Azure User Provisioning - Adding department "create"

john_duchock
Kilo Guru

We are using Azure integration to create users, groups and group members.

Upon configuring the system, we found that if the cmn_department table was populated with the same values as are in Azure, the department field on the user record populated properly, however if the value on the user record in Azure does not exist in cmn_department, the user record would not be updated.

On a typical transform map, you can set "choice actions" to create, ignore and reject. If "create" is chosen, the transform map will create the necessary values in your table (much like discover creates new core_company records). However, I cannot seem to find where to set up ServiceNow to "create" new departments that come over on a user record from Azure.

Can anyone point me to a resource or explain what needs to be done (and if it should be done on the IDP transform map)?

Thanks

John

1 ACCEPTED SOLUTION

Mike91
Tera Expert

Hi John,

I've stumbled on your question here a year later with (I think) the same goal in mind: use Azure AD User Provisioning to add/create Departments that don't exist within your ServiceNow instance.

ServiceNow posted a Knowledge Base article that says that the Azure AD User Provisioning service is able to update sys_user or sys_group tables, but NOT cmn_ tables (such as cmn_department). Here's a link to the article that includes more information: https://hi.service-now.com/kb_view.do?sysparm_article=KB0655991

Another point I'd like to touch on was when you said "however if the value on the user record in azure does not exist in cmn_department, the user record would not be updated" - I believe this might be due to your setup in Azure AD. If you navigate to the ServiceNow integration from Azure AD, go to Manage > Provisioning > Mapping and click the name of the attributes mapping (ours is "Synchronize Azure Active Directory Users to ServiceNow"). Find Department on the list and click on it. If "Match objects using this attribute" is set to Yes, then I believe it will cause the behavior of skipping the update on the entire user record. I have this toggled to No and all of our users' profiles are updated, albeit with many errors where the Department field doesn't align with what's available in ServiceNow (due to a bigger issue with how our HR system tracks and feeds Departments and Business Units into AD).

Given the amount of time that has passed, I'm not sure that this response will prove useful to you, but I hope it will benefit others such as myself who stumble upon your question in the future. Did you ever resolve this?

Mike

19 REPLIES

Hello, did you find a solution to that problem?

I imported Groups from Azure AD. The name and description of the groups seem to be working fine, but the group members seem to have an issue and they look like this.

find_real_file.png

Hello,

Did you fix this problem? If so, please let us know.

Many thanks in advance!!!

Roy13
Mega Contributor

Hello Prerana,

I managed to solve this issue; the only thing I was missing was that I forgot to map the first name and last name when I was importing users into ServiceNow.

If the user does not have a first name/last name then it will display "empty".

Make sure that the users in the group have the first name and last name fields filled.

Hello Roy,

The integration is automatic, right? (We provide the service account credentials and all the users will be imported directly from Azure.) But is there any possibility to add some restrictions on user creation based on certain conditions in SNOW?

Please suggest how; this is a bit urgent.

Thank you

Roy13
Mega Contributor

Yes, we can do the restriction from either side. If you want to do it from AAD's side you can select the below option and manually assign Users/Groups that are to be provisioned.

find_real_file.png

If you want to do it from SNOW's side you will need to write a business rule (On insert) according to your needs.