
Currently we are using SAML SSO: the client creates the Azure Enterprise App, provides us with the tenantId, appId and certificate, and its users can log in to us through their Microsoft account.

Can we use the same or a similar integration in the background to get access to the users who are assigned to our Enterprise application?

Currently they do an Application Registration according to our instructions, with a permission of the Directory.Read.All type, and give us the tenantId, clientId and clientSecret. Many do not want to give us access to the entire AD (though they do know how to assign groups/users to our application in the Enterprise App), and reading the entire AD for large clients takes a lot of time.

Where should we read this from? Ideally, using exactly the same application that is used for SSO.

1 Answer


SAML is for authentication. The most you can do is auto-provision a user who has authenticated but is not yet in the SP database, using the claims that the user provides.

If you want something like user provisioning, use SCIM.

https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups

Daniel
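To make the answer's SCIM suggestion concrete, here is an added example (not part of the question, the answer, or Microsoft's documentation) of a minimal SCIM 2.0 /Users endpoint written against Python's standard library only. It handles the three calls the provisioning service relies on: a GET with a `userName eq "..."` filter to check whether a user already exists, a POST to create the user, and a PATCH to update or deactivate it (Azure AD deprovisions by setting `active` to false rather than deleting). The secret token, the `/scim/v2` URL prefix, the in-memory store and the user data are all constructed assumptions; a real service provider would persist users in its own database, serve over HTTPS, and support the richer filters and attribute paths the provisioning service can send.

```python
# Minimal SCIM 2.0 /Users endpoint (stdlib only): GET with userName filter, POST create, PATCH update.
import hmac, json, re, uuid
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
# Constructed secret standing in for the "Secret Token" set on the enterprise app's Provisioning blade.
SECRET_TOKEN = "constructed-example-bearer-token"
# Only the filter shape used for the existence check: userName eq "value"
FILTER_RE = re.compile(r'^(\w+)\s+eq\s+"([^"]*)"$')

def scim_error(status, detail):
    return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}

def _coerce(attr, value):
    # Assumption: tolerate "active" arriving as the strings "True"/"False" as well as a real boolean,
    # so a stringly-typed deactivate disables the account instead of being truthy and enabling it.
    if attr == "active" and isinstance(value, str):
        return value.lower() == "true"
    return value

class UserStore:
    def __init__(self):
        self.users = {}  # in-memory stand-in for the service provider's user table

    def create(self, payload):
        user_name = payload.get("userName")
        if SCIM_USER not in payload.get("schemas", []) or not user_name:
            return scim_error(400, "core User schema and userName are required")
        if any(u["userName"].lower() == user_name.lower() for u in self.users.values()):
            return scim_error(409, "userName already exists")  # uniqueness conflict
        user = {"schemas": [SCIM_USER], "id": str(uuid.uuid4()), "userName": user_name,
                "externalId": payload.get("externalId"),  # Azure AD object id of the user
                "active": _coerce("active", payload.get("active", True))}
        self.users[user["id"]] = user
        return 201, user

    def query(self, filter_str=None):
        matches = list(self.users.values())
        if filter_str:
            m = FILTER_RE.match(filter_str.strip())
            if not m:
                return scim_error(400, "unsupported filter")
            attr, value = m.groups()
            matches = [u for u in matches if str(u.get(attr, "")).lower() == value.lower()]
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(matches), "startIndex": 1,
                     "itemsPerPage": len(matches), "Resources": matches}

    def patch(self, user_id, payload):
        # Simplification: only add/replace on top-level attribute paths such as "active".
        user = self.users.get(user_id)
        if not user:
            return scim_error(404, "user not found")
        for op in payload.get("Operations", []):
            if op.get("op", "").lower() not in ("add", "replace") or not op.get("path"):
                return scim_error(400, "unsupported operation")
            user[op["path"]] = _coerce(op["path"], op.get("value"))
        return 200, user

STORE = UserStore()

class ScimHandler(BaseHTTPRequestHandler):
    def _authorized(self):
        header = self.headers.get("Authorization", "")
        token = header[len("Bearer "):] if header.startswith("Bearer ") else ""
        return hmac.compare_digest(token.encode(), SECRET_TOKEN.encode())  # constant-time compare

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/scim+json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _dispatch(self, method):
        if not self._authorized():
            return self._reply(*scim_error(401, "invalid bearer token"))
        url = urlparse(self.path)
        m = re.match(r"^/scim/v2/Users(?:/([^/]+))?$", url.path)  # assumed tenant URL prefix
        if not m:
            return self._reply(*scim_error(404, "unknown resource"))
        user_id = m.group(1)
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if method == "GET" and not user_id:
            return self._reply(*STORE.query(parse_qs(url.query).get("filter", [None])[0]))
        if method == "POST" and not user_id:
            return self._reply(*STORE.create(body))
        if method == "PATCH" and user_id:
            return self._reply(*STORE.patch(user_id, body))
        return self._reply(*scim_error(405, "method not allowed"))

    do_GET = lambda self: self._dispatch("GET")
    do_POST = lambda self: self._dispatch("POST")
    do_PATCH = lambda self: self._dispatch("PATCH")

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ScimHandler).serve_forever()
```

Two points a practitioner should take from this: the bearer token is the only thing authenticating the provisioning service to you, so compare it in constant time and never log it; and the `userName` existence check must be case-insensitive and the store must enforce uniqueness (409), otherwise a retry from the provisioning service creates duplicate accounts. The `_coerce` helper is a defensive assumption about how `active` may be encoded, not a documented guarantee.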