0

we use SCIM 2.0 to provision accounts from a source, like AD, to our app. However, increasingly customers move to AzureAD. Provision 'normal' acounts from Azure AD is supported and is straight forward. However, we can find no information on how group/functional/delegated account can be created in AzureAD with assigned users and thus also not how to provision those accounts. Currently our customers seem manage these accounts directly in ExchangeOnline, which makes that there are two distinct sources, and these accounts can not be provisioned from Exchange using SCIM.

Anyone can help to understand what is and what is not possible in AzureAD in terms of these accounts and provisioning?

Thanks!

Regards, Rick

Rick Goud
  • 105
  • 5

1 Answers1

0

• As per your query, group accounts can be created, and they can be assigned to a particular app assignment or an app role. Please find the below powershell script to create a group that can be assigned to a role: -

$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group is assigned to Helpdesk Administrator built-in role in Azure AD." -MailEnabled $true -SecurityEnabled $true -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true

• For more information on delegated accounts, please refer the below link: -

https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-delegate

https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-self-service-management

• As far as provisioning is concerned related to user and group accounts, we can do the below tasks: -

  1. Automate provisioning: Automatically create new accounts in the right systems for new people when they join your team or organization.
  2. Automate deprovisioning: Automatically deactivate accounts in the right systems when people leave the team or organization.
  3. Synchronize data between systems: Ensure that the identities in your apps and systems are kept up to date based on changes in the directory or your human resources system.
  4. Provision groups: Provision groups to applications that support them.
  5. Govern access: Monitor and audit who has been provisioned into your applications.
  6. Seamlessly deploy in brown field scenarios: Match existing identities between systems and allow for easy integration, even when users already exist in the target system.
  7. Use rich customization: Take advantage of customizable attribute mappings that define what user data should flow from the source system to the target system.
  8. Get alerts for critical events: The provisioning service provides alerts for critical events and allows for Log Analytics integration where you can define custom alerts to suit your business needs.

Please refer below link for more information: -

https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/user-provisioning

Thanking you,

Kartik Bhiwapurkar
  • 4,550
  • 2
  • 4
  • 9