Commit f3760b8

Merge pull request #203832 from Rainier-MSFT/patch-132
Added detail and clarity
2 parents cb1310e + 7f9c004 commit f3760b8

1 file changed: +25 -21 lines changed

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

Lines changed: 25 additions & 21 deletions
@@ -23,27 +23,31 @@ The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0]
2323
- Administrator role for installing the agent. This task is a one-time effort and should be an Azure account that's either a hybrid administrator or a global administrator.
2424
- Administrator role for configuring the application in the cloud (application administrator, cloud application administrator, global administrator, or a custom role with permissions).
2525

26-
## On-premises app provisioning to SCIM-enabled apps
27-
To provision users to SCIM-enabled apps:
28-
29-
1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM endpoint is hosted on.
30-
1. Open the provisioning agent installer, agree to the terms of service, and select **Install**.
31-
1. Open the provisioning agent wizard, and select **On-premises provisioning** when prompted for the extension you want to enable.
32-
1. Provide credentials for an Azure AD administrator when you're prompted to authorize. Hybrid administrator or global administrator is required.
33-
1. Select **Confirm** to confirm the installation was successful.
34-
1. Navigate to the Azure Portal and add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
35-
1. Select **On-Premises Connectivity**, and download the provisioning agent. 1. Go back to your application, and select **On-Premises Connectivity**.
36-
1. Select the agent that you installed from the dropdown list, and select **Assign Agent(s)**.
37-
1. Wait 20 minutes prior to completing the next step, to provide time for the agent assignment to complete.
38-
1. Provide the URL for your SCIM endpoint in the **Tenant URL** box. An example is https://localhost:8585/scim.
39-
![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
40-
1. Select **Test Connection**, and save the credentials. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues.
41-
1. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
42-
1. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
43-
1. Test provisioning a few users [on demand](provision-on-demand.md).
44-
1. Add more users into scope by assigning them to your application.
45-
1. Go to the **Provisioning** pane, and select **Start provisioning**.
46-
1. Monitor using the [provisioning logs](../../active-directory/reports-monitoring/concept-provisioning-logs.md).
26+
## Deploying Azure AD provisioning agent
27+
The Azure AD Provisioning agent can be deployed on the same server hosting a SCIM enabled application, or a seperate server, providing it has line of sight to the application's SCIM endpoint. A single agent also supports provision to multiple applications hosted locally on the same server or seperate hosts, again as long as each SCIM endpoint is reachable by the agent.
28+
29+
1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM application endpoint is hosted on.
30+
2. Run the provisioning agent installer, agree to the terms of service, and select **Install**.
31+
3. Once installed, locate and launch the **AAD Connect Provisioning Agent wizard**, and when prompted for an extensions select **On-premises provisioning**
32+
4. For the agent to register itself with your tenant, provide credentials for an Azure AD admin with Hybrid administrator or global administrator permissions.
33+
5. Select **Confirm** to confirm the installation was successful.
34+
35+
## Provisioning to SCIM-enabled application
36+
Once the agent is installed, no further configuration is necesary on-prem, and all provisioning configurations are then managed from the portal. Repeat the below steps for every on-premises application being provisioned via SCIM.
37+
38+
1. In the Azure portal navigate to the Enterprise applications and add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
39+
2. From the left hand menu navigate to the **Provisioning** option and select **Get started**.
40+
3. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option.
41+
4. Select the agent that you installed from the dropdown list and select **Assign Agent(s)**.
42+
5. Now either wait 10 minutes or restart the **Microsoft Azure AD Connect Provisioning Agent** before proceeding to the next step & testing the connection.
43+
6. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolveable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
44+
7. Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues.
45+
8. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
46+
9. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
47+
10. Test provisioning a few users [on demand](provision-on-demand.md).
48+
11. Add more users into scope by assigning them to your application.
49+
12. Go to the **Provisioning** pane, and select **Start provisioning**.
50+
13. Monitor using the [provisioning logs](../../active-directory/reports-monitoring/concept-provisioning-logs.md).
4751

4852
## Additional requirements
4953
* Ensure your [SCIM](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010) implementation meets the [Azure AD SCIM requirements](use-scim-to-provision-users-and-groups.md).
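
Review bot: Step 1 of the new "Deploying Azure AD provisioning agent" list still tells the reader to copy the agent "onto the virtual machine or server that your SCIM application endpoint is hosted on", which contradicts the new introductory paragraph stating that the agent can also run on a separate server with line of sight to the endpoint. Suggest rewording step 1 so it covers both placements, for example "copy it onto the server that will run the agent". Other points in the same hunk: the wait after **Assign Agent(s)** changes from 20 minutes to 10 with no explanation, so the value is worth confirming; step 7 says "save the credentials" but no step states which credentials the SCIM endpoint expects or where they are entered, and a sentence on what authenticates the agent to the endpoint would help given the example Tenant URL is https://localhost:8585/scim; the screenshot is now appended to the end of step 6 and should return to its own line as it was before; and the added text has typos to fix: "seperate" (twice), "necesary", "resolveable", "for an extensions", the missing period at the end of step 3, and "&" in step 5.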
