Microsoft Azure AD Automatic User Provisioning Configuration

Table of Contents

I. Prerequisites
II. Instructions for Installation
III. Instructions for Configuration
IV. Syncing Users and Groups
V. Provisioning of External Users
VI. Attributes That Can Be Modified
VII. On-Demand Provisioning (Users Only)

I. Prerequisites

To set up your Azure AD for automatic syncing of users and groups, you must have:

In its current release, this application must be set up for your account in coordination with the Bentley User Provisioning product team. This application is not a replacement for federation.

II. Instructions for Installation

1. Reach out to the Bentley User Provisioning Team by filing a new federation request to start this process.  Once coordinated with the team, they will provide you with a 365-day secret token that you can use to enable this application on your Azure Active Directory.  This token process will be replaced once it is offered on the MS store, where the authentication process will be slightly different.

2. In the Azure portal, in the left navigation panel, select Azure Active Directory.

3. Go to Enterprise applications, and then select All applications.

4. To add a new application, select the New application button at the top of the pane.

5. Search "Bentley - Automatic User Provisioning" and click on this application.

6. Now you can access your application's homepage. Proceed to the next section to configure your application.

III. Instructions for Configuration

This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups based on user and/or group assignments in Azure AD.

1. Select the Provisioning tab.

2. Click "Get Started".

3. Set the Provisioning Mode to Automatic.

4. Under the Admin Credentials section, input in the section titled Tenant URL. Input the SCIM Authentication Token value retrieved earlier in the Secret Token section. Click Test Connection to ensure Azure AD can connect to Bentley. If the connection fails, ensure your Bentley account has Admin permissions and try again.

5. Under the "Settings" area, in the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications, and check the checkbox "Send an email notification when a failure occurs".

6. Scroll to the top and click Save.

7. To enable the Azure AD provisioning service for Bentley, change the Provisioning Status to On in the Settings section.

8. Define the users and/or groups that you would like to provision to Bentley by choosing the desired values in Scope in the Settings section.

9. When you are ready to provision, click Save.

This operation starts the initial synchronization of all users and/or groups defined in Scope in the Settings section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the Synchronization Details section to monitor progress and follow links to the provisioning activity report, which describes all actions performed by the Azure AD provisioning service into IMS.

For more information on how to read the Azure AD provisioning logs, see Reporting on automatic user account provisioning.

Warning: To avoid unintentionally removing users from User Management, do not set the Provisioning Status to On until your list of users and groups has been finalized. Users can be provisioned on demand for testing purposes using the instructions in the section titled "VII. On-Demand Provisioning (Users Only)." Once users display a green badge in User Management, indicating they are synced with Azure AD, they will be removed from User Management if removed from the access list in your enterprise application. They can be restored by adding them back to the access list, but any roles they previously possessed must be re-assigned in User Management.

IV. Syncing Users and Groups

If, while configuring the application, you chose to sync only the assigned users and groups, then those users/groups need to be added to the application manually.

Microsoft currently does not allow for the ability to sync nested groups through enterprise applications.

The requirements are:

  1. Group description cannot be empty.
  2. Group name or description cannot contain any special characters. Here is a list of unsupported characters. *  \  /   <  >  ?  :  ;  "  +  !  (  )  ^  @  #  &  `  ~  =  {  }  [  ]  |  $  %
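
The group requirements above, together with the nested-group limitation, can be checked before groups are assigned to the application. The following Python pre-flight check is an added example, not Bentley's or Microsoft's code; the input shape (dicts with "name", "description" and "member_types") and the sample groups are constructed for illustration, and it tests only the characters listed above.

```python
# Added example: pre-flight check for groups before they are assigned to the
# provisioning application. The input shape is an assumption for illustration.

# Characters the page lists as unsupported in a group name or description.
UNSUPPORTED = set('*\\/<>?:;"+!()^@#&`~={}[]|$%')


def check_group(group):
    """Return a list of problems for one group (empty list means OK)."""
    problems = []
    name = group.get("name") or ""
    description = group.get("description") or ""

    # Assumption: a whitespace-only description is treated as empty.
    if not description.strip():
        problems.append("description is empty")

    for field, value in (("name", name), ("description", description)):
        bad = sorted(set(value) & UNSUPPORTED)
        if bad:
            problems.append(f"{field} contains unsupported characters: {' '.join(bad)}")

    # Nested groups are not synced through enterprise applications, so a
    # member of type "group" will not bring its own members across.
    nested = sum(1 for t in group.get("member_types", []) if t == "group")
    if nested:
        problems.append(f"{nested} nested group member(s) will not be synced")
    return problems


def preflight(groups):
    """Map group name -> problems, only for groups that have problems."""
    report = {}
    for g in groups:
        problems = check_group(g)
        if problems:
            report[g.get("name") or "<unnamed>"] = problems
    return report


# Constructed sample data, not taken from any real tenant.
SAMPLE_GROUPS = [
    {"name": "Design Team", "description": "Road design staff", "member_types": ["user", "user"]},
    {"name": "R&D", "description": "Research", "member_types": ["user"]},
    {"name": "Contractors", "description": "", "member_types": ["user", "group"]},
    {"name": "Ops", "description": "On-call (24/7)", "member_types": []},
]

if __name__ == "__main__":
    for name, problems in preflight(SAMPLE_GROUPS).items():
        print(name, "->", "; ".join(problems))
```
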

To add users/groups to the Bentley User Provisioning Application:

  1. Open the application and click "Assign users and groups" from the Overview page.

  2. On the opened page, click "+ Add User".

  3. Click on the "Users and groups" section, choose the users or groups that you want to synchronize into the Bentley system, select them, and click "Assign".


Users and groups will be synchronized on the next provision run.

V. Provisioning of External Users

We are exploring the possibility of syncing external users in the future, but in its current state, this tool does not allow external users to be synced into IMS. We will provide updates as new releases come out when this ability is added.

VI. Attributes That Can Be Modified

You can update user details through Azure AD, and those attributes will be automatically updated in User Management after the next provision run.

User Attributes that can be updated:

Group attributes that can be updated:

VII. On-Demand Provisioning (Users Only)

1. Go to the Provision section of the application in the Azure portal.

2. Click On-Demand Provision. A new page should open.

3. Enter the user you want to provision or whose attributes you want to update, and click Provision.

4. The user should be provisioned instantly and the results are shown on the same page.

See also Instructional Video