Follow this procedure to set up Microsoft Entra ID (formerly known as Microsoft Azure Active Directory) as a source system.
-
You've logged on to Microsoft Azure Portal, with credentials for a user with directory role Global administrator. For more information, see Microsoft Entra built-in roles.
-
In Azure Active Directory > App registrations, you've registered an application with a secret key and permissions for Microsoft Graph API. These permissions must be consented by an administrator. For more information, see Microsoft Graph permissions reference.
-
(Relevant to target systems) Your registered application is assigned the User Account Administrator role. This role allows you to deprovision users. For more information, see Add-MsolRoleMember.
If this role isn't assigned, you can only disable users. To do that, set the
accountEnabledproperty to false. For more information, see MS Graph: user resource type
Permissions
Assign the following permissions to your application, according to your scenario. Also, the permissions have to be of type Application.
- Users – User.Read.All
- Groups – Group.Read.All
For more information, see MS Graph: Users and MS Graph: Groups
When using it as a source system, you can read both users and groups from Azure AD and provision them to any target system you've added in the Identity Provisioning user interface (if it supports groups).
If you've successfully finished with the initial setup (described in the Prerequisites section), continue with the procedure.
-
Access the Identity Provisioning UI.
-
Sign in to the administration console of SAP Cloud Identity Services and navigate to Identity Provisioning > Source Systems.
-
Add Microsoft Entra ID as a source system. For more information, see Add New Systems.
-
Choose the Properties tab to configure the connection settings for your system.
If your tenant is running on SAP BTP, Neo environment, you can create a connectivity destination in your subaccount in the SAP BTP cockpit, and then select it from the Destination Name combo box in your Identity Provisioning User Interface.
If one and the same property exists both in the cockpit and in the Properties tab, the value set in the Properties tab is considered with higher priority.
We recommend that you use the Properties tab. Use a connectivity destination only if you need to reuse one and the same configuration for multiple provisioning systems.
Mandatory Properties
Property Name
Description & Value
TypeEnter: HTTP
URLEnter: https://graph.microsoft.com
ProxyTypeEnter: Internet
AuthenticationEnter: BasicAuthentication
UserEnter the application ID registered in your Azure AD subscription (see the Prerequisites section).
Password(Credential) Enter the secret key associated to your app registration.
aad.domain.nameEnter one of the verified domain names from the corresponding Azure AD tenant. On this domain, you perform the provisioning operations. For more information, see Managing custom domain names in your Microsoft Entra ID.
oauth.resource.nameEnter: https://graph.microsoft.com
OAuth2TokenServiceURLEnter: https://login.microsoftonline.com/<your_domain>/oauth2/token, where
<your_domain>is the domain name you have set in theaad.domain.nameproperty.(Optional)
aad.group.member.attributesThis property defines the attributes of a group member to be read by the Identity Provisioning. By default, it always reads the type and the id of a member.
If you want the Identity Provisioning to read additional attributes, enter them as a single or a comma-separated value. For example:
-
If you want to read the e-mails too, enter:
aad.group.member.attributes=mailThis reads a member's type, ID, and e-mail.
-
If you want to read multiple additional attributes, enter:
aad.group.member.attributes=mail,mobilePhone,displayNameThis reads a member's type, ID, e-mail, phone, and display name.
(Optional)
aad.user.attributes.membership.activeUse this property if you want to retrieve information about all the groups to which the users are assigned (if any).
- If the property is missing, or is set to false – group membership details for the users will not be extracted.
- If the property is set to true – group membership details for the users will be extracted.
To learn more, see: List of Properties
(Optional)
aad.user.filterUse this property to filter users by specific criteria, according to the Microsoft Graph REST API.
This property replaces the deprecated
msgraph-filterproperty. To learn more, see: List of Properties(Optional)
aad.group.filterUse this property to filter groups by specific criteria, according to the Microsoft Graph REST API.
(Optional)
aad.user.filter.group.filter.combineUse this property to filter users based on their group assignments.
When set to true, this property combines user and group filters defined on the
aad.user.filterandaad.group.filterproperties to further narrow the search results. This way, only users that meet the following filtering criteria are returned:-
Users that match the user filter and at the same time are members of groups that match the group filter.
-
Members of the filtered groups that match the user filter.
When set to false, user and group filters are not combined.
To learn more, see:
Identity Provisioning: How to Get Users Based on Group Assignments from MS Azure AD
(Optional)
aad.user.attributesDefines which user attributes are read from Microsoft Entra ID system.
The property is set during system creation with the following default value: id,mail,userPrincipalName,displayName,mailNickname,givenName,surname,mobilePhone,businessPhones
This means that by default, Identity Provisioning will read from Microsoft Entra ID the user attributes defined in the property value. Those attributes are used in the default read transformation.
To check the complete set of user attributes (properties) supported by Microsoft Entra ID, see: Microsoft Graph: User Properties
To learn more, see: List of Properties
(Optional)
aad.group.attributesDefines which group attributes are read from Microsoft Entra ID system.
