Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps employees to sign in and access both internal and external resources.
With Sapling’s integration with Azure AD, you can:
- Automatically provision new Azure AD accounts
- Keep profile information in Azure AD up to date by pushing specific profile fields from Sapling → Azure AD
- De-provision employee accounts in Azure AD when they are offboarded in Sapling
This guide provides a walkthrough on how Sapling Admins can enable the Azure AD integration.
Important notes:
- In order for Sapling to be able to create and make updates to profiles in Azure AD, the user who authorizes the integration must have the admin role of user administrator in Azure.
- Currently Sapling does not support a Sapling <> Azure AD data sync for existing employee attributes. We can only sync data for new employees who have been onboarded via Sapling.
To work around this:
Set up a custom report on the field changes that you need reflected in Azure AD, and have IT check that report regularly to confirm that changes made in Sapling took effect in Azure AD.
This article covers the following topics:
- Add Azure AD To Sapling
- What fields are updated from Sapling → Azure AD?
Add Azure AD To Sapling
IMPORTANT: You'll need the User administrator role in Azure to correctly activate this integration. Be sure you have that role before starting.
First, log in to your Sapling account. Navigate from Home > Integrations, and turn on the toggle for Azure AD.
In the Subdomain box, add your unique Azure AD domain (should look like yourcompanyname.onmicrosoft.com). To enable changes to be sent from Sapling to Azure, turn on the "sync changes" toggle.
Hit the “Save” button after you’ve entered the subdomain.
Next, you need to authorize the integration. This will connect with Azure AD and walk you through the Microsoft consent screen with requested permissions (user provisioning).
Note: to authorize on this screen, you must log in using an account with the Microsoft Azure User administrator role (e.g. IT manager).
After successful authorization, you should be redirected back to the Sapling website.
Provision Users within Azure AD using Sapling app
Start onboarding a test user using the Sapling onboarding workflow.
- This should send an email to the test user’s personal and company email account.
- This also makes a call to Azure AD to provision a user account in AD.
- Wait for ~1 min.
Next, log in to the Azure AD portal and click on “Users”.
Verify that a test user has been created.
De-provision Users within Azure AD using Sapling
First, log in to Sapling. Note: you must be a Sapling Admin to make these updates.
With the same test-user as above, go to their profile page. From the “Actions” menu, select “Start Offboarding” and click through the Offboarding flow.
Once the test user is fully offboarded, return to your Azure AD profile. Go to the “Users” section and verify that the user has been de-provisioned.
A de-provision request is sent to Azure AD when:
- The team member has been offboarded and moved to the 'Departed' stage
- and the team member's state has been changed to "Inactive"
Note: As long as you have de-provisioning rules set up in Azure AD that act on the offboarding request, Azure AD can de-provision/suspend access to all software that has been provisioned via the Azure AD account.
What fields are updated from Sapling → Azure AD?
We send the following fields from Sapling to Azure:
- First Name
- Last Name
- Mobile Phone
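
One way for IT to automate the report check from the workaround above, and the de-provisioning verification, is to reconcile a Sapling custom report against an export of Azure AD users. This is an added example, not Sapling's or Microsoft's code. Assumptions: the report's column names and the stage/state values on active rows are hypothetical, the Azure export uses Microsoft Graph user property names, and a deleted or disabled account counts as de-provisioned. All sample data is constructed.

```python
import csv
import io
# Constructed Sapling custom report; column names and the active rows' values are hypothetical.
SAPLING_REPORT = """company_email,first_name,last_name,mobile_phone,stage,state
ana@yourcompanyname.onmicrosoft.com,Ana,Diaz,+1 555 0100,Onboarded,Active
ben@yourcompanyname.onmicrosoft.com,Ben,Okoro-Lee,+1 555 0101,Onboarded,Active
cara@yourcompanyname.onmicrosoft.com,Cara,Ng,+1 555 0102,Departed,Inactive
dev@yourcompanyname.onmicrosoft.com,Dev,Rao,+1 555 0103,Departed,Inactive
eli@yourcompanyname.onmicrosoft.com,Eli,Stone,+1 555 0104,Onboarded,Active
"""
# Constructed Azure AD user export, keyed by Microsoft Graph user property names.
D = "@yourcompanyname.onmicrosoft.com"
AZURE_USERS = [
    {"userPrincipalName": "ana" + D, "givenName": "Ana", "surname": "Diaz",
     "mobilePhone": "+15550100", "accountEnabled": True},
    {"userPrincipalName": "ben" + D, "givenName": "Ben", "surname": "Okoro",
     "mobilePhone": "+15550101", "accountEnabled": True},
    {"userPrincipalName": "cara" + D, "givenName": "Cara", "surname": "Ng",
     "mobilePhone": "+15550102", "accountEnabled": True},
    {"userPrincipalName": "dev" + D, "givenName": "Dev", "surname": "Rao",
     "mobilePhone": "+15550103", "accountEnabled": False},
]
# The three fields the page says Sapling sends, mapped to Graph property names.
FIELD_MAP = {"first_name": "givenName", "last_name": "surname", "mobile_phone": "mobilePhone"}

def norm(prop, value):
    """Compare phones by digits only and names case-insensitively."""
    if prop == "mobilePhone":
        return "".join(ch for ch in (value or "") if ch.isdigit())
    return " ".join((value or "").split()).casefold()

def reconcile(report_csv, azure_users):
    """Return (upn, issue, property) tuples for every mismatch, in report order."""
    azure = {u["userPrincipalName"].casefold(): u for u in azure_users}
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        upn = row["company_email"].strip().casefold()
        user = azure.get(upn)
        if row["stage"] == "Departed" and row["state"] == "Inactive":
            # Assumption: a deleted or disabled account counts as de-provisioned.
            if user and user.get("accountEnabled", True):
                findings.append((upn, "still_enabled", "accountEnabled"))
        elif user is None:
            findings.append((upn, "missing_in_azure", ""))
        else:
            findings.extend((upn, "field_drift", prop) for col, prop in FIELD_MAP.items()
                            if norm(prop, row[col]) != norm(prop, user.get(prop)))
    return findings

print(*reconcile(SAPLING_REPORT, AZURE_USERS), sep="\n")
```

A `still_enabled` finding is the one to act on first: the team member is Departed and Inactive in Sapling but the Azure AD account can still sign in.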