Azure AD User Sync

Sync users periodically from Azure Active Directory to ServiceDesk Plus Cloud. You can import users based on criteria and custom-map Azure fields with ServiceDesk Plus fields to suit your requirements.

Role Required: SDAdmin

While mapping fields or configuring the criteria for user import, you can sync complete user information (besides basic details) from Azure AD to ServiceDesk Plus Cloud if any of the following integrations is enabled:

• Microsoft Azure, enabled by Microsoft Azure global administrator.
• Azure AD User Sync, enabled by a Microsoft Azure user after obtaining consent from Microsoft Azure global administrator to authorize ServiceDesk Plus in Microsoft Azure. In this case, the user does not require the global administrator privileges. 

The document will help you understand the following topics:

• Authorize Workflow for Non-Admin Users
• Enable Azure AD User Sync
• Configure Azure AD User Sync
• Disable Azure AD User Sync
• Process Workflow

Authorize Workflow for Non-Admin Users

The workflow and configurations described below are required only when the authorizing user is not a Global Administrator or Privileged Administrator. In all other cases, authorization proceeds without any additional configuration.

Authorization Error for Non-Admin Users

If this error occurs for non-admin users, follow the steps below to complete the Azure AD authorization workflow.

 Step 1: Grant Admin Consent for ServiceDesk Plus (Cloud)  

• Sign in to the Microsoft Entra admin center as a Global Administrator.

• Go to Enterprise applications.

• From the left pane, under Manage, select All applications.

• Search for the application by name, ServiceDesk Plus (Cloud), and select it.

• In the left pane, under Security, click Permissions.

• Under the Permissions section, select Grant admin consent for ServiceDesk Plus. This will redirect you to the Microsoft authorization page, where you must complete the authorization process.

 Step 2: Enable the Admin Consent Workflow        

• Sign in to the Microsoft Entra admin center as a Global Administrator.

• Go to Enterprise applications > Consent and permissions > Admin consent settings.

  • Under Admin consent requests, select Yes for Users can request admin consent to apps they are unable to consent to.

• Configure the following settings:

  • Who can review admin consent requests - Select users, groups, or roles who can review admin consent requests. 

  • Note:

    • Global Administrators or Privileged Administrators can approve requests for apps needing application permissions. 

    • Reviewers can view, block, or deny requests and see incoming requests on the My Pending tab. 

    • New reviewers cannot act on existing or expired requests.

  • Selected users will receive email notifications for requests - Enable or disable email notifications to reviewers when a request is made.

  • Selected users will receive request expiration reminders - Enable or disable reminder emails to reviewers before a request expires.

  • Consent request expires after (days) - Specify how many days a consent request stays valid.

• Click Save.

 Authorization Page View After Configuration

Requesting User Consent on the Authorization Page   

To request consent in Azure AD  

• Start enabling the integration in your application or service.

• If you lack permission, Azure AD will prompt you with a message requesting admin approval.

• Click Request approval in the prompt.

Where the Authorization Consent Request Appears in Azure AD   

If Admin Consent Workflow is Enabled:  

• Sign in to the Azure Portal.

• Go to Azure Active Directory.

• Under Manage, click Enterprise applications.

• In the left pane, under Activity, select Admin consent requests.

  • My Pending tab: You will see pending consent requests that users have raised.

  • Click on the request you want to review.

• Click Review permissions and consent.

  • To view the application details, select the App details tab.

  • To see who is requesting access and why, select the Requested by tab.

• Evaluate the request and choose Approve or Deny or Block. Learn more.

Enable Azure AD User Sync

• Go to Setup > Apps & Add-ons > Integrations > Third Party Integrations.
• On the Azure AD User Sync card, toggle the integration ON.
• Click Agree.

• You will be directed to the Microsoft authorization page to verify user identity if Microsoft Single Sign on is not configured.

• Sign in to your Microsoft account and complete the authorization process. This is a one-time process.  

Configure Azure AD User Sync  

Click Configure on the Azure AD User Sync card to schedule the sync or to choose how the user information must reflect in ServiceDesk Plus when deleted in Azure AD. You can import users based on criteria from Azure AD. You can also custom map Azure AD fields with ServiceDesk Plus fields as per requirement. 

Sync Frequency and User Profile Management  

• Set a sync frequency. You can set it between 1 to 7 days.