The property is set during system creation with the following default value: id,displayName,mailNickname
This means that by default, Identity Provisioning will read from Microsoft Entra ID the group attributes defined in the property value and will also return the members attribute. Those attributes are used in the default read transformation.
To check the complete set of group attributes (properties) supported by Microsoft Entra ID, see: Microsoft Graph: Group Properties
To learn more, see: List of Properties
(Optional)
aad.entities.topThis property defines the number of entities to be read per page. Default value: 100
To learn what additional properties are relevant to this system, see List of Properties. You can use the main search, or filter properties by the Name or System Type columns.
-
-
(Optional) Configure the transformations.
Transformations are used to map the user attributes from the data model of the source system to the data model of the target system, and the other way around. The Identity Provisioning offers a default transformation for the Microsoft Entra ID source system, whose settings are displayed under the Transformations tab after saving its initial configuration.
You can change the default transformation mapping rules depending on your setup of entities in your Microsoft Entra ID. For more information, see:
Default transformation:
{ "user": { "condition": "$.userPrincipalName EMPTY false", "mappings": [ { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourcePath": "$.mailNickname", "optional": true, "targetPath": "$.externalId", "correlationAttribute": true }, { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" }, { "sourcePath": "$.mail", "targetPath": "$.emails[0].value", "correlationAttribute": true }, { "sourcePath": "$.userPrincipalName", "targetPath": "$.userName", "correlationAttribute": true }, { "sourcePath": "$.displayName", "optional": true, "targetPath": "$.displayName" }, { "sourcePath": "$.givenName", "optional": true, "targetPath": "$.name.givenName" }, { "sourcePath": "$.surname", "optional": true, "targetPath": "$.name.familyName" }, { "sourcePath": "$.mobilePhone", "optional": true, "targetPath": "$.phoneNumbers[0].value" }, { "condition": "$.mobilePhone EMPTY false", "constant": "mobile", "targetPath": "$.phoneNumbers[0].type" }, { "sourcePath": "$.businessPhones[0]", "optional": true, "targetPath": "$.phoneNumbers[1].value" }, { "condition": "$.businessPhones.length() > 0", "constant": "work", "targetPath": "$.phoneNumbers[1].type" }, { "sourcePath": "$.groups", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.groups" }, { "sourcePath": "$.manager.id", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "optional": true }, { "sourcePath": "$.manager.displayName", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']", "optional": true } ] }, "group": { "ignore": true, "mappings": [ { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" }, { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourcePath": "$.mailNickname", "optional": true, "targetPath": "$.externalId" }, { "sourcePath": "$.displayName", "targetPath": "$.displayName" }, { "sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members" }, { "targetPath": "$.members[*].id", "constant": "value", "type": "rename", "optional": true } ] } }Custom Configurations
Goal
Action
Result
You want Identity Provisioning to read the additional user attributes specified in property
aad.user.attributesand write them successfully in the target system.Extend the "user" mapping as follows:
{ "user": { "condition": "$.userPrincipalName EMPTY false", "mappings": [ { "sourcePath": "$", "targetPath": "$" }, { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" }, ...For example, you specify the
aad.user.attributesproperty and set its value to: id,mail,userPrincipalName,city,department,companyNameAs a result, every user in the target system will have the following attributes populated – ID, e-mail, user principle name, city, department, and company name.
Returned information of an exemplary user:
... { "Resources":[ { "id":"555-aaaa-333-abcd-111222333", "mail":"[email protected]", "userPrincipalName":"[email protected]", "city": "Sofia", "department":"029", "companyName":"SAP" } ... ] }You want Identity Provisioning to read the additional group attributes specified in property
aad.group.attributesand write them successfully in the target system.Extend the "group" mapping as follows:
{ "group": { "ignore": false, "mappings": [ { "sourcePath": "$", "targetPath": "$" }, { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" }, ...Example: Specify the
aad.group.attributesproperty and set its value to: id,displayName,recommendation,isSubscribedByMailAs a result, every group in the target system will have the following attributes populated – ID, display name, date and time of the last renewal, and information if it's subscribed by e-mail or not.
Returned information of an exemplary group:
... { "Resources":[ { "id":"12345-ccc-000-xyz-777888999", "displayName":"ImportantGroup3", "renewedDateTime":"2018-01-01T00:00:00Z", "isSubscribedByMail":"true" } ... ] }You want the returned value of a group member to be not the ID but a different attribute.
In the
"group"mapping, replace id with the new attribute. For example:If you replace id with mail, the transformation will look like this:
... { "sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members" }, { "targetPath": "$.members[*].mail", "constant": "value", "type": "rename", "optional": true } ...Make sure that you've added this attribute as a value of property aad.group.member.attributes.
Returned information of an exemplary group member:
... { "members":[ { "id":"5555555-aaaa-333-abcd-1111122223333", "type":"user", "value":"[email protected]" } ] } ... -
Now, add a target system to provision users and groups into it. Choose from: Target Systems
- Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the jobs. For more information, see Manage Job Notifications.
- Now, start an identity provisioning job. For more information, see Monitor Provisioning Job Logs.