Table of Contents
I. PrerequisitesII. Instructions for InstallationIII. Instructions for ConfigurationIV. Syncing Users and GroupsV. Provisioning of External UsersVI. Attributes That Can Be ModifiedVII. On-Demand Provisioning (Users Only)
To set up your Azure AD for automatic syncing of users and groups, you must have:
In its current release, the account must be in coordination with the Bentley User Provisioning product team in order to set this up for your account. This application is not a replacement for federation.
II. Instructions for Installation
1. Reach out to the Bentley User Provisioning Team by emailing email@example.com to start this process. Once coordinated with the team, they will provide you with a 90-day secret token that you can use to enable this application on your Azure Active Directory. This token process will be replaced once it is offered on the MS store, where the authentication process will be slightly different.
2. In the Azure portal, in the left navigation panel, select Azure Active Directory.
4. Go to Enterprise applications, and then select All applications.
5. To add a new application, select the New application button at the top of the pane.
6. Search "Bentley - Automatic User Provisioning" and click on this application.
7. Now you can access on your application's homepage. Proceed to the next section to configure your application.
III. Instructions for Configuration
This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups based on user and/or group assignments in Azure AD.
2. Click "Get Started".
4. Set the Provisioning Mode to Automatic.
5. Under the Admin Credentials section, input https://userprovisioning.bentley.com/scim in the section titled Tenant URL. Input the SCIM Authentication Token value retrieved earlier in the Secret Token section. Click Test Connection to ensure Azure AD can connect to Bentley. If the connection fails, ensure your Bentley account has Admin permissions and try again.
6. Under the "Settings" area, there is a Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox - Send an email notification when a failure occurs.
7. Scroll to the top and click Save.
8. To enable the Azure AD provisioning service for Bentley, change the Provisioning Status to On in the Settings
9. Define the users and/or groups that you would like to provision to Bentley by choosing the desired values in Scope in the Settings.
10. When you are ready to provision, click Save.
This operation starts the initial synchronization of all users and/or groups defined in Scope in the Settings section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the Synchronization Details section to monitor progress and follow links to the provisioning activity report, which describes all actions performed by the Azure AD provisioning service into IMS.
For more information on how to read the Azure AD provisioning logs, see Reporting on automatic user account provisioning.
IV. Syncing Users and Groups
If while configuring the application it was selected to sync only the assigned users and groups, then those users/groups need to be added to the application manually.
Microsoft currently does not allow for the ability to sync nested groups through enterprise applications.
The Requirement is :
To add users/groups to the Bentley User Provisioning Application:
Users and groups will be synchronized on the next provision run.
V. Provisioning of External Users
In the future, we are exploring the possibility to sync external users, but in its current state, we do not allow external users to be synced into IMS by using this tool. We will provide updates as new releases come out when this ability is added.
VI. Attributes That Can Be Modified
You can update user details through Azure AD and those attributes will be automatically updated in User Management after next Provision run.
User Attributes that can be updated:
Group attributes that can be updated:
VII. On-Demand Provisioning (Users Only)
1. Go to Provision section of the Application in Azure Portal:
2. Click On-Demand Provision – new page should open:
3. Enter the user you want to Provision/update Attributes and click Provision:
4. The user should be provisioned instantly and the results are shown on the same page.