Ivelina Kiryakova

Identity Provisioning: How to Get Users Based on Group Assignments from MS Azure AD

Filtering users and groups in MS Azure AD and provisioning them to target systems supported by Identity Provisioning is hardly any news for you. What might be news, however, is that you can combine filters to get users based on their group assignments. Moreover, you don’t need to add conditions in the default read transformation.

What used to be achieved by “condition-based” filtering (until now, to get users based on their group assignments, you had to define a condition for reading a specific group and set aad.user.attributes.membership.active to true) is now achieved by “property-based” filtering only.

For this, you need to set the aad.user.filter.group.filter.combine property to true. As its name implies, it combines the filters defined in the aad.user.filter and aad.group.filter properties. After running a Read or Resync job, the search result is narrowed down to users that match the user filter and at the same time are members of a group that matches the group filter.

Note: When combining filters, it is important that both the user filter and the group filter are defined. Otherwise, you will not get the expected result. For more information, see: List of Properties -> aad.user.filter.group.filter.combine.

Example Scenario Overview

Let’s start from the basic filtering capabilities that Identity Provisioning service provides. First, we’ll apply group and user filters separately without combining them. Then, we’ll combine both filters by adding aad.user.filter.group.filter.combine=true.

Prerequisites

  • In this example scenario, MS Azure AD is configured as a source system and Identity Authentication is configured as the target system.
  • A provisioning job has already been run. As a result, in Identity Authentication there are 180 users and 67 groups provisioned from MS Azure AD.
  • The following 3 users exist in MS Azure AD and Identity Authentication:
  Name            | City        | Country | Member of Group
  Sarah Williams  | Los Angeles | US      | Employee
  Stefan Schmidt  | Munich      | Germany | Employee, Procurement
  Michelle Brown  | Los Angeles | US      | Employee, Procurement

Filtering a Group

First, we’ll filter a group in MS Azure AD and provision it to Identity Authentication when aad.user.filter.group.filter.combine is not defined or is set to false.

1. On the Properties tab of your MS_Azure_AD source system, set aad.group.filter=displayName eq 'Procurement'.

2. On the Jobs tab, run the provisioning job and verify that only one group is read.

After applying the group filter, one group is read, and the remaining 66 groups that previously existed in Identity Authentication are deleted. All 180 users in MS Azure AD are read, but no users are deleted because a user filter is not yet defined.

3. In the User Groups section of your Identity Authentication tenant, verify that the Procurement group is created.

The Procurement group contains only two group members: Michelle Brown and Stefan Schmidt.

Filtering Users

Now, we’ll filter users in MS Azure AD and provision them to Identity Authentication when aad.user.filter.group.filter.combine is not defined or is set to false.

1. On the Properties tab of your MS_Azure_AD source system, set aad.user.filter=City eq 'Los Angeles'.

Keep the aad.group.filter property as-is.

2. On the Jobs tab, run the provisioning job and verify that only two users are read.

After applying the user filter, the two users matching it are read, and the remaining 178 users that previously existed in Identity Authentication are deleted.

3. In the User Management section of your Identity Authentication tenant, verify that the two users from Los Angeles – Michelle Brown and Sarah Williams, are read (the third user is the tenant administrator).

4. In the User Groups section of your Identity Authentication tenant, you will notice that Michelle Brown is the only member of the Procurement group. Stefan Schmidt (from Munich) is removed as a group member and deleted as a user because he doesn’t match the user filter City eq 'Los Angeles'.

User and Group Filtering Combined

Finally, we’ll combine the user and group filtering.

1. On the Properties tab of your MS_Azure_AD source system, set aad.user.filter.group.filter.combine=true.

Keep the aad.group.filter and aad.user.filter properties as they are.

2. On the Jobs tab, run the provisioning job and verify that only one user is read.

After combining both filters, one group – Procurement, and one user – Michelle Brown, are read.

Michelle Brown is the only user that matches the user filter City eq 'Los Angeles' and at the same time is a member of the group Procurement.

Although Sarah Williams matches the user filter (she is from Los Angeles), she is not a member of the group Procurement (she is a member of the group Employee). Therefore, her user is deleted.

Although Stefan Schmidt is a member of the group Procurement, he doesn’t match the user filter (he is from Munich). Therefore, his user is deleted when the user filter is applied. The group is updated.

3. In the User Management section of your Identity Authentication tenant, verify that Michelle Brown is the only user read from MS Azure AD (the second user is the tenant administrator).
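The three runs above (group filter only, user filter only, both filters combined) follow one rule: a user is read when it matches aad.user.filter and, with combine set to true, is additionally a member of at least one group that matches aad.group.filter; whatever is not read is deleted from the target. The following Python model is an added example, not code from the Identity Provisioning service: it re-implements that rule over a constructed copy of the three users from the scenario, accepts filters built from eq clauses joined by or (as the comments on this post mention), and, as an assumption, refuses combine=true when one of the two filters is missing, since the post only says the result is then unexpected.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    city: str
    country: str
    groups: frozenset

# Constructed sample directory mirroring the three users of the scenario (not a real tenant).
USERS = [
    User("Sarah Williams", "Los Angeles", "US", frozenset({"Employee"})),
    User("Stefan Schmidt", "Munich", "Germany", frozenset({"Employee", "Procurement"})),
    User("Michelle Brown", "Los Angeles", "US", frozenset({"Employee", "Procurement"})),
]
GROUPS = ["Employee", "Procurement", "Finance"]  # "Finance" is a constructed extra group

_CLAUSE = re.compile(r"^\s*(\w+)\s+eq\s+'([^']*)'\s*$")

def parse_filter(expr):
    """Turn "<attr> eq '<value>' [or <attr> eq '<value>' ...]" into a predicate over an
    attribute dict. A missing filter (None) matches everything, as an unset property does."""
    if expr is None:
        return lambda attrs: True
    clauses = []
    for part in expr.split(" or "):
        match = _CLAUSE.match(part)
        if not match:
            raise ValueError(f"unsupported filter clause: {part!r}")
        clauses.append((match.group(1), match.group(2)))
    return lambda attrs: any(attrs.get(attr) == value for attr, value in clauses)

def read_job(users, groups, user_filter=None, group_filter=None, combine=False):
    """Model one Read job: return (user names read, group names read) for the given
    aad.user.filter / aad.group.filter / aad.user.filter.group.filter.combine values."""
    if combine and (user_filter is None or group_filter is None):
        # Assumed guard: the post only says the result is unexpected when one filter is missing.
        raise ValueError("combine=true requires both aad.user.filter and aad.group.filter")
    group_ok = parse_filter(group_filter)
    user_ok = parse_filter(user_filter)
    groups_read = [g for g in groups if group_ok({"displayName": g})]
    users_read = [u for u in users
                  if user_ok({"displayName": u.name, "City": u.city, "Country": u.country})]
    if combine:  # keep only users who are members of at least one group that was read
        users_read = [u for u in users_read if u.groups & set(groups_read)]
    return [u.name for u in users_read], groups_read

if __name__ == "__main__":
    print(read_job(USERS, GROUPS, group_filter="displayName eq 'Procurement'"))
    print(read_job(USERS, GROUPS, "City eq 'Los Angeles'", "displayName eq 'Procurement'"))
    print(read_job(USERS, GROUPS, "City eq 'Los Angeles'", "displayName eq 'Procurement'", True))
```

The three calls in the main block reproduce the three runs of the scenario: all three users with only the Procurement group, then the two Los Angeles users, then Michelle Brown alone.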

Now, the floor is yours! You can test it out and share your feedback.

4 Comments

Istvan Bokor

      Nice and well-detailed documentation, thank you, Ivelina Kiryakova 🙂

namona lio

Go through all the details here on Identity Provisioning: How to Get Users Based on Group Assignments from MS Azure AD, as that was the main topic that you need to understand at this stage. We hope that users will be able to explore college-paper.org, which is good at writing papers for the sake of those who like it for now.

E. Schuiteman

Very nice blog, I was looking for this a long time, I set it up and it's working.

One question: is it also possible to filter on multiple groups or to filter, for example, on "Procurement*"?

Ivelina Kiryakova (Blog Post Author)

      Thanks E. Schuiteman,

      Filtering on multiple groups is possible by using the eq and or operators.

For example, if you want to filter three groups, provide the value of the aad.group.filter property as follows: displayName eq 'Procurement' or displayName eq 'Development' or displayName eq 'Operations'