Azure AD User Provisioning
  • 4 Minutes to read
  • PDF

Azure AD User Provisioning

  • PDF

About this document

This document includes the step-by-step procedure to enable user provisioning in Azure AD for SAFE People.
Once provisioned, SAFE can regularly sync the users' list with Azure AD as users join or leave the organization or their attributes like Department and Location change.

This page provides the procedure to enable user provisioning for SAFE People.


  • The organization should be onboarded to SAFE Me. Contact the SAFE Support team to onboard your organization to SAFE Me.
  • All the users' domains should be mapped to the organization.
  • Get the Bearer Token from the SAFE support team. For authenticating provisioning API calls to SAFE Me, the organization's Active Directory needs a Bearer Token specific to a particular organization. Currently, the SAFE Support team manually generates this token. Contact the SAFE Support team to get the Bearer Token for your organization.

Configure Azure AD User Provisioning

To configure the user provisioning, perform the following steps on the Azure portal:

If the enterprise application has already been created in Azure for SAFE SSO, steps 1 to 9 for creating a new application are not required. You can directly go to step 10 of this document i.e., add the users and groups to the existing enterprise application.

  1. Navigate to
  2. Click the Azure AD Active Directory from the Azure Services List.
  3. Click the Enterprise Application from the left-navigation
  4. Click the New Application button to create a new Enterprise Application.
  5. Click the Create your Own application button.
  6. Enter a name for the application as SAFE Me.
  7. Select the option "Integrate any other application you don't find in the gallery (Non-gallery)".
  8. Click the Create button.
  9. Once the application is successfully created, the system redirects you to the Applications Home Page.
  10. Click the Users and Groups from the left navigation to start assigning Users to the Application. You can assign any number of users to the application enabling them to use SAFE Me.
  11. Click the Add User/Groups
  12. Select Users from the list
  13. Click the Assign button
  14. The system displays the list of assigned users/groups. These users are now eligible to use SSO and also be synced to SAFE Me along with their details via user provisioning.
  15. Click the Provisioning from left navigation.
  16. Click the Get Started button
  17. Select the Provisioning Mode as Automatic
  18. Under Admin Credentials, enter the Tenant URL as and Bearer Token provided by the SAFE Support team.
  19. Click the Test Connection button.
  20. Once the connection is verified, click the Save button.
  21. If the system displays an error, then either the URL or the token is wrong. Please recheck the URL and validate the token with the SAFE Support team.
  22. Once the credentials are saved, Go to the Mapping section.
  23. The system displays two types of mappings, Provision Azure Active Directory Groups and Provision Azure Active Directory Users; both are enabled by default.
  24. Click the Provision Azure Active Directory Groups and disable it by setting the toggle switch to No.
  25. Click the Save button.
  26. Go to Provision Azure Active Directory Users and enable it by setting the toggle switch to Yes.
  27. Mark all the Target Object Actions (Create, Update and Delete) checkboxes.
  28. Go to the Attribute Mapping section and make sure the supported attributes in SAFE Me are selected with the exact mapping.
  29. You can add new mappings by clicking Add new mapping and remove any mapping from defaults that are not in the list by clicking the Delete button corresponding to the mapping.
  30. For attributes where Mapping Type is Direct, you need to select the source attribute from the list, and for other attributes where Mapping Type is Expression you need to put the value from the table as an expression.

    Mapping TypeSource Attribute Value / ExpressionTarget Attribute
    ExpressionSwitch([IsSoftDeleted], , "False", "True", "True", "False")active
    ExpressionJoin(" ", [givenName], [surname])name.formatted
    Directmailemails[type eq "work"].value
    Directcountryaddresses[type eq "work"].country
  31. We only use 2 attributes with Expression mapping type - name.formatted and active and they are present in the list by default.
  32. For Match object using this attribute, select No for all except the userName.
  33. Among the above attributes - ‘userName’, ‘emails[type eq "work"].value’, ‘externalId’ and ‘active’ are Required. Rest are optional. Any additional attributes that are kept/added there will be ignored. Ideally, this is how it should look like.
  34. Click the Save and then Yes. The system displays a success message at the top right corner.
  35. Now on the Provisioning screen, turn the toggle for Provisioning Status to On and click Save and confirm. You will see a success toast message on the top right.
  36. Now the setup is done, the provision cycle should start in some time. Initially, on the provisioning screen, you will see a message Initial cycle is not run, and clicking the View Provisioning Logs displays empty logs.
  37. Once the provisioning cycle is completed, you will see a new message on provisioning screen "Initial Cycle Completed" and by clicking the View Provisioning Logs you can see the users that got created (and later on updated) and also check if there are any failures.

  38. Provisioning is now all set up, and the user's data will automatically be synced with SAFE Me. Now, if any supported attribute for a provisioned User changes in Azure AD, it will reflect in SAFE Me in some time automatically.
  • Provisioning will happen automatically after an interval of 40minutes (by default).
  • An admin can trigger provisioning for any user at any given point in time by clicking the Provision on Demand button available on the Provisioning Screen and then selecting a user and clicking the Provision button.
  • At any point in time, you can start and stop provisioning. You can also Restart provisioning, which will start the process all over again and create the users in the Target Application. If some users already exist in the target application with the same userName/id, they will be skipped.

Was this article helpful?

What's Next