Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps employees to sign in and access both internal and external resources.
With Sapling’s integration with Azure AD, you can:
Automatically provision new Azure AD accounts
Keep profile information in Azure AD up to date by pushing specific profile fields from Sapling → Azure AD
De-provision employee accounts in Azure AD when they are offboarded in Sapling
This guide provides a walkthrough on how Sapling Admins can enable the Azure AD integration.
Important notes:
In order for Sapling to be able to create and make updates to profiles in Azure AD, the user who authorizes the integration must have the admin role of user administrator in Azure.
Currently, Sapling does not support a Sapling <> Azure AD data sync for existing employee attributes. We can only sync data for new employees who have been onboarded via Sapling.
To work around this:
Set up a custom report on the field changes that you want reflected in Azure AD, and have IT review that report to confirm that changes made in Sapling took effect in Azure AD.
Add Azure AD To Sapling
IMPORTANT: You'll need the User administrator role in Azure to correctly activate this integration. Be sure you have that role before starting.
First, log in to your Sapling account. Navigate to Home > Integrations, and turn on the toggle for Azure AD.
In the Subdomain box, add your unique Azure AD domain (should look like yourcompanyname.onmicrosoft.com). To enable changes to be sent from Sapling to Azure, turn on the "sync changes" toggle.
Hit the “Save” button after you’ve entered the subdomain.
Next, you need to authorize the integration. This will connect with Azure AD and walk you through the Microsoft consent screen with requested permissions (user provisioning).
Note: to authorize on this screen, you must log in using an account with the Microsoft Azure User administrator role (e.g. IT manager).
After a successful authorization, you should be redirected back to the Sapling website.
Provision Users within Azure AD using Sapling app
Start onboarding a test user using the Sapling onboarding workflow.
This should send an email to the test-user’s personal and company email account.
This also makes a call to Azure AD to provision the user account in Azure AD.
Wait for ~1 min.
Next, log in to the Azure AD portal and click on “Users”.
Verify that a test user has been created.
De-provision Users within Azure AD using Sapling
First, log in to Sapling. Note: you must be a Sapling Admin to make these updates.
With the same test-user as above, go to their profile page. From the “Actions” menu, select “Start Offboarding” and click through the Offboarding flow.
Once the test user is fully offboarded, return to your Azure AD profile. Go to the “Users” section and verify that the user has been de-provisioned.
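The manual checks described above (IT confirming that report changes reached Azure AD, and that offboarded users were de-provisioned) can be run as a reconciliation over two exports. This is an added example, not Sapling's code: the report column names, the sample rows, and the rule that "de-provisioned" means deleted or accountEnabled set to false are assumptions; jobTitle, department, accountEnabled and userPrincipalName are Microsoft Graph user property names.

```python
import csv
import io

# Constructed sample: rows of a Sapling custom report (column names are assumed).
SAPLING_REPORT = """email,field,new_value,status
ana@contoso.example,jobTitle,Staff Engineer,active
bo@contoso.example,department,Finance,active
cy@contoso.example,,,offboarded
dee@contoso.example,,,offboarded
"""

# Constructed sample: Azure AD users keyed by userPrincipalName.
AZURE_USERS = {
    "ana@contoso.example": {"jobTitle": "Staff Engineer", "department": "R&D", "accountEnabled": True},
    "bo@contoso.example": {"jobTitle": "Analyst", "department": "Sales", "accountEnabled": True},
    "cy@contoso.example": {"jobTitle": "Designer", "department": "Brand", "accountEnabled": True},
    # dee@contoso.example is absent: the account no longer exists in the directory.
}

def reconcile(report_csv, azure_users):
    """Return a sorted list of (email, issue) findings for IT to follow up."""
    users = {upn.lower(): attrs for upn, attrs in azure_users.items()}
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        email = row["email"].strip().lower()
        user = users.get(email)
        if row["status"] == "offboarded":
            # Assumption: de-provisioned means deleted or accountEnabled == False.
            # A record with no accountEnabled value is treated as still enabled.
            if user is not None and user.get("accountEnabled", True):
                findings.append((email, "offboarded in Sapling but still enabled in Azure AD"))
            continue
        if user is None:
            findings.append((email, "no matching Azure AD account"))
            continue
        field, expected = row["field"], row["new_value"]
        actual = user.get(field)
        if (actual or "").strip() != expected.strip():
            findings.append((email, f"{field}: Sapling={expected!r} Azure AD={actual!r}"))
    return sorted(findings)

if __name__ == "__main__":
    for email, issue in reconcile(SAPLING_REPORT, AZURE_USERS):
        print(f"{email}: {issue}")
```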
What fields are updated from Sapling → Azure AD?
We send the following fields from Sapling to Azure:
Any questions, please reach out to firstname.lastname@example.org!