Table of Contents
What is Microsoft Azure AD Automatic User Provisioning and Why use it?
Is this a replacement for Federation?
How much does it cost to use the service?
How often does the sync occur?
How does Automatic User Provisioning work?
What happens when you delete a user from a group in Azure AD that has been synced?
Can you sync external users?
Can you sync nested groups?
What happens when a user is deleted from Active Directory?
What happens when a user with the same name is created after being deleted?
What happens if the users UPN changes?
Is there a limit to the number of groups that can be synced?
Will existing groups be removed once sync is enabled?
Which group types are supported?
Microsoft Azure AD Automatic User Provisioning is the creation, maintenance and removal of user identities in Bentley applications as users' status or roles change in your Azure AD directory. A common scenario is provisioning an Azure AD user into a Bentley application that syncs with User Management.
User Provisioning lets you:
- Create users in Bentley - Automatic User Provisioning
- Remove users in Bentley - Automatic User Provisioning when they no longer require access
- Keep user attributes synchronized between Azure AD and Bentley - Automatic User Provisioning
- Provision groups and group memberships in Bentley - Automatic User Provisioning
Microsoft Azure AD Automatic User Provisioning is not a replacement for federation. To set up federation, please refer to our Azure AD OIDC Federation Configuration and Automatic User Provisioning guide.
There's no additional cost to use the service, but you will need an Azure AD account, a Federated Azure Bentley IMS account and you must be a Bentley IMS Account Administrator.
The sync runs at 40-minute intervals from the initial start.
At each interval the Azure AD sync engine checks whether anything has changed in the directory. If so, it sends the appropriate request (create, update, delete, and so on) to the User Provisioning service, which then makes the equivalent Ping API call to apply the change in User Management.
The Provision on demand option creates or updates a single user's account immediately, outside the 40-minute cycle, but it does not support group create, update or delete.
When a user is added to an Active Directory group that is synced, the user is created in User Management as a member of that group. If the user is later removed from the group in Active Directory, the user is deleted from the organization in User Management at the next sync interval and, for security purposes, loses all User Management roles. If the removal was accidental, the user can be added back to the group or synced as an individual user; they will be re-created in User Management at the next sync interval. Any roles the user previously held are not restored automatically and must be reassigned by the administrator after the sync.
External users cannot be synced at this time.
Microsoft currently does not allow for the ability to sync nested groups through enterprise applications.
When a user is deleted from Active Directory, the user is deleted from your organization in User Management and can no longer access any Bentley application they previously had access to. The user's IMS account becomes an unaffiliated account, meaning it is not attached to an organization, but it retains any learning credits earned and any other legacy information attached to it. If the removed user is not restored within 30 days, the link to user provisioning is also removed.
If user John Smith with email jsmith@email.com existed in your AD and then left the organization, that user is deleted from your organization in User Management. If a new user with the same name is later added to AD and synced, a new account is created in User Management that is not linked to the previous account in any way.
If a user's UPN changes, the user's name is updated in User Management at the next sync interval after the change is made.
A synced group can become an Entitlement group. Allocation groups are not supported for synced groups; if you need Allocation groups, create them manually.
An organization can create/sync a total of 500 groups.
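The three limits above (no external users, no nested groups, at most 500 groups) are easy to violate silently, because the Azure AD sync engine simply skips what it cannot provision. The following pre-flight check is an added example, not Bentley's or Microsoft's own code: it uses the Microsoft Graph PowerShell SDK to enumerate the users and groups assigned to the enterprise application and flags guest users, nested groups and an over-limit group count before the first sync. It assumes the SDK is installed and that you know the enterprise application's display name; `Bentley IMS` is a placeholder.

```powershell
# Added pre-flight check for Azure AD automatic user provisioning (example code,
# not Bentley's or Microsoft's). Assumes the Microsoft.Graph PowerShell SDK is
# installed. The app display name is an assumption; replace it with yours.
param(
    [string]$AppDisplayName = 'Bentley IMS'   # assumption: placeholder name
)

$MaxSyncedGroups = 500                        # limit stated on this page

Connect-MgGraph -Scopes 'Application.Read.All','Group.Read.All','User.Read.All' | Out-Null

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Enterprise application '$AppDisplayName' not found." }

# Users and groups assigned to the app; this is the scope the sync engine reads.
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
$groups = @($assignments | Where-Object PrincipalType -eq 'Group')
$users  = @($assignments | Where-Object PrincipalType -eq 'User')

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Group count against the 500-group limit.
if ($groups.Count -gt $MaxSyncedGroups) {
    $findings.Add("$($groups.Count) groups assigned; only $MaxSyncedGroups can be synced.")
}

foreach ($g in $groups) {
    # Direct members only: nested groups are not expanded by the provisioning service.
    $members = Get-MgGroupMember -GroupId $g.PrincipalId -All
    foreach ($m in $members) {
        $type = $m.AdditionalProperties['@odata.type']
        if ($type -eq '#microsoft.graph.group') {
            # 2. Nested group: its members will never reach User Management.
            $findings.Add("Group '$($g.PrincipalDisplayName)' contains nested group $($m.Id); its members will not be synced.")
        }
        elseif ($type -eq '#microsoft.graph.user') {
            # 3. External (guest) users are not synced.
            $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,UserType
            if ($u.UserType -eq 'Guest') {
                $findings.Add("Group '$($g.PrincipalDisplayName)' contains guest user $($u.UserPrincipalName); it will not be synced.")
            }
        }
    }
}

# Directly assigned guest users are skipped for the same reason.
foreach ($a in $users) {
    $u = Get-MgUser -UserId $a.PrincipalId -Property Id,UserPrincipalName,UserType
    if ($u.UserType -eq 'Guest') {
        $findings.Add("Directly assigned guest user $($u.UserPrincipalName) will not be synced.")
    }
}

if ($findings.Count -eq 0) { 'No provisioning blockers found.' } else { $findings }
```

Run it with an account that can read applications, groups and users; it makes no changes. A nested group finding means you must assign the child group to the application directly (or flatten membership) for its users to be provisioned, and a guest finding means those users need a separate access path, since the page states external users cannot be synced.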
Existing groups are not affected. They will remain as they are/were before sync is enabled.
Azure AD OIDC Federation Configuration and Automatic User Provisioning