
Commit b35d117

Merge pull request #180238 from ArvindHarinder1/patch-224
Update on-premises-scim-provisioning.md
2 parents bda4dba + c5c769f commit b35d117

6 files changed: +47 -99 lines changed

articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md

Lines changed: 3 additions & 10 deletions
@@ -7,17 +7,14 @@ manager: karenh444
77
ms.service: active-directory
88
ms.workload: identity
99
ms.topic: overview
10-
ms.date: 05/28/2021
10+
ms.date: 11/18/2021
1111
ms.subservice: hybrid
1212
ms.author: billmath
1313
ms.collection: M365-identity-device-management
1414
---
1515

1616
# Azure AD on-premises application provisioning architecture
1717

18-
>[!IMPORTANT]
19-
> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability (GA).
20-
2118
## Overview
2219

2320
The following diagram shows an overview of how on-premises application provisioning works.
@@ -91,8 +88,8 @@ You can define one or more matching attribute(s) and prioritize them based on th
9188

9289

9390
## Agent best practices
94-
- Ensure the auto Azure AD Connect Provisioning Agent Auto Update service is running. It's enabled by default when you install the agent. Auto-update is required for Microsoft to support your deployment.
95-
- Avoid all forms of inline inspection on outbound TLS communications between agents and Azure. This type of inline inspection causes degradation to the communication flow.
91+
- Using the same agent for the on-prem provisioning feature along with Workday / SuccessFactors / Azure AD Connect Cloud Sync is currently unsupported. We are actively working to support on-prem provisioning on the same agent as the other provisioning scenarios.
92+
- - Avoid all forms of inline inspection on outbound TLS communications between agents and Azure. This type of inline inspection causes degradation to the communication flow.
9693
- The agent must communicate with both Azure and your application, so the placement of the agent affects the latency of those two connections. You can minimize the latency of the end-to-end traffic by optimizing each network connection. Each connection can be optimized by:
9794
- Reducing the distance between the two ends of the hop.
9895
- Choosing the right network to traverse. For example, traversing a private network rather than the public internet might be faster because of dedicated links.
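Review bot: the added bullet on new line 92 starts with a doubled list marker (`- - Avoid all forms of inline inspection on outbound TLS communications...`), which renders as an empty bullet with a nested one underneath; drop the extra `- ` so it matches the other bullets in the list. Removing the Auto Update bullet on old line 94 also removes the statement that auto-update is required for Microsoft to support the deployment; if that requirement still holds, keep the sentence, since the FAQ entry that repeated it is deleted in the next hunk.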
@@ -112,10 +109,6 @@ For the latest GA version of the provisioning agent, see [Azure AD connect provi
112109
2. Go to **Control Panel** > **Uninstall or Change a Program**.
113110
3. Look for the version that corresponds to the entry for **Microsoft Azure AD Connect Provisioning Agent**.
114111

115-
### Does Microsoft automatically push provisioning agent updates?
116-
117-
Yes. Microsoft automatically updates the provisioning agent if the Windows service Microsoft Azure AD Connect Agent Updater is up and running. Ensuring that your agent is up to date is required for support to troubleshoot issues.
118-
119112
### Can I install the provisioning agent on the same server running Azure AD Connect or Microsoft Identity Manager?
120113

121114
Yes. You can install the provisioning agent on the same server that runs Azure AD Connect or Microsoft Identity Manager, but they aren't required.
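Review bot: deleting the "Does Microsoft automatically push provisioning agent updates?" entry removes the only remaining statement that the Microsoft Azure AD Connect Agent Updater service must be running for support to troubleshoot issues; together with the best-practices bullet removed in the previous hunk, the article visible here no longer says this anywhere, so confirm that is intended. The unchanged context on the last line, "but they aren't required", is ambiguous after a singular subject; "but it isn't required" would read more clearly if you are touching this section.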

articles/active-directory/app-provisioning/on-premises-ecma-troubleshoot.md

Lines changed: 1 addition & 4 deletions
@@ -7,17 +7,14 @@ manager: karenh444
77
ms.service: active-directory
88
ms.workload: identity
99
ms.topic: overview
10-
ms.date: 10/21/2021
10+
ms.date: 11/19/2021
1111
ms.subservice: hybrid
1212
ms.author: billmath
1313
ms.collection: M365-identity-device-management
1414
---
1515

1616
# Troubleshoot on-premises application provisioning
1717

18-
>[!IMPORTANT]
19-
> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability.
20-
2118
## Troubleshoot test connection issues
2219
After you configure the provisioning agent and ECMA host, it's time to test connectivity from the Azure Active Directory (Azure AD) provisioning service to the provisioning agent, the ECMA host, and the application. To perform this end-to-end test, select **Test connection** in the application in the Azure portal. When the test connection fails, try the following troubleshooting steps:
2320
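Review bot: ms.date is set to 11/19/2021 here while the other files in this PR get 11/17/2021 and 11/18/2021; one date for the whole change set is easier to audit. The removed callout was the only preview-gating text in this hunk and nothing in the retained context replaces it, so confirm the capability is no longer invitation-only before merging.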

articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md

Lines changed: 1 addition & 4 deletions
@@ -7,7 +7,7 @@ manager: karenh444
77
ms.service: active-directory
88
ms.workload: identity
99
ms.topic: how-to
10-
ms.date: 11/11/2021
10+
ms.date: 11/17/2021
1111
ms.subservice: hybrid
1212
ms.author: billmath
1313
ms.collection: M365-identity-device-management
@@ -16,9 +16,6 @@ ms.collection: M365-identity-device-management
1616

1717
# Export a Microsoft Identity Manager connector for use with the Azure AD ECMA Connector Host
1818

19-
>[!IMPORTANT]
20-
> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability.
21-
2219
You can import into the Azure Active Directory (Azure AD) ECMA Connector Host a configuration for a specific connector from a Forefront Identity Manager Synchronization Service or Microsoft Identity Manager Synchronization Service (MIM Sync) installation. The MIM Sync installation is only used for configuration, not for the ongoing synchronization from Azure AD.
2320

2421
>[!IMPORTANT]
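Review bot: the trailing context shows a second `>[!IMPORTANT]` callout immediately after the removed preview notice (new line 21); check that the retained callout does not itself describe the invitation-only preview, otherwise the removal is incomplete in this file.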

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

Lines changed: 7 additions & 12 deletions
@@ -8,16 +8,13 @@ ms.service: active-directory
88
ms.subservice: app-provisioning
99
ms.topic: conceptual
1010
ms.workload: identity
11-
ms.date: 10/16/2021
11+
ms.date: 11/17/2021
1212
ms.author: billmath
1313
ms.reviewer: arvinh
1414
---
1515

1616
# Azure AD on-premises application provisioning to SCIM-enabled apps
1717

18-
>[!IMPORTANT]
19-
> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability.
20-
2118
The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010) client that can be used to automatically provision users into cloud or on-premises applications. This article outlines how you can use the Azure AD provisioning service to provision users into an on-premises application that's SCIM enabled. If you want to provision users into non-SCIM on-premises applications that use SQL as a data store, see the [Azure AD ECMA Connector Host Generic SQL Connector tutorial](tutorial-ecma-sql-connector.md). If you want to provision users into cloud apps such as DropBox and Atlassian, review the app-specific [tutorials](../../active-directory/saas-apps/tutorial-list.md).
2219

2320
![Diagram that shows SCIM architecture.](./media/on-premises-scim-provisioning/scim-4.png)
@@ -30,21 +27,19 @@ The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0]
3027
## On-premises app provisioning to SCIM-enabled apps
3128
To provision users to SCIM-enabled apps:
3229

33-
1. Add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
34-
1. Go to your app and select **Provisioning** > **Download the provisioning agent**.
35-
1. Select **On-Premises Connectivity**, and download the provisioning agent.
30+
1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM endpoint is hosted on.
3631
1. Copy the agent onto the virtual machine or server that your SCIM endpoint is hosted on.
3732
1. Open the provisioning agent installer, agree to the terms of service, and select **Install**.
3833
1. Open the provisioning agent wizard, and select **On-premises provisioning** when prompted for the extension you want to enable.
3934
1. Provide credentials for an Azure AD administrator when you're prompted to authorize. Hybrid administrator or global administrator is required.
4035
1. Select **Confirm** to confirm the installation was successful.
41-
1. Go back to your application, and select **On-Premises Connectivity**.
36+
1. Navigate to the Azure Portal and add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
37+
1. Select **On-Premises Connectivity**, and download the provisioning agent. 1. Go back to your application, and select **On-Premises Connectivity**.
4238
1. Select the agent that you installed from the dropdown list, and select **Assign Agent(s)**.
43-
1. Wait 10 minutes or restart the Azure AD Connect Provisioning agent service on your server or VM.
44-
1. Provide the URL for your SCIM endpoint in the **Tenant URL** box. An example is https://localhost:8585/scim.
45-
39+
1. Wait 20 minutes prior to completing the next step, to provide time for the agent assignment to complete.
40+
1. Provide the URL for your SCIM endpoint in the **Tenant URL** box. An example is https://localhost:8585/scim.
4641
![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
47-
1. Select **Test Connection**, and save the credentials.
42+
1. Select **Test Connection**, and save the credentials. Use the steps [here](https://docs.microsoft.com/azure/active-directory/app-provisioning/on-premises-ecma-troubleshoot#troubleshoot-test-connection-issues) if you run into connectivity issues.
4843
1. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
4944
1. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
5045
1. Test provisioning a few users [on demand](provision-on-demand.md).
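Review bot: new line 37 merges two list items onto one line (`1. Select **On-Premises Connectivity**, and download the provisioning agent. 1. Go back to your application, and select **On-Premises Connectivity**.`), so the second item will not render as a step; split it, and since the agent is already downloaded and installed in the preceding steps, the "download the provisioning agent" instruction here is redundant and can be dropped. The new step 1 already tells the reader to copy the agent onto the VM or server, so the unchanged step on line 31 ("Copy the agent onto the virtual machine or server that your SCIM endpoint is hosted on.") now duplicates it. The wait here becomes 20 minutes while the LDAP include in this same PR keeps 10 minutes for agent registration; the two should agree. New line 42 links with an absolute docs.microsoft.com URL where the rest of the list uses relative links (for example `customize-application-attributes.md`); the relative form `on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues` follows the repo convention and survives domain moves.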

includes/active-directory-app-provisioning-ldap.md

Lines changed: 18 additions & 34 deletions
@@ -4,10 +4,6 @@ For important details on what this service does, how it works, and frequently as
44

55
## Prerequisites for provisioning users into an LDAP directory
66

7-
>[!IMPORTANT]
8-
> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability. Provisioning users into Active Directory Domain Services is not supported through this preview.
9-
10-
117
### On-premises prerequisites
128

139
- A target system, such as Active Directory Lightweight Services (AD LDS), in which users can be created, updated, and deleted. This AD LDS instance should not be used to provision users into Azure AD because it may create a loop with Azure AD Connect.
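Review bot: the removed callout carried a support limitation in addition to the preview notice ("Provisioning users into Active Directory Domain Services is not supported through this preview."); if AD DS is still out of scope for LDAP provisioning, that sentence should survive outside the preview callout, for instance in the prerequisites list that follows.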
@@ -122,35 +118,21 @@ Now that we have configured the certificate and granted the network service acco
122118

123119
## Download, install, and configure the Azure AD Connect Provisioning Agent Package
124120

125-
1. Sign in to the Azure portal.
126-
2. Go to **Enterprise applications** > **Add a new application**.
127-
3. Search for the **On-premises ECMA app** application, and add it to your tenant.
128-
4. Select the **on-premises ECMA app** that was added.
129-
5. Under **Getting Started**, on the **3. Provision user accounts** box, select **Get started**.
130-
6. At the top, from the drop-down, change provisioning to **automatic**. This action will bring up **on-premises connectivity** below.
131-
7. Under **On-Premises Connectivity**, download the agent installer.
132-
8. Run the Azure AD Connect provisioning installer **AADConnectProvisioningAgentSetup.msi**.
133-
9. On the **Microsoft Azure AD Connect Provisioning Agent Package** screen, accept the licensing terms, and select **Install**.
134-
[![Microsoft Azure AD Connect Provisioning Agent Package screen.](media/active-directory-app-provisioning-sql/install-1.png)](media/active-directory-app-provisioning-sql/install-1.png#lightbox)</br>
135-
10. After this operation finishes, the configuration wizard starts. Select **Next**.
136-
[![Screenshot that shows the Welcome screen.](media/active-directory-app-provisioning-sql/install-2.png)](media/active-directory-app-provisioning-sql/install-2.png#lightbox)</br>
137-
11. On the **Select Extension** screen, select **On-premises application provisioning (Azure AD to application)**. Select **Next**.
138-
[![Screenshot that shows Select extension.](media/active-directory-app-provisioning-sql/install-3.png)](media/active-directory-app-provisioning-sql/install-3.png#lightbox)</br>
139-
12. Use your global administrator account to sign in to Azure AD.
140-
[![Screenshot that shows Azure sign-in.](media/active-directory-app-provisioning-sql/install-4.png)](media/active-directory-app-provisioning-sql/install-4.png#lightbox)</br>
141-
13. On the **Agent configuration** screen, select **Confirm**.
142-
[![Screenshot that shows Confirm installation.](media/active-directory-app-provisioning-sql/install-5.png)](media/active-directory-app-provisioning-sql/install-5.png#lightbox)</br>
143-
14. After the installation is complete, you should see a message at the bottom of the wizard. Select **Exit**.
144-
[![Screenshot that shows finishing.](media/active-directory-app-provisioning-sql/install-6.png)](media/active-directory-app-provisioning-sql/install-6.png#lightbox)</br>
145-
15. Go to back to the Azure portal under the **On-premises ECMA app** application, and back to **Edit Provisioning**.
146-
16. On the **Provisioning** page, change the mode to **Automatic**.
147-
[![Screenshot that shows changing the mode to Automatic.](.\media\active-directory-app-provisioning-sql\configure-7.png)](.\media\active-directory-app-provisioning-sql\configure-7.png#lightbox)</br>
148-
17. On the **On-Premises Connectivity** section, select the agent that you just deployed and select **Assign Agent(s)**.
149-
[![Screenshot that shows restarting an agent.](.\media\active-directory-app-provisioning-ldap\assign-1.png)](.\media\active-directory-app-provisioning-ldap\assign-1.png#lightbox)</br>
121+
1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that has connectivity to your SQL server.
150122
>[!NOTE]
151-
>After you add the agent, wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes.
152-
>
153-
>Alternatively, you can force the agent registration to complete by restarting the provisioning agent on your server. Go to your server, search for **services** in the Windows search bar, identify the **Azure AD Connect Provisioning Agent Service**, right-click the service, and restart.
123+
>Please use different provisioning agents for on-premises application provisioning and Azure AD Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.
124+
1. Open the provisioning agent installer, agree to the terms of service, and select **next**.
125+
1. Open the provisioning agent wizard, and select **On-premises provisioning** when prompted for the extension you want to enable.
126+
1. Provide credentials for an Azure AD administrator when you're prompted to authorize. Hybrid administrator or global administrator is required.
127+
1. Select **Confirm** to confirm the installation was successful.
128+
1. Sign in to the Azure portal.
129+
1. Go to **Enterprise applications** > **Add a new application**.
130+
1. Search for the **On-premises ECMA app** application, and add it to your tenant.
131+
1. Navigate to the provisioning page of your application.
132+
1. Select **Get started**.
133+
1. On the **Provisioning** page, change the mode to **Automatic**.
134+
![Screenshot that shows changing the mode to Automatic.](.\media\active-directory-app-provisioning-sql\configure-7.png)</br>
135+
1. On the **On-Premises Connectivity** section, select the agent that you just deployed and select **Assign Agent(s)**.
154136

155137
## Configure the Azure AD ECMA Connector Host certificate
156138
1. On the desktop, select the ECMA shortcut.
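Review bot: new step 1 (line 121) tells the reader to copy the agent onto the server "that has connectivity to your SQL server", but this is the LDAP include (`includes/active-directory-app-provisioning-ldap.md`, whose prerequisites section above targets AD LDS); the wording looks copied from the SQL include and should refer to the LDAP directory. New line 124 reads "select **next**" with a lowercase UI label where the removed steps used **Next** and the SCIM article in this PR uses **Install** for the same installer dialog; align the label. The unchanged `>[!NOTE]` callout now sits between step 1 and step 2 at the left margin, which ends the numbered list and restarts numbering at the next item unless the callout is indented under step 1; check the rendered output.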
@@ -236,9 +218,11 @@ Now that we have configured the certificate and granted the network service acco
236218
|Property|Value|
237219
|-----|-----|
238220
|Tenant URL|https://localhost:8585/ecma2host_connectorName/scim|
239-
221+
240222
5. Enter the **Secret Token** value that you defined when you created the connector.
241-
6. Select **Test Connection**, and wait one minute.
223+
>[!NOTE]
224+
>If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Azure AD Connect Provisioning Agent Service**, right-click the service, and restart.
225+
7. Select **Test Connection**, and wait one minute.
242226
[![Screenshot that shows assigning an agent.](.\media\active-directory-app-provisioning-ldap\test-1.png)](.\media\active-directory-app-provisioning-ldap\test-1.png#lightbox)
243227
7. After the connection test is successful, select **Save**.</br>
244228
[![Screenshot that shows testing an agent.](.\media\active-directory-app-provisioning-sql\configure-9.png)](.\media\active-directory-app-provisioning-sql\configure-9.png#lightbox)
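Review bot: the step numbers in this hunk no longer run in sequence: step 5 on new line 222 is followed by the added "7. Select **Test Connection**" on line 226 and then the unchanged "7. After the connection test is successful" on line 227, so 6 is skipped and 7 appears twice. Renumber the Test Connection step to 6 (it replaced the old step 6), or use `1.` for every item as the SCIM article in this PR does and let the renderer count. The added note keeps the 10-minute registration wait while the SCIM article in this PR was changed to 20 minutes; the two should state the same value.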
