Say you had a SaaS product configured as an enterprise App in AAD and wanted to automate the addition / decommissioning of users for that app.

There are a few paths to consider here.

  1. Users exist in the corporate AD and are synced to AAD (into a group).
  2. SCIM provisioning then automatically creates any new user added to that AAD group in the SaaS service.
  3. Likewise, when it is time to decommission a user, removing them from the AAD group automatically removes them from the SaaS service’s database as well.

How does all this work?

The SaaS provider exposes their user database via a SCIM endpoint.

AAD (under each enterprise app) has a feature called Automatic User Provisioning (or simply ‘Provisioning’) that pushes the group’s membership changes to that SCIM endpoint.

What about Graph API? Where does that come into the picture?

When users are originally added to your SaaS application, you could write them to AAD using the Graph API.
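To make the moving parts concrete, here is an added example (mine, not Microsoft’s or any SaaS vendor’s code) that models both sides of the loop described above: the SaaS provider’s SCIM 2.0 /Users endpoint as an in-memory store, and a small emulation of what the AAD Provisioning cycle does against it (create members that are missing, disable users that left the group). The bearer token, the user names and the `graph_add_member_request` helper are constructed for illustration; the Graph URL shape is the real `groups/{id}/members/$ref` call.

```python
"""Added example: SCIM provisioning loop modelled end to end (not vendor code)."""
import re
import uuid
from urllib.parse import urlsplit, parse_qs

SCIM_BEARER_TOKEN = "constructed-secret-token"  # constructed; the Secret Token configured in AAD Provisioning
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
_FILTER = re.compile(r'^userName eq "([^"]+)"$')  # the lookup AAD issues before creating


class ScimUserStore:
    """The SaaS provider's user database, exposed as a SCIM 2.0 /Users resource."""

    def __init__(self):
        self.users = {}  # SCIM id -> user resource

    @staticmethod
    def _error(status, detail):
        return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}

    def handle(self, method, url, headers, body=None):
        """Serve one SCIM request; returns (http_status, response_body)."""
        # Every call, reads included, must carry the configured bearer token.
        if headers.get("Authorization") != f"Bearer {SCIM_BEARER_TOKEN}":
            return self._error(401, "invalid bearer token")
        parts = urlsplit(url)
        segments = parts.path.strip("/").split("/")
        if segments[0] != "Users":
            return self._error(404, "unknown resource")
        user_id = segments[1] if len(segments) > 1 else None
        if user_id is None and method == "GET":
            return self._list(parse_qs(parts.query).get("filter", [None])[0])
        if user_id is None and method == "POST":
            return self._create(body)
        user = self.users.get(user_id)
        if user is None:
            return self._error(404, "no such user")
        if method == "GET":
            return 200, user
        if method == "PATCH":
            return self._patch(user, body)
        if method == "DELETE":  # hard delete, used by AAD after the soft-delete window
            del self.users[user_id]
            return 204, None
        return self._error(405, "method not allowed")

    def _list(self, flt):
        if flt is None:
            matches = list(self.users.values())
        else:
            m = _FILTER.match(flt)
            if not m:
                return self._error(400, "unsupported filter")
            matches = [u for u in self.users.values() if u["userName"] == m.group(1)]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(matches), "Resources": matches}

    def _create(self, body):
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return self._error(409, "userName already exists")  # SCIM uniqueness conflict
        user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()),
                "userName": body["userName"], "active": body.get("active", True)}
        self.users[user["id"]] = user
        return 201, user

    def _patch(self, user, body):
        for op in body.get("Operations", []):
            if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                # AAD may send the boolean as the string "False"; bool("False") would be True.
                user["active"] = str(op["value"]).lower() == "true"
            else:
                return self._error(400, "unsupported patch operation")
        return 200, user


def provisioning_cycle(store, group_members):
    """Emulate one AAD Provisioning cycle for the app's assigned group:
    create members missing at the SaaS, disable users no longer in the group."""
    hdr = {"Authorization": f"Bearer {SCIM_BEARER_TOKEN}"}
    actions = []
    for upn in group_members:
        _, found = store.handle("GET", f'/Users?filter=userName eq "{upn}"', hdr)
        if found["totalResults"] == 0:
            status, _ = store.handle("POST", "/Users", hdr,
                                     {"schemas": [USER_SCHEMA], "userName": upn, "active": True})
            actions.append(("create", upn, status))
    _, everyone = store.handle("GET", "/Users", hdr)
    for u in everyone["Resources"]:
        if u["active"] and u["userName"] not in group_members:
            status, _ = store.handle("PATCH", f"/Users/{u['id']}", hdr,
                                     {"schemas": [PATCH_SCHEMA],
                                      "Operations": [{"op": "Replace", "path": "active", "value": "False"}]})
            actions.append(("disable", u["userName"], status))
    return actions


def graph_add_member_request(group_id, user_id):
    """Constructed helper: the Graph call that puts an existing AAD user into the provisioning group."""
    return ("POST", f"https://graph.microsoft.com/v1.0/groups/{group_id}/members/$ref",
            {"@odata.id": f"https://graph.microsoft.com/v1.0/directoryObjects/{user_id}"})


if __name__ == "__main__":
    store = ScimUserStore()
    print(provisioning_cycle(store, ["alice@example.com", "bob@example.com"]))  # two creates
    print(provisioning_cycle(store, ["alice@example.com"]))                     # bob disabled
```

Two details worth keeping from this model when building the real endpoint: the token check runs before any routing, so an unauthenticated caller cannot even enumerate users via the filter lookup, and the `active` patch treats the value as a string, because AAD has been known to send `"False"` rather than a JSON boolean, and a naive `bool()` conversion would silently leave a decommissioned user enabled.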



Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.