Azure Group Provisioning : option to sync groups missing

Vanessa29
Tera Contributor

Hi All,

We're trying to set up User and Group Provisioning from Azure AD to ServiceNow.
We have SSO up and running, works like a charm.

Currently, we're testing the user provisioning.

We have 2 groups of users in Azure, one of all employees and one of "ITIL" users/employees.
The groups have been "allocated" to the application ServiceNow in Azure.

We have configured mapping for the User Synchronisation, and the users get created/updated etc. in ServiceNow. So far so good.

However, the option "Synchronize Azure Active Directory Groups to ServiceNow" is missing from our Azure tenant.


When I tried it out on a Test Azure tenant, it comes up:


Does anyone have any ideas as to why/what we're missing here?

Many thanks
Vanessa


Barb5
Mega Contributor

Having the exact same problem on our integration, ideas? 

Vanessa29
Tera Contributor

Hi Barb, unfortunately not yet. I asked a Microsoft Azure "expert" and he said that whether or not Group Synchronisation is allowed is determined by the target application, i.e. ServiceNow. I then opened a HI issue and ServiceNow said "this Microsoft Azure integration requires several configuration steps on its interface to allow the integration to work. These configurations are outside ServiceNow so there is very limited control over these settings". So in a bit of a deadlock at the moment 😞 Will let you know if anything changes.

Hello Barb,

Any update on this issue?

Barb5
Mega Contributor

Yes, there is an update, but not necessarily a satisfying one! First issue: if you are using a free Azure AD setup for POC work, it will not do group provisioning.

Second, all of a sudden the group mapping started to work. Now I know this is not magic, but we re-configured the provisioning a couple of times and each time it worked, so I am speculating that it was some change we made to the sys_user_group table or to the SSO identity provider that allowed the Azure ServiceNow application to open the group mapping.

Something we also saw was that if groups coming from Azure were already established in ServiceNow, and the name was not changed, Azure did not create new groups but applied the Microsoft GUID to the existing groups, but the names need to be exact.

Sorry our result was not more obvious in the solution.
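The observation in the reply above (existing ServiceNow groups are reused only when the name matches exactly; otherwise a duplicate is created) suggests a pre-check worth running before enabling group provisioning. The script below is an added example and not code from the thread, Microsoft or ServiceNow: it compares a list of Azure AD group display names with a list of ServiceNow sys_user_group names and separates exact matches from near-matches (same name apart from case or whitespace, which is where duplicates are likely) and from groups that do not exist yet. The group names and both lists are constructed sample data, and the normalization rule (casefold plus collapsed whitespace) is an assumption about what counts as "nearly the same", not the matching logic of either product.

```python
"""Pre-check Azure AD group names against ServiceNow sys_user_group names.

Exact matches are the groups that will be linked to an existing record;
near-matches are the ones at risk of being created a second time.
All inputs are constructed sample data, not exported from a real tenant.
"""
import unicodedata
from typing import Dict, List, Tuple

# Constructed sample data with hypothetical group names.
AZURE_GROUPS = [
    "ServiceNow Employees",
    "ServiceNow ITIL",
    "Service Desk",
    "Asset Managers",
]
SERVICENOW_GROUPS = [
    "ServiceNow Employees",   # exact match
    "servicenow itil",        # differs only in case
    "Service  Desk ",         # differs only in whitespace
    "Change Managers",        # unrelated existing group
]


def _normalize(name: str) -> str:
    # Assumed near-match rule: Unicode-normalize, casefold, and collapse
    # leading/trailing/internal whitespace to single spaces.
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def compare_groups(azure: List[str], servicenow: List[str]) -> Dict[str, list]:
    """Classify each Azure group name as exact, near (with the ServiceNow
    candidates it resembles) or missing relative to the ServiceNow list."""
    exact_names = set(servicenow)
    by_norm: Dict[str, List[str]] = {}
    for name in servicenow:
        by_norm.setdefault(_normalize(name), []).append(name)

    result: Dict[str, list] = {"exact": [], "near": [], "missing": []}
    for group in azure:
        if group in exact_names:
            result["exact"].append(group)
        elif _normalize(group) in by_norm:
            result["near"].append((group, by_norm[_normalize(group)]))
        else:
            result["missing"].append(group)
    return result


def report(result: Dict[str, list]) -> List[str]:
    """Render the classification as one line per Azure group."""
    lines: List[str] = []
    for g in result["exact"]:
        lines.append(f"OK       {g!r} matches an existing ServiceNow group")
    for g, candidates in result["near"]:
        lines.append(f"RENAME   {g!r} nearly matches {candidates!r}; fix one side before syncing")
    for g in result["missing"]:
        lines.append(f"NEW      {g!r} has no ServiceNow group; provisioning will create it")
    return lines


if __name__ == "__main__":
    for line in report(compare_groups(AZURE_GROUPS, SERVICENOW_GROUPS)):
        print(line)
```

Run it with the real names from the Azure application assignment and from sys_user_group in place of the sample lists; any line marked RENAME is a group to align on one side before the first provisioning cycle, so the GUID lands on the existing record instead of a duplicate.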