
Recommended method of Entra ID user provisioning to ServiceNow, Entra ID User Provisioning vs SCIM

Roar Refsland
Tera Expert

We are migrating from LDAP and MID user import to Entra ID User Provisioning. Any recommendations of method with our requirements listed below? Any pros and cons with Entra User Provisioning vs SCIM User Provisioning?

Searching the directory for user objects will be on both Organizational Unit (OU) and Group Membership, so we need to filter user imports on both of these. From on-prem AD we use LDAP Starting search directory (RDN) to narrow down OU search, and LDAP filter "memberOf:1.2.840.113556.1.4.1941:=CN=<Group name>" to narrow down AD Group Members.

We need to create new records on empty coalesce fields for location, department and cost center. Not a straightforward operation (as with LDAP) in early Entra ID User provisioning since these are reference fields in sys_user table. Also, we use onAfter transfer scripts to add a prefix to phone numbers.

From AD the current coalesce is sAMAccountName; moving to Entra ID we understand best practice is to move coalesce to UPN. In our environment email and UPN match, so either we could change coalesce to match email, or simply update userid with UPN (with value from email in sys_user) to avoid creating new user objects and sysids.

Currently we do not import Groups from Entra ID, which means that membership of Groups and OUs is determined on import and the user is added to the corresponding group in ServiceNow with the use of an onAfter script in the Transform Map.

Any input, experience on best practice and what to avoid (...) is much appreciated as we tried migrating little over a year ago, but reverted to LDAP because of the current (at that time) limitations with Entra ID User Provisioning where values from reference tables had to exist in order for import to be successful and starting directory relied on group memberships, not OUs.

@Steven Meissner has a great article on SCIM (Thanks for the great work, Steven!), but I am still uncertain if we need the SCIM plugin to achieve the requirements of Entra ID User Provisioning to ServiceNow as mentioned above.
Read the Blog article here: https://www.servicenow.com/community/developer-blog/scim-provisioning-from-microsoft-entra-id/ba-p/2...
