cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Provision Users & Groups from Azure to IAS via IPS

chrissap
Explorer

on ‎2023 Jul 18 6:36 PM

0 Kudos
1,976

Hello Community of Experts,

  • Our Goal: Provision all users from Azure that are in specific Azure groups based on the Azure group name starting with 'SAP-IAS-BTP' for example.
  • Our current config for MS Azure as Source in IPS:
  1. aad.group.filter: startswith(displayName,'SAP-IAS-BTP')
  2. aad.user.filter: mail ge ' '
  3. aad.user.filter.group.filter.combine: true

The read job itself is successful, the users and groups are exactly what we want. The problem we are running into is that it takes 8-10 hours for this to run. I do not see an option for Delta run on Azure AD connector.

So my questions are:

1. Based on my filters, would expectation be that it runs for 8-10 hours over an Azure AD which is roughly 250k users?

2. Is there a Delta mode for Azure AD read? I'm new to IPS so maybe I'm missing where this is located.

3. How can I improve this performance? We are going to need to run this job daily to get adds/removes from the Azure User Groups, so ideally whatever solution we have should be able to run in less than an hour

4. Am I going about this all wrong? Are there better ways to get ONLY the users from the subset of Azure AD groups into IAS?

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies

Accepted Solutions (0)

Answers (2)

Answers (2)

Colt
Active Contributor
‎2023 Aug 15 1:25 PM
0 Kudos

Hi Chris,

I'm curious, did you managed to fix this in the meantime?

Cheers Carsten

Show replies
Show replies
Yogananda
Product and Topic Expert
Product and Topic Expert
‎2023 Jul 18 8:03 PM
0 Kudos

chrisryan

I just found a article in Microsoft Graph API for delta which can be useful for you to add that in IPS Properties .

https://learn.microsoft.com/en-us/graph/delta-query-overview

https://learn.microsoft.com/en-us/graph/delta-query-users?tabs=http

Show replies
Show replies
chrissap
Explorer
‎2023 Jul 18 9:07 PM

Hello Yogananda,

Thanks for providing the links to learn more about the Graph API delta. I'm curious to learn how that would fit into the IPS Source System I have setup for Azure. It seems like SAP would need to provide an option for Delta in the Jobs area highlighted below. Not sure if we can customize the Source app type like suggested in the article. Would love to hear if you've been able to do this in the environment.

Below are the options I see for job types...

dyaryura
Contributor
‎2023 Jul 19 1:18 AM
0 Kudos

Hi Yogananda,

As per the documentation there's no support for delta Synch with AAD and only with on-prem AD:

https://help.sap.com/docs/identity-provisioning/identity-provisioning/manage-full-and-delta-read

What are your thoughts on syncing the other way around using AAD provisioning?

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/sap-cloud-platform-identity-authe...

based also on your blog (https://blogs.sap.com/2022/07/18/know-more-about-sap-ias-scim-apis-latest/)

I was able to do some testing and provision users with the app using URL https://<IAS Tenant>/service/scim and a clientid/client secret generated for an admin user. I see this scenario already considers a delta mode but not sure if this scenario is deprecated or recommended from a SAP standpoint.

Thanks

Diego

Yogananda
Product and Topic Expert
Product and Topic Expert
‎2023 Jul 19 6:38 AM
0 Kudos

chrisryan dyaryura

you will have to add delta read attribute field name and value from the Graph API shown in below screen. Any users are modified changes will only be recognized from Azure side and not from SAP IAS/IPS.

Ask a Question