I have a SaaS application that I use SCIM user provisioning with and I want my guests to be fully controlled through my AD. I can map any field from Azure AD to my SaaS app so I want to create aliased fields for my guests.
Example:
My domain: @lovestackoverflow.com
My guests: Can be anything but lets say [email protected] for example
I want to create an aliased field (or attribute) for Joe to be something like [email protected] – This account needs nothing to do with @lovestackoverflow.com or have an email etc. The purpose of this is for the SaaS app to be passed this information as it expects is.
Can anyone point me in the right direction with how to do this in Azure AD?
Apologies, I am a complete Azure Noob 🙂
2
Answers
In my opinion you have two main options:
you can create a user for joe under your tenant (lovestackoverflow.com) and restrict his access only to login to this app. Let him authenticate with a regular account under your tenant and enable 2FA
If you are managing this app thought Azure Enterprise Applications, you can add his user and assign him access to authenticate with his guest user.
More information about how you are managing your saas application will be helpful.
If you’re synced from on-prem, use an on-prem attribute to hold that "alias" information and then sync it to Azure AD via AAD Connect’s Directory Extensions feature. If you’re cloud-only, you can try using AAD’s MS Graph Schema Extensions feature, documented here: https://learn.microsoft.com/en-us/graph/api/resources/schemaextension?view=graph-rest-1.0
At that point, just choose whatever your source attribute is that holds the alias information in the SCIM provisioning config and point it towards whatever your target SCIM app’s attribute is called.