Hope you all are doing well!
In our previous articles we discussed how to configure Single Sign-On (SSO) for a SaaS application after integrating it with Azure AD. Today we will proceed further and discuss a very important service of application management: Automatic User Provisioning for SaaS applications.
If you have missed our previous articles on Azure Identity and Access Management (IAM), please check them at the following links.
Automatic User Provisioning :
The Azure AD User Provisioning Service lets IT administrators automatically create, update and delete user profile records inside popular SaaS apps, based on the users and groups in Azure Active Directory. SaaS applications from the following two groups can use the automatic user provisioning service of Azure AD.
- Pre-integrated applications (gallery SaaS apps) – many SaaS applications from the gallery can use this service, such as ServiceNow and Salesforce.
- Applications that support SCIM 2.0 – applications that implement the SCIM 2.0 user management API can use the user provisioning service.
Features Of Automatic User Provisioning :
As discussed, it is a crucial service for organisations using a large number of SaaS applications. It has the following features, which make it very useful and robust.
- Automate provisioning, deprovisioning and updating of users and groups.
- Synchronize data between the source and target systems.
- Govern access by monitoring and auditing who has been provisioned into your applications.
- Deploy seamlessly in brownfield scenarios (applications that already contain users).
- Customize attribute mappings to define which user data flows from the source system to the target system.
- Receive alerts for critical events.
Benefits Of Automatic User Provisioning :
With the help of the above features, we get the following benefits from the automatic user provisioning service of Azure AD application management.
- Maximizes the efficiency and accuracy of provisioning processes.
- Saves the costs of hosting and maintaining custom provisioning solutions, and the IT staff time spent provisioning and deprovisioning users.
- Secures your organization by instantly deprovisioning users’ identities from SaaS apps when they leave the organization.
- Easily imports a large number of users when synchronizing.
- Provides a single set of policies to verify the provisioned users.
- Increases productivity.
- Manages risk.
- Addresses compliance and governance.
- Supports the Microsoft Graph API.
Lab Exercise :
In this lab we will go through the steps required in Azure AD and in the ServiceNow application to automatically provision and de-provision user accounts from Azure AD to ServiceNow. As discussed, the Azure AD provisioning service creates, updates and disables users and/or groups in the configured SaaS application based on the user and/or group assignments in Azure AD.
The steps required to configure automatic user provisioning vary between SaaS applications, but the basics are the same, so we have divided the procedure into 4 logical sections. In the first section, we verify that the ServiceNow configuration is in place to support provisioning with Azure AD. In the second section, we integrate the SaaS app with Azure AD, and in the third section we assign users/groups to the integrated app. In the fourth section, we configure user provisioning to automate the synchronization of users/groups from Azure AD to the integrated application. In the following exercise we will see how to configure user provisioning for the ServiceNow application.
Let’s go through the following steps to configure user provisioning for the ServiceNow SaaS application.
Step 1 – Identify our ServiceNow instance name. We can find the instance name in the URL that we use to access ServiceNow. As shown in the following figure, the instance name is dev91749.
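As an added example (not code from the article or from Microsoft), the following Python sketch models the decision the provisioning service makes on each cycle from the app's user assignments: create assigned users that are missing in the target, update the ones whose mapped attributes have drifted, and disable (not delete) users that are no longer assigned. The ServiceNow field names, the matching attribute and all sample data are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed attribute mapping: Azure AD attribute -> ServiceNow user field.
# Target field names are illustrative, not the real default mapping.
MAPPING = {"userPrincipalName": "user_name", "givenName": "first_name",
           "surname": "last_name", "mail": "email"}
MATCH_KEY = "user_name"  # target attribute used to match existing records

@dataclass
class Action:
    kind: str             # "create", "update", "disable" or "skip"
    user_name: str
    changes: dict = field(default_factory=dict)

def map_user(aad_user: dict) -> dict:
    """Apply the (direct-only) attribute mapping to one Azure AD user."""
    return {dst: aad_user.get(src) for src, dst in MAPPING.items()}

def reconcile(assigned: list, managed: dict) -> list:
    """Compute the actions for one sync cycle.
    assigned: Azure AD users currently assigned to the app.
    managed: target records the service created earlier, keyed by MATCH_KEY,
             each carrying an 'active' flag."""
    actions, seen = [], set()
    for aad_user in assigned:
        desired = map_user(aad_user)
        key = desired[MATCH_KEY]
        seen.add(key)
        existing = managed.get(key)
        if existing is None:
            actions.append(Action("create", key, desired))
            continue
        diff = {k: v for k, v in desired.items() if existing.get(k) != v}
        if not existing.get("active", True):
            diff["active"] = True  # re-enable a user who was deprovisioned earlier
        actions.append(Action("update", key, diff) if diff else Action("skip", key))
    # Managed users no longer assigned are disabled, not deleted: this is the
    # deprovisioning behaviour the article describes for leavers.
    for key, record in managed.items():
        if key not in seen and record.get("active", True):
            actions.append(Action("disable", key, {"active": False}))
    return actions
```

Only records the service itself created are considered for disabling, which is why pre-existing ServiceNow accounts are kept out of the `managed` dictionary.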
Step 2 – Get the credentials of an admin user in ServiceNow. Navigate to the user profile in ServiceNow and verify that the user has the admin role, as we can see in the following figure.
Step 3 – Go to Azure Portal => Azure Active Directory => All Applications => click +New Application if the required application has not yet been integrated; otherwise select the already integrated application, as shown in the following figure. We will configure user provisioning for the ServiceNow For Manas application.
Step 4 – With that, our first step of integrating the required application is done. As we can see in the following figure, the item highlighted with number ‘1’ lets the admin assign users and groups. As discussed earlier, in our second step we assign users and groups, with their roles, to the application.
As shown in the following figure, I have assigned 4 users to the ServiceNow application. A couple of the user names start with ‘Manas’.
Step 5 – Our second step is done. Now let’s proceed to the last and most crucial step, configuring provisioning. Select Provisioning from the Manage section => click Get started to begin the configuration, as shown in the following figure.
Step 6 – On the Provisioning page, we first need to set the Provisioning Mode. There are two options.
- Manual – this option is shown if Azure AD doesn’t support automatic provisioning of user accounts to this application.
- Automatic – this option is shown if Azure AD supports automatic API-based provisioning and de-provisioning of user accounts to this application.
I have set the Provisioning Mode to Automatic for our exercise.
Step 7 – As per the above figure, the next task is to configure the following fields and then click Test Connection to verify the connection from Azure AD to the ServiceNow application.
- Instance Name – the instance name of our ServiceNow account.
- Admin Username – the ServiceNow administrator username.
- Admin Password – the ServiceNow administrator password.
- Notification Email – the address that receives an email notification when a failure occurs; this field is optional.
Step 8 – As shown in the above figure, we have configured the required fields. Now let’s test the connection. As shown in the following figure, a connection from Azure AD to the ServiceNow For Manas application was established successfully.
Step 9 – In the above steps we configured the Admin Credentials section and successfully established a connection with the ServiceNow For Manas application. Now let’s configure the remaining sections: the Mappings section and the Settings section.
As we can see in the following figure, we leave the mappings at their default settings, and in the Settings section we set Provisioning Status to On.
Step 10 – Now our automatic user provisioning configuration is done. Before saving the configuration, let’s check how many users whose names start with ‘Manas’ exist in the Users section of the ServiceNow application. As we can see in the following figure, only one such user is in the list.
Step 11 – Now let’s go back to the Azure portal and click the Save button to save the configuration and start the user provisioning service.
Step 12 – Once the synchronization has completed, we can see the actions and status of the provisioning in the Provisioning Log, as shown in the above figure. We can see that 4 users were successfully created in the target ServiceNow system. Now let’s verify the same in the ServiceNow application: go to the Users section and find all users provisioned from Azure AD, as shown in the following figure.
Step 13 – Now let’s go back to the Provisioning page of the Azure portal, where we can see two default mappings: one to sync users and the other to sync groups.
We can see the details of a mapping by clicking on the mapping link. As shown in the following figure, we can configure the actions for the mapping. We can also configure/modify the mapping between source system properties and target system properties.
The default provisioning interval is 40 minutes, so the sync job runs every 40 minutes. After the first run, each run is incremental. If we want to sync on demand, we can start provisioning immediately. Let’s assign a new user ‘Ashok Kumar’ to our integrated ‘ServiceNow For Manas’ app.
Suppose we have added a new user and want that user in the target system as soon as possible. After assigning the new user to the app, go to the Provisioning page of the app => check the ‘Clear current state and restart synchronization’ checkbox => click the Save button, and it will ask for a confirmation before starting.
In the following figure we can see that the user has been created in the target system.
The provisioning feature is very flexible and allows the user to perform many actions with a single click, as shown in the following figure.
The following are the actions we can perform from the Provisioning page of an integrated SaaS app.
- Stop Provisioning
- Restart Provisioning
- Edit Provisioning
- Provision On Demand
- Update Credentials
- Edit Attribute Mapping
- Add Scoping Filter
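As an added example (not code from the article or from Microsoft) for the attribute mapping described in Step 13 and the scoping filter listed above, the following Python models the three mapping types an Azure AD attribute mapping can use (Direct, Constant, Expression) and a scoping filter that decides whether an assigned user is provisioned at all. The operator names follow the portal's scoping filter vocabulary as an assumption; the target field names, the filter clauses and the sample users are constructed.

```python
import re

# Constructed mapping: target field -> (mapping type, source). Types model
# the Direct / Constant / Expression choices in an Azure AD attribute mapping.
MAPPING = {
    "user_name":  ("direct", "userPrincipalName"),
    "first_name": ("direct", "givenName"),
    "last_name":  ("direct", "surname"),
    "email":      ("direct", "mail"),
    "name":       ("expression", lambda u: " ".join(
        p for p in (u.get("givenName"), u.get("surname")) if p)),
    "source":     ("constant", "AzureAD"),
}
# Constructed scoping filter; every clause must hold for a user to be provisioned.
SCOPING_FILTER = [
    ("department", "EQUALS", "IT"),
    ("userPrincipalName", "REGEX MATCH", r"[^@]+@contoso\.example"),
]

def clause_holds(user, attr, op, value):
    """Evaluate one scoping-filter clause against an Azure AD user."""
    actual = user.get(attr)
    if op == "EQUALS":
        return actual == value
    if op == "NOT EQUALS":
        return actual != value
    if op == "REGEX MATCH":
        return actual is not None and re.fullmatch(value, actual) is not None
    if op == "NOT REGEX MATCH":
        return actual is None or re.fullmatch(value, actual) is None
    raise ValueError(f"unsupported operator {op!r}")

def in_scope(user, clauses=SCOPING_FILTER):
    return all(clause_holds(user, *clause) for clause in clauses)

def map_attributes(user, mapping=MAPPING):
    """Build the target-system record by applying each mapping type."""
    out = {}
    for target, (kind, source) in mapping.items():
        if kind == "direct":
            out[target] = user.get(source)
        elif kind == "constant":
            out[target] = source
        else:  # "expression": a callable over the Azure AD user
            out[target] = source(user)
    return out

def provision_payload(user):
    """Record to send for an in-scope user; None means the user is skipped."""
    return map_attributes(user) if in_scope(user) else None
```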
With the above information, we conclude this article. I hope it was informative. I am exploring Azure Identity and Access Management (IAM) in detail, especially Azure Active Directory, so please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading and share your thoughts and experiences. Feel free to contact us to discuss further.
Thanks for reading 🙂