User provisioning with Azure AD

ssuhail
Tera Contributor

Hello!

We have LDAP integration in our ServiceNow instance where we have mapped "user_name" with "samAccountName" from AD. Ex: abcxxx

Recently our customer moved to Azure AD and we need to integrate with Azure now instead of LDAP. We integrated with Azure and are able to configure SSO and provision users (following the Microsoft docs). However, these newly provisioned users are duplicate records, i.e., from Azure the "user_name" field is mapped with the "User Principal Name" field, which is of the format lastname.firstname@companyname.com and does not match the former user_names.

I believe samAccountName is not available in Azure AD and by default the user_name is mapped with User Principal Name and cannot be changed in Azure.

Has anyone else encountered this, and how did you handle it?


Diana Blakey
Kilo Explorer

ssuhail - did you ever find a solution? I'm running into this same issue right now. The above reply from Vivek shows you where to change the mappings, but what Azure Active Directory attribute did you use for the username instead of userPrincipalName? I've tried samAccountName and user.onpremisessamaccountname and neither has worked; my provisioning keeps throwing a sync error "Synchronization is now in quarantine with execution frequency reduced."

I'm considering just switching the matching attribute to mail/email and then it should update the ServiceNow user_name field to userPrincipalName.

Appreciate any help!

@Diana, We did a workaround to prevent the duplicates from getting created.

Basically we exported the list of all active users from Azure (UPN, Email ID) and imported them into ServiceNow, replacing the user_name with the UPN in the users table based on Email ID (coalesce). Then we enabled Azure sync to update / create new users.

We did this for two reasons: one was to prevent duplicates, and the second was that after SSO integration the old user_name (samaccountname) does not matter, since the users will anyway use the UPN to log in to the Azure portal / ServiceNow. Also, all your old references will still work since the user records are still the same; just the user_name has changed. You just need to take some precautions while taking this approach, like disabling LDAP before making this change (else it will recreate the old ID once more), taking a scheduled downtime so that users don't get impacted, etc.

Hope it helps.

Cheers,

Suhail
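A way to dry-run the coalesce step of the workaround above before touching the users table (an added example, not code from this thread or from ServiceNow): it matches an exported Azure list of userPrincipalName and mail against sys_user rows on email, returns the user_name updates that are safe to apply, and flags the rows that would otherwise silently create a fresh record or merge the wrong identities. The sample data and the function name are constructed for the illustration.

```python
import csv
import io

# Constructed sample data (not from the thread). The Azure export carries
# userPrincipalName and mail; the ServiceNow rows carry the old user_name
# (sAMAccountName) and email. A duplicate already created by provisioning
# (u5) and a pair of records sharing one email (u2/u3) are included on purpose.
AZURE_EXPORT = """userPrincipalName,mail
doe.jane@example.com,jane.doe@example.com
roe.rick@example.com,rick.roe@example.com
smith.sam@example.com,sam.smith@example.com
hire.new@example.com,new.hire@example.com
"""
SERVICENOW_USERS = """sys_id,user_name,email,active
u1,jdoe,jane.doe@example.com,true
u2,rroe,rick.roe@example.com,true
u3,rroe2,rick.roe@example.com,false
u4,legacy,,true
u5,doe.jane@example.com,,true
u6,ssmith,sam.smith@example.com,true
"""

def plan_user_name_migration(azure_csv, snow_csv):
    """Coalesce on email and return (updates, conflicts).

    updates:   (sys_id, old_user_name, new_user_name) tuples safe to apply.
    conflicts: (reason, value) tuples to review before enabling Azure sync.
    """
    azure = {}
    for r in csv.DictReader(io.StringIO(azure_csv)):
        if r["mail"].strip():                       # UPN without mail cannot coalesce
            azure[r["mail"].strip().lower()] = r["userPrincipalName"].strip()
    by_email, owner_of = {}, {}
    for r in csv.DictReader(io.StringIO(snow_csv)):
        by_email.setdefault(r["email"].strip().lower(), []).append(r)
        owner_of[r["user_name"]] = r["sys_id"]      # who already holds a user_name
    updates, conflicts = [], []
    for mail, upn in azure.items():
        rows = by_email.get(mail, [])
        if not rows:                                 # sync would create a fresh record
            conflicts.append(("no_match_will_create", upn))
        elif len(rows) > 1:                          # coalesce key is not unique
            conflicts.append(("ambiguous_email", mail))
        elif owner_of.get(upn, rows[0]["sys_id"]) != rows[0]["sys_id"]:
            conflicts.append(("upn_already_in_use", upn))  # a duplicate exists already
        else:
            updates.append((rows[0]["sys_id"], rows[0]["user_name"], upn))
    return updates, conflicts
```

Run it against a real export only after LDAP sync is disabled, as the post says, otherwise the old IDs come straight back.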

Thanks Suhail! That makes sense. Very similar to the workaround I was considering: using email ID for the matching attribute in Azure provisioning, turning that on so all usernames are updated in Azure to UPN, then changing it back to UPN as the matching attribute in Azure AD for provisioning moving forward.

I have a meeting with a ServiceNow engineer today, if I learn of another workaround or solution I'll post it in here.

I appreciate your reply!

Diana Blakey