3837

39-
4. On the left, select **Agent**.
40-
5. Select **Download on-premises agent**, and select **Accept terms & download**.
38+
1. Select **Download on-premises agent**, and select **Accept terms & download**.
4139

4240
>[!NOTE]
4341
>Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.
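Review bot: The new breadcrumb at line 34, "**Identity** > **Hybrid management** > **Azure AD Connect** > **Cloud Sync** > **Agents**", uses the "Azure AD Connect" name, while the lines it replaces said "Microsoft Entra Connect" and the NOTE at the end of this hunk still says "Microsoft Entra Connect Cloud Sync". If "Azure AD Connect" is the literal label in the admin center, keep it; otherwise align it with the product name used elsewhere in the article. Stating the required role (Hybrid Identity Administrator) in step 1 is a good addition, because the old steps gave no role at all for downloading the agent.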
@@ -51,24 +49,31 @@ If you have already downloaded the provisioning agent and configured it for anot
5149
## Provisioning to SCIM-enabled application
5250
Once the agent is installed, no further configuration is necessary on-premises, and all provisioning configurations are then managed from the portal. Repeat the below steps for every on-premises application being provisioned via SCIM.
5351

54-
1. In the Azure portal navigate to the Enterprise applications and add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
55-
2. From the left hand menu navigate to the **Provisioning** option and select **Get started**.
56-
3. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option.
57-
4. Select the agent that you installed from the dropdown list and select **Assign Agent(s)**.
58-
5. Now either wait 10 minutes or restart the **Microsoft Entra Connect Provisioning Agent** before proceeding to the next step & testing the connection.
59-
6. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
60-
7. Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues.
61-
>[!NOTE]
62-
> If the test connection fails, you will see the request made. Please note that while the URL in the test connection error message is truncated, the actual request sent to the application contains the entire URL provided above.
63-
64-
8. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
65-
9. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
66-
10. Test provisioning a few users [on demand](provision-on-demand.md).
67-
11. Add more users into scope by assigning them to your application.
68-
12. Go to the **Provisioning** pane, and select **Start provisioning**.
69-
13. Monitor using the [provisioning logs](../../active-directory/reports-monitoring/concept-provisioning-logs.md).
52+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
53+
1. Browse to **Identity** > **Applications** > **Enterprise applications**.
54+
1. Add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
55+
1. From the left hand menu navigate to the **Provisioning** option and select **Get started**.
56+
1. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option.
57+
1. Select the agent that you installed from the dropdown list and select **Assign Agent(s)**.
58+
1. Now either wait 10 minutes or restart the **Microsoft Azure AD Connect Provisioning Agent** before proceeding to the next step & testing the connection.
59+
1. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim
60+
61+
![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
62+
63+
1. Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues.
64+
65+
> [!NOTE]
66+
> If the test connection fails, you will see the request made. Please note that while the URL in the test connection error message is truncated, the actual request sent to the application contains the entire URL provided above.
67+
68+
1. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
69+
1. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
70+
1. Test provisioning a few users [on demand](provision-on-demand.md).
71+
1. Add more users into scope by assigning them to your application.
72+
1. Go to the **Provisioning** pane, and select **Start provisioning**.
73+
1. Monitor using the [provisioning logs](../../active-directory/reports-monitoring/concept-provisioning-logs.md).
7074

7175
The following video provides an overview of on-premises provisioning.
76+
7277
> [!VIDEO https://www.youtube.com/embed/QdfdpaFolys]
7378
7479
## Additional requirements
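Review bot: Line 58 changes the agent name from "Microsoft Entra Connect Provisioning Agent" to "Microsoft Azure AD Connect Provisioning Agent", which runs against the Entra naming used in the rest of this commit; if that string is the actual Windows service name the admin has to restart, say so in the step ("restart the ... service") so it does not look like a missed rename. In line 52, "as at least a [Application Administrator]" should read "an", matching the wording in inbound-provisioning-api-custom-attributes.md. With every step now numbered "1.", confirm the screenshot at line 61 and the NOTE at lines 65-66 are indented under their steps so the rendered numbering does not restart. The example Tenant URL at line 59 is left as bare text; wrapping it in backticks would stop it rendering as a live link.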

articles/active-directory/app-provisioning/plan-cloud-hr-provision.md

Lines changed: 2 additions & 2 deletions
@@ -80,8 +80,8 @@ You also need a valid Microsoft Entra ID P1 or higher subscription license for e
8080

8181
### Prerequisites
8282

83-
- Microsoft Entra ID [hybrid identity administrator](../roles/permissions-reference.md#hybrid-identity-administrator) to configure the Microsoft Entra Connect provisioning agent.
84-
- Microsoft Entra ID [application administrator](../roles/permissions-reference.md#application-administrator) role to configure the provisioning app in the Azure portal
83+
- [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) role to configure the Connect provisioning agent.
84+
- [Application Administrator](../roles/permissions-reference.md#application-administrator) role to configure the provisioning app.
8585
- A test and production instance of the cloud HR app.
8686
- Administrator permissions in the cloud HR app to create a system integration user and make changes to test employee data for testing purposes.
8787
- For user provisioning to Active Directory, a server running Windows Server 2016 or greater is required to host the Microsoft Entra Connect provisioning agent. This server should be a tier 0 server based on the Active Directory administrative tier model.
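Review bot: The new bullet at line 83 shortens the product name to "the Connect provisioning agent", which is ambiguous on its own and no longer matches the unchanged bullet at line 87 in this same list, which still says "Microsoft Entra Connect provisioning agent". Keep the full name in the prerequisite, for example "role to configure the Microsoft Entra Connect provisioning agent". Dropping "in the Azure portal" from line 84 and linking the role names directly is fine.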

articles/active-directory/app-provisioning/provision-on-demand.md

Lines changed: 4 additions & 3 deletions
@@ -30,23 +30,24 @@ Use on-demand provisioning to provision a user or group in seconds. Among other
3030

3131
::: zone pivot="app-provisioning"
3232

33-
2. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**.
33+
2. Browse to **Identity** > **Applications** > **Enterprise applications** > select your application.
34+
3. Select **Provisioning**.
3435

35-
3. Select your application, and then go to the provisioning configuration page.
3636
::: zone-end
3737

3838
::: zone pivot="cross-tenant-synchronization"
3939

4040
2. Browse to **Identity** > **External Identities** > **Cross-tenant Synchronization** > **Configurations**
41-
4241
3. Select your configuration, and then go to the **Provisioning** configuration page.
42+
4343
::: zone-end
4444

4545
4. Configure provisioning by providing your admin credentials.
4646

4747
5. Select **Provision on demand**.
4848

4949
6. Search for a user by first name, last name, display name, user principal name, or email address. Alternatively, you can search for a group and pick up to five users.
50+
5051
> [!NOTE]
5152
> For Cloud HR provisioning app (Workday/SuccessFactors to AD/Azure AD), the input value is different.
5253
> For Workday scenario, please provide "WorkerID" or "WID" of the user in Workday.
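Review bot: Step 2 in the app-provisioning zone (line 33) now ends its breadcrumb with "> select your application", mixing a UI path with an action, whereas the cross-tenant zone below keeps the action in its own step ("Select your configuration, and then go to the **Provisioning** configuration page"). For consistency, either end the path at **Enterprise applications** and start step 3 with "Select your application, and then select **Provisioning**", or restructure both zones the same way. The cross-tenant step 2 also still lacks a terminal period after **Configurations**, and the NOTE in the trailing context still says "AD/Azure AD", which the rest of this commit is moving away from.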

articles/active-directory/app-provisioning/skip-out-of-scope-deletions.md

Lines changed: 4 additions & 2 deletions
@@ -26,8 +26,10 @@ Because this configuration is widely used with the *Workday to Active Directory
2626

2727
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
2828

29-
1. Sign in to the [Azure portal](https://portal.azure.com), and navigate to the Properties section of your provisioning application. For example, if you want to export your *Workday to AD User Provisioning application* mapping navigate to the Properties section of that app.
30-
1. In the Properties section of your provisioning app, copy the GUID value associated with the *Object ID* field. This value is also called the **ServicePrincipalId** of your app and it's used in Graph Explorer operations.
29+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
30+
1. Browse to **Identity** > **Applications** > **Enterprise applications**.
31+
1. Select your application and go to Properties section of your provisioning app. In this example we are using Workday.
32+
1. Copy the GUID value in the *Object ID* field. This value is also called the **ServicePrincipalId** of your app and it's used in Graph Explorer operations.
3133

3234
![Screenshot of Workday App Service Principal ID.](./media/skip-out-of-scope-deletions/wd_export_01.png)
3335

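Review bot: In the added step at line 29, "as at least a [Application Administrator]" should be "an Application Administrator", as written in the other articles in this commit. Step 31 reads "go to Properties section of your provisioning app" (missing "the") and repeats "your application" / "your provisioning app" in one sentence; "Select your application, and then go to **Properties**" would be tighter. The replacement example "In this example we are using Workday" is less specific than the removed "Workday to AD User Provisioning application", so consider naming the app exactly as it appears in the screenshot that follows.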