0 votes

first of all, I'm absolutely new to Azure, so if my questions sound uneducated, that's the reason.

I'm looking for a guide or better—an understanding of how much effort is involved to provide automated user provisioning and de-provisioning as a SaaS provider as per here.

At the moment, my SaaS is not listed in the Azure Active Directory application gallery and instead, my clients enable SSO (Single Sign-On) by configuring single sign-on to applications that are not in the Azure Active Directory application gallery as per here.

In an ideal scenario, my clients will continue configuring single sign-on to applications that are not in the Azure Active Directory application gallery. That being said, after they successfully configure the integration, they should be able to enable automated user provisioning and de-provisioning with my SaaS.

Right, where do I start? :)


1 Answer

2 votes

You have two options: SCIM 2.0, or Microsoft Graph. You can use one or the other individually, or both together.

Option 1: SCIM 2.0

Start here: Using System for Cross-Domain Identity Management (SCIM) to automatically provision users and groups from Azure Active Directory to applications

Azure AD natively supports SCIM 2.0, a standardized way of exchanging identity information that could also work with other SCIM-compatible systems.

One advantage is that there's a chance you can re-use this work for a different identity source system. Another is that the Azure AD provisioning service will take care of filtering and only sending you the users and groups the customer has assigned to the app.

A disadvantage is that you will be more constrained to the schema and protocol of SCIM 2.0, as compared to what you could get with native integration with Microsoft Graph.

Option 2: Microsoft Graph

Start here: Use delta query to track changes in Microsoft Graph data

The Microsoft Graph API has two change-tracking features which your app can make use of to sync changes to users and groups: change notifications (you get a ping every time something changes) and delta query (you retrieve all changes since the last time you checked).

The advantage here is you have much greater control over the sync process and options, and you'll have the option to provide very rich integrations (if relevant) with Office 365 and other Microsoft cloud services.
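To make Option 1 concrete, here is a minimal SCIM 2.0 `/Users` handler modelling the calls the Azure AD provisioning service makes against a SaaS endpoint: the existence probe (`GET /Users?filter=userName eq "..."`), create (`POST`), the `PATCH` that sets `active` to false when a user is unassigned (this is the de-provisioning signal), and `DELETE`. This is an added example, not code from the question, the answer or Microsoft; the bearer token, the in-memory store, the `ScimUserStore` class and the sample user are all constructed assumptions, and it covers only the core User schema, not Groups or pagination.

```python
"""Minimal SCIM 2.0 /Users handler (constructed example, not Microsoft code).
Assumes a single static bearer token, an in-memory store and the core User
schema only. handle() returns (http_status, json_body) so it can be wired to
any web framework."""
import re
import secrets
import uuid
from urllib.parse import parse_qs

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# The secret token the tenant admin pastes into the provisioning blade (constructed value).
BEARER_TOKEN = "example-secret-token"

# Only the filter shape Azure AD uses for its pre-create probe is supported here.
_FILTER_RE = re.compile(r'^userName eq "([^"]*)"$')


def _coerce(value):
    # Normalise "True"/"False" strings to booleans defensively; some provisioning
    # clients send the `active` attribute as a string rather than a JSON boolean.
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


class ScimUserStore:
    def __init__(self):
        self.users = {}  # SCIM id -> user resource

    def _error(self, status, detail):
        return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}

    def handle(self, method, path, headers, body=None):
        # Every request must carry the shared bearer token; compare in constant time.
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or not secrets.compare_digest(auth[7:], BEARER_TOKEN):
            return self._error(401, "Unauthorized")
        m = re.fullmatch(r"/Users(?:/([^/?]+))?(?:\?(.*))?", path)
        if not m:
            return self._error(404, "Not found")
        user_id, query = m.group(1), m.group(2) or ""

        if method == "GET" and user_id is None:
            # Existence probe before create: GET /Users?filter=userName eq "..."
            flt = parse_qs(query).get("filter", [""])[0]
            fm = _FILTER_RE.match(flt)
            if flt and not fm:
                return self._error(400, "Unsupported filter")
            hits = [u for u in self.users.values() if not fm or u["userName"] == fm.group(1)]
            return 200, {"schemas": [SCIM_LIST], "totalResults": len(hits), "startIndex": 1,
                         "itemsPerPage": len(hits), "Resources": hits}

        if method == "POST" and user_id is None:
            if not body or not body.get("userName"):
                return self._error(400, "userName is required")
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return self._error(409, "userName already exists")  # SCIM uniqueness conflict
            user = {"schemas": [SCIM_USER], "active": True, **body, "id": str(uuid.uuid4())}
            user["meta"] = {"resourceType": "User"}
            self.users[user["id"]] = user
            return 201, user

        user = self.users.get(user_id)
        if user is None:
            return self._error(404, "User not found")
        if method == "GET":
            return 200, user
        if method == "DELETE":
            del self.users[user_id]  # hard delete, sent after the soft-delete window
            return 204, None
        if method == "PATCH":
            if not body or SCIM_PATCH not in body.get("schemas", []):
                return self._error(400, "Expected PatchOp")
            for op in body.get("Operations", []):
                kind = op.get("op", "").lower()
                if kind in ("add", "replace"):
                    if "path" in op:
                        user[op["path"]] = _coerce(op["value"])  # e.g. path "active", value False
                    else:
                        for k, v in op["value"].items():
                            user[k] = _coerce(v)
                elif kind == "remove":
                    user.pop(op.get("path"), None)
            return 200, user
        return self._error(405, "Method not allowed")
```

The point to take from this for de-provisioning: unassignment arrives as a `PATCH` setting `active` to false, so your application must treat an inactive user as unable to sign in, not merely as a flag in the profile. Wire `handle()` behind TLS with a per-tenant token, and keep the `409` on duplicate `userName`, since the provisioning service relies on the probe-then-create sequence to stay idempotent.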
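For Option 2, the answer's delta query approach, the sync loop looks like this: follow `@odata.nextLink` until a page carries `@odata.deltaLink`, persist that link, and on the next run request it to receive only what changed, with deleted objects marked by `@removed`. This is an added example, not code from the answer or from Microsoft; the `DeltaSync` class, the `fake_fetch` function and the `SAMPLE_PAGES` responses (including the `$skiptoken`/`$deltatoken` values) are constructed so the loop runs offline, standing in for authenticated HTTPS GETs against Microsoft Graph.

```python
"""Delta-query sync loop for Microsoft Graph /users (constructed example, not
Microsoft code). `fetch` is any callable mapping a URL to a parsed JSON page;
the fake below replaces an authenticated Graph client so the loop runs offline."""

GRAPH = "https://graph.microsoft.com/v1.0"
FIRST_URL = f"{GRAPH}/users/delta?$select=id,userPrincipalName,accountEnabled"


class DeltaSync:
    def __init__(self, fetch):
        self.fetch = fetch      # callable: url -> dict (one Graph response page)
        self.delta_link = None  # persist this between runs in a real deployment
        self.users = {}         # Graph object id -> local account record

    def run(self):
        """Apply one round of changes; returns the number of entries processed."""
        # First run enumerates everything; later runs start from the stored deltaLink.
        url = self.delta_link or FIRST_URL
        applied = 0
        while url:
            page = self.fetch(url)
            for entry in page.get("value", []):
                self._apply(entry)
                applied += 1
            if "@odata.nextLink" in page:
                url = page["@odata.nextLink"]                 # more pages in this round
            else:
                self.delta_link = page["@odata.deltaLink"]    # checkpoint for next round
                url = None
        return applied

    def _apply(self, entry):
        uid = entry["id"]
        if "@removed" in entry:
            # Deleted directory object: de-provision the local account.
            self.users.pop(uid, None)
            return
        rec = self.users.setdefault(uid, {"upn": None, "active": True})
        # Change entries carry only the properties that changed, so merge rather than replace.
        if "userPrincipalName" in entry:
            rec["upn"] = entry["userPrincipalName"]
        if "accountEnabled" in entry:
            rec["active"] = bool(entry["accountEnabled"])


# Constructed Graph responses: two pages on the first round, one change page on the second.
SAMPLE_PAGES = {
    FIRST_URL: {
        "value": [{"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True}],
        "@odata.nextLink": f"{GRAPH}/users/delta?$skiptoken=page2",
    },
    f"{GRAPH}/users/delta?$skiptoken=page2": {
        "value": [{"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": True}],
        "@odata.deltaLink": f"{GRAPH}/users/delta?$deltatoken=round1",
    },
    f"{GRAPH}/users/delta?$deltatoken=round1": {
        "value": [
            {"id": "u2", "accountEnabled": False},           # Bob disabled in the directory
            {"id": "u1", "@removed": {"reason": "deleted"}},  # Alice deleted
        ],
        "@odata.deltaLink": f"{GRAPH}/users/delta?$deltatoken=round2",
    },
}


def fake_fetch(url):
    # Stand-in for an authenticated GET; a real client adds the OAuth bearer token.
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    sync = DeltaSync(fake_fetch)
    print("round 1 applied", sync.run(), sync.users)
    print("round 2 applied", sync.run(), sync.users)
```

Two things matter operationally: the stored `deltaLink` is the whole state of the sync, so losing it means a full re-enumeration, and a `@removed` entry with no other properties is the only de-provisioning signal you get, so the local account must be disabled on that alone. Note that unlike SCIM, delta query returns every user in the tenant, not only those assigned to your app, so the filtering the answer mentions is yours to implement.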