• When users are deleted in Azure AD, you can modify user profiles in ServiceDesk Plus Cloud as follows: Revoke login, Remove user, and Do nothing.

• When users are moved to trash in Azure AD, you can modify the user in ServiceDesk Plus as follows: Revoke login, Remove user, and Do nothing.

• Select what happens to the manually deleted users during the next sync cycle. You can either ignore the deleted users or re-sync them using appropriate options.

• Choose whether to sync the user profile picture from Azure AD to ServiceDesk Plus.

• Set the login status for users added via Azure AD: Follow login status from Azure, Enable Login, or Disable Login.

• Set the login status for users updated via Azure AD: Follow login status from Azure or Do nothing.

Field Mapping 

Choose which fields from Azure AD should be mapped to the respective ServiceDesk Plus fields.

By default, i.e, without enabling Microsoft Azure AD integration, Name, Email, First name, Last name, User Principal name fields can be mapped. After enabling the integration, the following fields will be available for mapping.

• By default the following fields will be available for mapping:

If Microsoft Azure integration is enabled, you can map the following details from Azure AD to ServiceDesk Plus:

Select and map the respective fields as shown below. An Azure field can be mapped with only one ServiceDesk Plus field.
 

Criteria for User Import

You can import users based on criteria or you can import all users without any criteria.

If you want to import users based on criteria, select Based on Criteria and add conditions. For example, you can set a criterion to import users only from a particular Site by choosing the Site column, setting the operator value as is and by entering the Site name.

If you want to import users without any criteria, select Without Criteria. This option will import all users from Azure AD. 

Azure AD Fields available for configuring criteria:

1. Domain
2. Email
3. First Name
4. Last Name
5. Name
6. Usage Location
7. User Principle Name
8. Users with Azure Login

If Microsoft Azure integration is enabled, the following fields will be available for configuring criteria:

1. User Type
2. Department
3. Office
4. Job title
5. Employee ID
6. Mobile Phone
7. Business Phone
8. Reporting To
9. City
10. Company Name
11. Street Address
12. State or Province
13. ZIP or Postal Code
14. Country or Region
15. Alternate Email
16. Groups
17. Cost Center
18. Division
19. Fax Number
20. On-premises Sync Enabled
21. On-premises Distinguished Name
22. On-premises Domain Name
23. On-premises Immutable Id
24. On-premises Last Sync Date Time
25. On-premises SAM Account Name
26. On-premises Security Identifier

Once you have configured everything, click Save to save the configurations or Save and Sync to initiate sync.

You can also start the sync using the Start Sync button on the Azure AD User Sync integration card.

Resync Data from Azure 

After the initial sync, administrators can initiate a complete resync of all data from Azure to ServiceDesk Plus Cloud. This option can be used especially when the integration configurations were modified after users were imported to ServiceDesk Plus Cloud.

1. On the Azure AD User Sync card, click Configure.
2. Select Resync to apply changes to the old data option.
3. Click Save.

Disabling Azure AD User Sync

1. Under Setup > Apps & Add-ons > Third Party Integrations, disable Azure AD User Sync by switching the toggle button.
2. Click Disable on the confirmation pop-up.
    

Azure AD User Sync Reports

Get a report on all actions taken on each user synced from Active Directory (AD), including additions, updates, deletions, and any modifications to user data with Azure AD User Sync Reports. To get the report, select the Enable Azure AD User Sync Reports checkbox under Integrations > Azure AD User Sync > Configure > Sync Reports.

Once enabled, the reports will be available to download on the Azure AD User Sync card under Integrations.

Points to remember:

• If the administrator who configured Azure User Sync integration leaves the organization, the user who revokes the administrator/global admin privileges for the former user will added as the integration owner. The new integration owner's token will be used to validate the integration.

• Users in unverified domains will be added as non-login users in ServiceDesk Plus Cloud.

• Login users will be added only if the Account Enabled field is selected in Azure AD.
  • If the Account Enabled field is enabled after adding users to ServiceDesk Plus Cloud, login permissions will be provided to users following the next scan.
  • If the Account Enabled field is disabled after adding users to ServiceDesk Plus Cloud, login permissions provided previously will not be removed for users. However, users added subsequently will not have login permissions.

Process Workflow