
I've set up Zoom and DocuSign with SSO and automatic provisioning in Azure AD Enterprise Applications. Just-in-Time provisioning works as expected after ensuring roles are correctly mapped. Automatic provisioning, however, only appears to add users the first time it runs. If I add an application user, change a user's application role, or remove the user from the application, nothing happens on the next provisioning run. I would expect the user to be added, the user's permissions to be updated at Zoom or DocuSign, or the user to be disabled.

Documentation seems to show that updates and deletes should be handled through provisioning. What am I missing?

My second question is whether how often the provisioning job runs can be changed. It is time consuming to test when I have to wait 40 minutes between tests.

1 Answer


Updates and deletes are handled if they are configured to be: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/configure-automatic-user-provisioning-portal#configuring-automatic-user-account-provisioning. In the screenshot, you'll see there are actions that it can target: create, update, delete. As a test, you should make sure the target actions are selected and try to change a different attribute, say add some characters to a name or something. It should trigger an update to the provider. I believe changes to the user itself will trigger the provisioning changes. The issue here is likely because app roles are specific to applications; they are not user or group attributes, so nothing has actually changed on that user object and it wouldn't detect any changes.

As per https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works#incremental-cycles, it will "Query the source system for any users and groups that were updated since the last watermark was stored." If I take that literally, then changing the app role isn't a change to a user or a group, so it won't trigger a delta sync change.

Deletes, however, should occur if you unassign the user from the application, as per here: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works#de-provisioning

As for your second question, I don't believe you can change the interval for the incremental schedules.

alphaz18
  • I gave feedback on feedback.azure.com that a role assignment change should cause a provisioning update. I have also created a support ticket with Microsoft about users not being created or de-provisioned during incremental updates. I'll report back if they manage to help resolve the issue, but I haven't had good luck with Microsoft support in the past. – Mark Davidson Jun 15 '20 at 21:54
  • Marking this as the answer as it points to documentation. User creation and deletion eventually started working on their own, which points to Microsoft having an issue while I was testing. Microsoft support indicated that a role change would most likely not trigger a provisioning update. Vote here if you would find it helpful too: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/40671856-changing-approleassignment-should-cause-provisioni – Mark Davidson Jun 16 '20 at 20:53
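The test the answer suggests, scripted as an added example (not code from the question, the answer or Microsoft): change a user's app role assignment, then modify an attribute on the user object itself so the next incremental cycle has a real user change to pick up. It assumes the Microsoft Graph PowerShell SDK, and the user principal name, enterprise app display name and app role name are placeholders to replace.

```powershell
# Added example: re-assign an app role and then "touch" a user attribute so the
# incremental provisioning cycle (which only queries users/groups changed since
# the last watermark) sees a change on the user object.
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All", "User.ReadWrite.All", "Application.Read.All"

$upn      = "user@example.com"   # placeholder: the user being tested
$appName  = "Zoom"               # placeholder: enterprise application display name
$roleName = "User"               # placeholder: app role display name defined on the app

$user = Get-MgUser -UserId $upn
$sp   = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
$role = $sp.AppRoles | Where-Object { $_.DisplayName -eq $roleName -and $_.IsEnabled }
if (-not $role) { throw "App role '$roleName' not found on '$appName'" }

# Drop the user's existing assignments for this app so exactly one role remains.
Get-MgUserAppRoleAssignment -UserId $user.Id |
    Where-Object { $_.ResourceId -eq $sp.Id } |
    ForEach-Object { Remove-MgUserAppRoleAssignment -UserId $user.Id -AppRoleAssignmentId $_.Id }

New-MgUserAppRoleAssignment -UserId $user.Id -PrincipalId $user.Id `
    -ResourceId $sp.Id -AppRoleId $role.Id | Out-Null

# The assignment lives on the app, not the user, so it is not a delta-sync change.
# Append a timestamped marker to a user attribute (department here, as an
# assumption) so the user object itself is modified; remove the marker afterwards.
$marker = " [provisioning-touch " + (Get-Date -Format "yyyyMMddHHmmss") + "]"
Update-MgUser -UserId $user.Id -Department ($user.Department + $marker)
```

After the next incremental cycle, check the provisioning logs for the user and then restore the original department value.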