Skip to Content
Technical Articles
Author's profile photo Badri krishna NMS

Bidirectional integration between SAP SuccessFactors & Azure Active Directory in Microsoft Azure Enterprise applications – Part 1 – Technical configuration for SAP SuccessFactors to Azure Active Directory user provisioning

This blog is a continuation of the “Bidirectional Integration between SAP SuccessFactors & Azure Active Directory in Microsoft Azure Enterprise applications – Automatic email id creation and manage the Azure AD identity life cycle of users between SAP SuccessFactors <-> Azure AD“.

In section, we will focus on the Technical configuration for SAP SuccessFactors to Azure Active Directory user provisioning.

Bidirectional integration between SAP SuccessFactors & Azure Active Directory in Microsoft Azure Enterprise applications
Part 1 – Technical configuration for SAP SuccessFactors to Azure Active Directory user provisioning
Part 2 – Technical configuration for SuccessFactors Writeback


For this demonstration, I have already created an Azure AD tenant and using SAP SuccessFactors & Azure  trail account for the POC.

Steps need to perform in SAP SuccessFactors

Step 1: Create an API user in SuccessFactors

Create a API user creation (Example : sfapi2) request to the SuccessFactors admin .

Step 2: Create an API permissions role

2.1 Log in to SAP SuccessFactors with a user account that has access to the Admin Centre.

2.2 Search for Manage Permission Roles, then select Manage Permission Roles from the search results.

2.3 From the Permission Role List, click Create New.








2.4 Add a Role Name and Description for the new permission role. The name and description should indicate that the role is for API usage permissions.

2.5 Under Permission settings, click Permission.

2.6 Scroll down the permission list and click Manage Integration Tools. Check the box for Allow Admin to Access to OData API through Basic Authentication.


2.7 Scroll down in the same box and select Employee Central API. Add permissions as shown below to read using ODATA API and edit using ODATA API. Select the edit option as we plan to use the same account for the Writeback to SuccessFactors scenario.

2.8 In the same permissions box, go to User Permissions -> Employee Data and review the attributes that the service account can read from the SuccessFactors tenant.

Review the attributes “Employee Profile ” and select the Email and Check the box for the read and write.

Make sure read option is enable for all attributes.


2.9 Click on Done. Click Save Changes.


Step 3: Create a Permission Group for the API user


3.1 In the SuccessFactors Admin Center, search for Manage Permission Groups, then select Manage Permission Groups from the search results.

3.2 From the Manage Permission Groups window, click Create New.


3.3 Add a Group Name for the new group. The group name should indicate that the group is for API users.


3.4 Add SFAPI2 user to the group.


3.5 Click Done to finish creating the Permission Group.


Step 4: Grant Permission Role to the Permission Group


4.1 In SuccessFactors Admin Center, search for Manage Permission Roles, then select Manage Permission Roles from the search results.

4.2 From the Permission Role List, select the role that you created for API usage permissions.

4.3 Under Grant the role , click Add button.

4.4 Select Permission Group from the drop-down menu, then click Select to open the Groups window to search and select the group created above.

4.5 Review the Permission Role grant to the Permission Group.

4.6 Click Save Changes.

Steps need to perform in Microsoft Azure AD

Step 5:  Add the provisioning connector app and download the Provisioning Agent

5.1 Login azure portal

5.2 In the left navigation bar, select Azure Active Directory

5.3 Select Enterprise Applications

5.4 Click on All application and Select Add new application

5.5 Search for “SuccessFactors to Azure Active Directory User Provisioning” and select

5.6 Click on create and add that app from the gallery.


5.7 Wait till adding the application “SuccessFactors to Azure Active Directory User Provisioning “


5.8 After the app is added and the app details screen is shown, select Provisioning


5.9 Change the Provisioning Mode to Automatic

5.10  Complete the Admin Credentials section as follows and click the Test Connection button.

5.11  If the connection test succeeds, click the Save button at the top. If it fails, double-check that the SuccessFactors credentials and URL are valid.


5.12 Once the credentials are saved successfully, the Mappings section will display the default mapping Synchronize SuccessFactors Users to Azure Active Directory

Step 6: Configure attribute mappings

6.1 On the Provisioning tab under Mappings, click Synchronize SuccessFactors Users to Azure Active Directory.

6.2 In the Source Object Scope field, you can select which sets of users in SuccessFactors should be in scope for provisioning to Azure AD, by defining a set of attribute-based filters.

The default scope is “all users in SuccessFactors”

6.3 In the Target Object Actions field, you can globally filter what actions are performed on Active Directory. Create and Update are most common.

6.4 In the Attribute mappings section, you can define how individual SuccessFactors attributes map to Active Directory attributes.

6.5 Click on an existing attribute mapping to update it, or click Add new mapping at the bottom of the screen to add new mappings.

6.6 To save your mappings, click Save at the top of the Attribute-Mapping section.

Once your attribute mapping configuration is complete, you can now enable and launch the user provisioning service.


Once the SuccessFactors provisioning app configurations have been completed, you can turn on the provisioning service in the Azure portal.


Step 7: Enable and launch user provisioning


7.1 In the Provisioning tab, check the status.

7.2 set the Provisioning Status to On and Click Save.


7.3 This operation will start the initial sync, which can take a variable number of hours depending on how many users are in the SuccessFactors tenant. You can check the progress bar to the track the progress of the sync cycle.



7.4 At any time, check the Audit logs tab in the Azure portal to see what actions the provisioning service has performed. The audit logs lists all individual sync events performed by the provisioning service, such as which users are being read out of Workday and then subsequently added or updated to Active Directory.


7.5 Once the initial sync is completed, it will write an audit summary report in the Provisioning tab, as shown below.


Jump to Part 2 – Technical configuration for SuccessFactors Writeback to continue with the Technical configuration for SuccessFactors Writeback.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Simon Bolton
      Simon Bolton

      Hello! I've followed this guide but when I enable provisioning in the end it says that the initial sync is quarantined. “One or more invalid property names found in Successfactors schema. Please verify the property names in the Admin Center > OData API Data Dictionary or entity metadata in Successfactors portal. Ensure there are no data model changes that would cause this error and please execute a refresh metadata to ensure the cache is not corrupted.”

      I have tried to do the refresh but it doesn't help. Can you help me?

      Author's profile photo Badri krishna NMS
      Badri krishna NMS
      Blog Post Author

      looks like new issue and could you please check the below notes

      2883171 - COE_PROPERTY_NOT_FOUND: [COE0021]Invalid property names: EmpJob/emplStatus. - OData API

      Author's profile photo Mike Baker
      Mike Baker

      is there any guidance on integration of multiple Azure ADs in the realm of M&A and business segmentation for user provisioning / JML?

      Author's profile photo Prakash Jeevakala
      Prakash Jeevakala

      Hi Badri Krishna,


      We are trying with the same setup to configure Azure AD with successfactors but receiving below error and not moving ahead.


      Can you pls help if  is there a specific way to providing the URL format ?


      Testing connection to SuccessFactors to Active Directory User Provisioning

      You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account.


      Error code: SuccessFactorsInvalidBaseAddress

      Details: The remote name could not be resolved

      Request-id: 897a950b-32ab-447c-8068-eda5ef82d91a

      Author's profile photo Peter Munt
      Peter Munt


      great blog and thanks for contributing it.

      So point 5.10  .  where you begin the steps for Automatic Provisioning there is another steps whereby the Azure AD Provisioning Agent must be installed on a domain-joined Windows server to it to work.

      You have not shown the additional elements for Active Directory Domain and Default OU for New Users.

      Without that it will not work.