Azure AD User auto provision in Salesforce

AROHAN BHATTACHARJYA 1 Reputation point
2020-09-21T01:57:11.127+00:00

Hi Team,

I have one Salesforce profile and one permission set in Salesforce. As per the requirement, there are two user personas in our Salesforce application.

Persona 1 -> SF Profile
Persona 2 -> SF Profile + Permission Set

To achieve the above configuration using Azure AD auto-provisioning, we have created two security groups and added the relevant business users to those two groups. Currently, we are struggling to determine the best approach for assigning the Salesforce permission set to the users in the "Persona 2" group.

Please suggest on this asap.


2 answers

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-09-21T06:11:48.127+00:00

    Hi @AROHAN BHATTACHARJYA

    You can see all the supported attributes here:

    Azure AD > Enterprise Applications > Salesforce > Mapping > Provision Azure Active Directory Users > Click on Add New Mapping link and under Source attribute drop down.

    The attribute list for Azure Active Directory doesn't include group membership attribute. You can request additional attributes you would like to see supported here.

    As of now, you can only use appRoles to provision users in Salesforce with specific roles.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-09-28T10:34:53.687+00:00

    Hello @AROHAN BHATTACHARJYA, you can update the Salesforce app manifest via App Registration to add a custom role for each persona type. Please refer to the example below:

    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "displayName": "ConsumerApps",
            "id": "47fbb575-859a-4941-89c9-0f7a6c30beac",
            "isEnabled": true,
            "description": "Consumer apps have access to the consumer data.",
            "value": "Consumer"
        }
    ],

    While assigning user to Salesforce enterprise app, you can select this role or edit already assigned users to assign this role.

    Although expressions can be built to pass multiple roles for a user, for Salesforce we strongly recommend using the default mapping, which is SingleAppRoleAssignment. Refer to this document for more details.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
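An added example, not from the thread or from Microsoft, that lints a manifest's appRoles for user-assignability (a role whose allowedMemberTypes lacks "User" can only be given to service principals) and resolves the single role per user that the SingleAppRoleAssignment mapping expects to a Salesforce persona. The role values, ids and the Salesforce profile/permission-set table are constructed assumptions.

```python
import json

# Constructed sample manifest (not from the thread): one app role per persona,
# plus an application-only role to show what the lint catches. Ids are placeholders.
MANIFEST = json.loads("""{"appRoles": [
  {"allowedMemberTypes": ["User"], "displayName": "Persona 1", "isEnabled": true,
   "id": "00000000-0000-0000-0000-000000000001", "value": "Persona1",
   "description": "Salesforce profile only"},
  {"allowedMemberTypes": ["User"], "displayName": "Persona 2", "isEnabled": true,
   "id": "00000000-0000-0000-0000-000000000002", "value": "Persona2",
   "description": "Salesforce profile plus permission set"},
  {"allowedMemberTypes": ["Application"], "displayName": "ConsumerApps", "isEnabled": true,
   "id": "00000000-0000-0000-0000-000000000003", "value": "Consumer",
   "description": "Service principals only; not assignable to users"}]}""")

# Hypothetical persona table on the Salesforce side: role value -> profile and
# permission sets (names are constructed).
PERSONAS = {
    "Persona1": {"profile": "Standard User", "permission_sets": []},
    "Persona2": {"profile": "Standard User", "permission_sets": ["Persona2_Extras"]},
}

def lint_app_roles(manifest):
    """Map role value -> reasons it cannot be used for user provisioning."""
    problems = {}
    for role in manifest["appRoles"]:
        reasons = []
        if "User" not in role.get("allowedMemberTypes", []):
            reasons.append("allowedMemberTypes lacks User")  # service principals only
        if not role.get("isEnabled", False):
            reasons.append("role is disabled")
        if reasons:
            problems[role.get("value")] = reasons
    return problems

def single_app_role_assignment(role_values):
    """One-role-per-user rule that SingleAppRoleAssignment relies on. Assumption:
    an ambiguous user is refused here rather than guessing which role Azure AD emits."""
    if len(role_values) != 1:
        raise ValueError(f"expected exactly one app role, got {sorted(role_values)}")
    return next(iter(role_values))

def salesforce_access(role_values):
    """Resolve a user's single app role to its Salesforce profile and permission sets."""
    role = single_app_role_assignment(role_values)
    if role in lint_app_roles(MANIFEST) or role not in PERSONAS:
        raise ValueError(f"{role!r} is not a user-assignable persona role")
    return PERSONAS[role]
```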