
AD & Azure AD hybrid management

LeeEG
New Contributor II

We cannot apply AzureAD/O365 entitlements to users as a birthright, because AzureAD Sync has not yet created their accounts

If we instead use Saviynt to deploy AzureAD accounts, but we need to synchronize other AD attributes using AADSync (group memberships, hybrid Exchange information, etc.), what is the best practice for this?

How do other customers deal with this?


If we create Azure connector, it needs a separate security system according to the documents.

If we do it this way, each user will have 2 "accounts" that are really the same account, one for AzureAD/O365, and one for Azure infrastructure.

Also in this case, if User 1 needs to get BOTH O365 permissions and Azure permissions as a birthright, Saviynt will attempt to create an account for this user in Azure twice. One will obviously fail, and then birthright entitlements will fail. What is the correct way to deal with this?


SB
Saviynt Employee

To confirm that I understood the requirement: you need to use the AAD connector for importing accounts/objects, and for provisioning you will be using the REST connector. If my understanding is correct, then you can define both connections under the Security System.

For import, you can define the AAD connection under "Connection".

For provisioning, you can define the REST connection under "Provisioning Connection".



Regards,
Sahil

SB
Saviynt Employee

I guess I misunderstood the query the first time. You are looking for a way to manage the AAD and Azure accounts under a single account in Saviynt. Is that right?


Regards,
Sahil

LeeEG
New Contributor II

Correct, as in the account comes in from Workday and then gets provisioned in both AD and Azure. The issue currently is that the client has Azure AD Connect running on-prem, which they used previously to create the account in Azure after Saviynt pushed it to AD. The issue there was the time delay in synchronizing the accounts, as the Saviynt task would fail because the Azure account wouldn't have been created yet.

The current plan is to have Saviynt deploy both Azure and AD accounts and then leverage Azure AD Connect to link the two using soft-matching.

I need some guidance on how to proceed, as the current Azure connection is functioning, but the task returns an error due to a requirement set by Azure AD Connect.

Any advice or recommendations would be appreciated!

Sunanda_Bishnoi
Saviynt Employee

Hi LeeEG,

We generally use the Sav4Sav REST Connector for this, where you can call the analytics that has the logic to check if an Azure AD account is present for the user. If the account is present, we update a custom property on that user's profile, for which we then configure a User Update rule to trigger Add Access for a set of entitlements.

Thanks,

Sunanda Bishnoi