Identity Provisioning: How to Get Users Based on Group Assignments from MS Azure AD
Filtering users and groups in MS Azure AD and provisioning them to target systems supported by Identity Provisioning is hardly any news for you. What might be news, however, is that you can combine filters to get users based on their group assignments. Moreover, you don’t need to add conditions in the default read transformation.
What used to be achieved by “condition-based” filtering (until now, to get users based on their group assignments, you had to define a condition in the read transformation for reading a specific group and set aad.user.attributes.membership.active to true) is now achieved by “property-based” filtering only.
For this, you need to set the aad.user.filter.group.filter.combine property to true. As its name implies, it combines the filters defined in the aad.user.filter and aad.group.filter properties. After running a Read or Resync job, the search result is narrowed down to users that match the user filter and at the same time are members of a group that matches the group filter.
Note: When combining filters, both the user filter and the group filter must be defined. Otherwise, you will not get the expected result. For more information, see List of Properties -> aad.user.filter.group.filter.combine.
Example Scenario Overview
Let’s start from the basic filtering capabilities that Identity Provisioning service provides. First, we’ll apply group and user filters separately without combining them. Then, we’ll combine both filters by adding aad.user.filter.group.filter.combine=true.
- In this example scenario, MS Azure AD is configured as a source system and Identity Authentication is configured as the target system.
- A provisioning job has already been run. As a result, in Identity Authentication there are 180 users and 67 groups provisioned from MS Azure AD.
- The following 3 users exist in MS Azure AD and Identity Authentication:
| Name | City | Country | Member of Group |
| --- | --- | --- | --- |
| Sarah Williams | Los Angeles | US | Employee |
| Stefan Schmidt | Munich | Germany | Employee, Procurement |
| Michelle Brown | Los Angeles | US | Employee, Procurement |
Filtering a Group
First, we’ll filter a group in MS Azure AD and provision it to Identity Authentication when aad.user.filter.group.filter.combine is not defined or is set to false.
1. On the Properties tab of your MS_Azure_AD source system, set aad.group.filter=displayName eq 'Procurement'.
2. On the Jobs tab, run the provisioning job and verify that only one group is read.
After applying the group filter, one group is read, and the remaining 66 groups that previously existed in Identity Authentication are deleted. All 180 users in MS Azure AD are read, but no users are deleted because a user filter is not yet defined.
3. In the User Groups section of your Identity Authentication tenant, verify that the Procurement group is created.
The Procurement group contains only two group members: Michelle Brown and Stefan Schmidt.
Filtering Users
Now, we’ll filter users in MS Azure AD and provision them to Identity Authentication when aad.user.filter.group.filter.combine is not defined or is set to false.
1. On the Properties tab of your MS_Azure_AD source system, set aad.user.filter=City eq 'Los Angeles'.
Keep the aad.group.filter property as-is.
Note: For performance reasons, define a user filter based on specific criteria, so that Identity Provisioning reads fewer users. Find something that the users you want to provision have in common, for example the domain of their email address, their department, or their organization.
If there is no such common attribute, there is no point in working around it with a filter such as aad.user.filter=userPrincipalName ge ' '. This filter means that you want to read all users; it is the same as defining no user filter. In this case, the job runs longer because users are first calculated internally based on the user filter, and then groups are calculated based on the group filter and the user members matching the user filter. As a result, only users that are members of the group(s) matching the group filter are provisioned.
2. On the Jobs tab, run the provisioning job and verify that only two users are read.
After applying the user filter, the two users matching it are read, and the remaining 178 users that previously existed in Identity Authentication are deleted.
3. In the User Management section of your Identity Authentication tenant, verify that the two users from Los Angeles, Michelle Brown and Sarah Williams, are read (the third user is the tenant administrator).
4. In the User Groups section of your Identity Authentication tenant, you will notice that Michelle Brown is the only member of the Procurement group. Stefan Schmidt (from Munich) is removed as a group member and deleted as a user because he doesn’t match the user filter City eq 'Los Angeles'.
User and Group Filtering Combined
Finally, we’ll combine the user and group filtering.
1. On the Properties tab of your MS_Azure_AD source system, set aad.user.filter.group.filter.combine=true.
Keep the aad.group.filter and aad.user.filter properties as they are.
2. On the Jobs tab, run the provisioning job and verify that only one user is read.
After combining both filters, one group (Procurement) and one user (Michelle Brown) are read.
Michelle Brown is the only user that matches the user filter City eq 'Los Angeles' and at the same time is a member of the group Procurement.
Although Sarah Williams matches the user filter (she is from Los Angeles), she is not a member of the group Procurement (she is a member of the group Employee). Therefore, her user is deleted.
Although Stefan Schmidt is a member of the group Procurement, he doesn’t match the user filter (he is from Munich). Therefore, his user is deleted when the user filter is applied. The group is updated.
3. In the User Management section of your Identity Authentication tenant, verify that Michelle Brown is the only user read from MS Azure AD (the second user is the tenant administrator).
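To make the three runs above (group filter only, user filter added, both filters combined) and the performance note easy to reason about, here is an added Python model of how the three properties narrow the result set. It is not Identity Provisioning's own code: the users, groups and email addresses are constructed sample data (three users from the table plus two filler users instead of 180), only the eq and ge operators are modelled, and attribute names in filters are matched case-insensitively, which is an assumption made for this model.

```python
"""Added model (not Identity Provisioning product code) of how aad.user.filter,
aad.group.filter and aad.user.filter.group.filter.combine narrow the users and
groups a Read job provisions from MS Azure AD. All data below is constructed."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class User:
    displayName: str
    city: str
    country: str
    userPrincipalName: str


@dataclass(frozen=True)
class Group:
    displayName: str
    members: frozenset  # userPrincipalName values of the group members


# Constructed sample directory: the three users from the scenario table plus two
# filler users, so that "all users" is visibly larger than the filtered set.
USERS = (
    User("Sarah Williams", "Los Angeles", "US", "sarah.williams@example.com"),
    User("Stefan Schmidt", "Munich", "Germany", "stefan.schmidt@example.com"),
    User("Michelle Brown", "Los Angeles", "US", "michelle.brown@example.com"),
    User("Ana Lopez", "Madrid", "Spain", "ana.lopez@example.com"),
    User("Tom Baker", "London", "UK", "tom.baker@example.com"),
)
GROUPS = (
    Group("Employee", frozenset(u.userPrincipalName for u in USERS)),
    Group("Procurement", frozenset({"stefan.schmidt@example.com", "michelle.brown@example.com"})),
    Group("Finance", frozenset({"ana.lopez@example.com"})),
)

FILTER_RE = re.compile(r"\s*(\w+)\s+(eq|ge)\s+'(.*)'\s*")


def parse_filter(expr):
    """Turn a minimal OData filter "<attribute> eq|ge '<value>'" into a predicate.
    Only the two operators used in the article are supported; attribute names are
    matched case-insensitively (an assumption of this model, not of the product)."""
    m = FILTER_RE.fullmatch(expr)
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    attr, op, value = m.groups()

    def predicate(obj):
        fields = {k.lower(): v for k, v in vars(obj).items()}
        actual = fields[attr.lower()]
        return actual == value if op == "eq" else actual >= value

    return predicate


def validate_properties(props):
    """Return the configuration problems the article's note warns about (empty = OK)."""
    problems = []
    combine = props.get("aad.user.filter.group.filter.combine", "false").lower() == "true"
    if combine and not props.get("aad.user.filter"):
        problems.append("combine=true but aad.user.filter is not defined")
    if combine and not props.get("aad.group.filter"):
        problems.append("combine=true but aad.group.filter is not defined")
    return problems


def read_job(props, users=USERS, groups=GROUPS):
    """Simulate one Read job: which users and groups end up provisioned, and how
    many users had to be read from the source to get there."""
    problems = validate_properties(props)
    if problems:
        raise ValueError("; ".join(problems))
    user_filter = props.get("aad.user.filter")
    group_filter = props.get("aad.group.filter")
    combine = props.get("aad.user.filter.group.filter.combine", "false").lower() == "true"

    # Step 1: users are selected by the user filter (no filter = every user is read).
    read_users = [u for u in users if not user_filter or parse_filter(user_filter)(u)]
    # Step 2: groups are selected by the group filter.
    matched_groups = [g for g in groups if not group_filter or parse_filter(group_filter)(g)]
    # Step 3 (combine=true only): keep just the users that belong to a matched group.
    provisioned = read_users
    if combine:
        allowed = frozenset().union(*(g.members for g in matched_groups))
        provisioned = [u for u in read_users if u.userPrincipalName in allowed]
    # Group memberships can only reference users that were actually provisioned.
    names = {u.userPrincipalName: u.displayName for u in users}
    kept = {u.userPrincipalName for u in provisioned}
    return {
        "users_read_from_source": len(read_users),
        "users": sorted(u.displayName for u in provisioned),
        "groups": {g.displayName: sorted(names[m] for m in g.members & kept) for g in matched_groups},
    }


if __name__ == "__main__":
    base = {"aad.group.filter": "displayName eq 'Procurement'"}
    la = {**base, "aad.user.filter": "City eq 'Los Angeles'"}
    runs = {
        "group filter only": base,
        "user filter added, combine unset": la,
        "both filters combined": {**la, "aad.user.filter.group.filter.combine": "true"},
        "combined with catch-all user filter": {**base, "aad.user.filter": "userPrincipalName ge ' '",
                                                "aad.user.filter.group.filter.combine": "true"},
    }
    for label, props in runs.items():
        print(f"{label}: {read_job(props)}")
```

The fourth run reproduces the performance note: with the catch-all filter userPrincipalName ge ' ' every user is read from the source before the group filter narrows the result, so the output is correct but the job does the most work. Running validate_properties on a configuration that sets combine=true without a user filter reports the misconfiguration the note at the top of the article describes.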
Now, the floor is yours! You can test it out and share your feedback.