Azure AD Sync Transform Map

09-26-2018 08:17 AM
We have recently set up an Azure AD integration with automatic user provisioning. I followed the steps at https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/servicenow-tutorial which included giving Azure admin credentials and having them automatically create an IDP. I see there was also a transform map created, but my question is, does Azure even use this transform map?
I've been seeing user fields getting set that are not even mapped in the transform map at all, and it looks like the admin account I gave them has been making SOAP transactions directly into our user table. It also appears these SOAP transactions are ignoring business rules. We have a business rule to check for duplicate email addresses, but this Azure SAML sync is bypassing it. Is there a way to make sure Azure only sets the user fields in the transform map, and that business rules are run on every transaction?
Labels: Integrations
02-28-2019 08:14 PM
Hi Chris - did you ever get an answer to this? I've noticed that the Transform map is ignored too. I suspect that the mapping is done on the AzureAD side of things.

03-01-2019 04:47 PM
Never got an answer from anyone else officially, but we did do some more testing and I became more familiar with the process. The transform map is indeed ignored and the Azure admin account will make direct web services calls into the user table. The mappings are configured on the Azure side using "Attribute Mappings". The schedule of the loads is pretty unpredictable, and the Azure AD admins have to ensure that when users are deprovisioned, they are set inactive prior to having their enterprise application role removed to ensure auto deprovisioning from ServiceNow. Even then, the service account would sometimes make bizarre transactions into ServiceNow that you have very little control over from my experience.
The part I mentioned about business rules was actually incorrect. Business rules are run on the Azure transactions, but sometimes Azure may do multiple transactions to update a single account so your business rule conditions would have to be set up to account for this.
Ultimately we decided to stick with LDAP authentication/provisioning, using regular AD and an LDAP server hosted on the Azure platform.
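The behaviour Chris describes (business rules do run, but the Azure provisioning account may send several separate transactions for one user) is exactly the case a duplicate-email business rule has to tolerate. The following is an added example, not code from this thread, from ServiceNow or from Microsoft. It models a "before insert/update" rule on the user table whose condition only fires when the e-mail value actually changes, and whose script excludes the record being written from the duplicate search. GlideRecord and gs are not available off-platform, so the records are plain objects, the rule returns a decision instead of calling current.setAbortAction(true), and the sequence of writes is constructed to resemble a connector's create-then-patch pattern; the field names sys_id, email and active are assumed.

```javascript
// Added example, not code from the thread or from ServiceNow/Microsoft.
// A duplicate-e-mail check for sys_user that survives multi-step provisioning
// updates. Records are plain objects standing in for GlideRecord rows.

function normaliseEmail(value) {
  return (value || '').trim().toLowerCase();
}

// Condition part of the rule: evaluate only on insert, or on an update that
// really changes the e-mail. A partial update touching other fields, or one
// that re-sends the same e-mail, must not trigger the check, otherwise the
// second or third call from the provisioning account fails spuriously.
function emailChanged(current, previous) {
  if (!previous) return true; // insert
  return normaliseEmail(current.email) !== normaliseEmail(previous.email);
}

// Script part of the rule: find another record with the same e-mail, skipping
// the record being written (the equivalent of addQuery('sys_id', '!=', current.sys_id)).
function findDuplicate(current, table) {
  const email = normaliseEmail(current.email);
  if (!email) return null;
  return table.find(r => r.sys_id !== current.sys_id && normaliseEmail(r.email) === email) || null;
}

// Apply one write the way the platform would: build "current" from the stored
// row plus the incoming values, run the rule, then abort or commit.
function applyWrite(table, op) {
  const previous = table.find(r => r.sys_id === op.sys_id) || null;
  const current = Object.assign({}, previous || {}, op.values, { sys_id: op.sys_id });
  if (emailChanged(current, previous)) {
    const dup = findDuplicate(current, table);
    if (dup) {
      // On-platform this would be gs.addErrorMessage(...) + current.setAbortAction(true)
      return { committed: false, reason: 'duplicate email ' + normaliseEmail(current.email) + ' on ' + dup.sys_id };
    }
  }
  if (previous) Object.assign(previous, current); else table.push(current);
  return { committed: true, reason: '' };
}

// Constructed scenario (assumed, not captured traffic): a create followed by
// two partial updates for the same user, a genuinely colliding create, and a
// deprovisioning update that only flips the active flag.
function runScenario() {
  const table = [];
  const ops = [
    { sys_id: 'u1', values: { user_name: 'alice', email: 'Alice@Example.com', active: true } },
    { sys_id: 'u1', values: { first_name: 'Alice', last_name: 'Example' } },     // e-mail untouched
    { sys_id: 'u1', values: { email: 'alice@example.com' } },                    // same e-mail re-sent
    { sys_id: 'u2', values: { user_name: 'alice2', email: 'alice@example.com', active: true } }, // real duplicate
    { sys_id: 'u1', values: { active: false } },                                 // deprovision
  ];
  return ops.map(op => applyWrite(table, op).committed);
}
```

Only the fourth write is rejected; the partial updates and the deprovisioning update for u1 commit because the e-mail did not change or still belongs to the same sys_id. A rule written as "abort whenever any record with this e-mail exists" would have rejected the third write and possibly left the provisioning run half-applied.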
03-17-2019 03:16 AM
Thanks for your reply and for sharing your experience, Chris! This has confirmed my understanding too. The issue you alluded to where the accounts get deactivated in the wrong sequence has caused issues for us too - it was escalated to Microsoft, who are apparently attempting to address this as a bug in future.
01-22-2020 12:19 AM
Hi Kevclark,
have you any feedback from MS yet?