
Account management



Learn how you can create, update and deactivate user accounts on Workplace.
Following the industry trend of migration towards cloud IdP solutions, we have decided to sunset the AD Sync solution on 12 August 2021, after which time our team will no longer provide support or software updates. As of today, you will no longer be able to deploy the AD Sync solution to new Workplace communities. Due to security reasons, we will sunset the current version (v15) and all previous versions of the AD Sync support software on 1 February 2021.
Which cloud IdP solutions does Workplace integrate with?
Workplace integrates many IdP solutions, including Microsoft Azure AD, Okta, Harbor, G Suite, OneLogin and Connect by Azuronaut. We encourage you to visit our Integration Directory for a full list of IdP solutions that we partner with. We recommend Microsoft Azure AD as a viable alternative to the current AD Sync solution. You may also follow steps as described here to complete the migration.

What if I'm not ready to migrate to a cloud provider?
Should you prefer not to migrate to a cloud provider at this moment, we would encourage you to update your AD Sync support software to the newly released version (v16) as described, which will continue to function until 12 August 2021.
Overview

As the Workplace Active Directory Sync (also called AD Sync hereafter) product is being deprecated, we've worked together with the Microsoft team to present this guide to help you migrate to Microsoft Azure Active Directory.

Architecture overview

Scenarios

There are two main scenarios that you may encounter when integrating Workplace with Azure Active Directory:

Follow these steps if you're unsure:

Integrate your on-premises Active Directory with Azure Active Directory

If your organisation does not have an Azure tenant, you will need to create one.
More information: Quickstart: Set up a tenant

Azure AD Connect

Azure AD Connect is a Microsoft tool designed to meet your hybrid identity goals. It provides the following features:

  • Password hash synchronisation - A sign-in method that synchronises a hash of a user's on-premises AD password with Azure AD.
  • Pass-through authentication - A sign-in method that allows Azure AD users to authenticate against your on-premises Active Directory, but doesn't require the additional infrastructure of a federated environment.
  • Federated authentication - Federation management is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
  • Synchronisation - Responsible for creating users, groups and other objects, as well as making sure that identity information for your on-premises users and groups is consistent between on-premises Active Directory and Azure AD. This synchronisation can also include password hashes.
  • Health monitoring - Azure AD Connect Health provides robust monitoring and a central location in the Azure portal to view this activity.

Azure AD Connect

The Azure Active Directory Connect synchronisation services (Azure AD Connect sync) are a main component of Azure AD Connect. It takes care of all the operations that are related to synchronising identity data between your on-premises environment and Azure AD. Azure AD Connect sync is the successor of DirSync, Azure AD Sync and Forefront Identity Manager with the Azure Active Directory Connector configured.

Azure AD Connect cloud provisioning

Azure AD Connect cloud provisioning is a new Microsoft agent designed to meet and accomplish your hybrid identity goals for synchronisation of users, groups and contacts to Azure AD. It can be used alongside Azure AD Connect sync or alone.

How are they different?

With Azure AD Connect cloud provisioning, provisioning from on-premises Active Directory to Azure AD is orchestrated in Microsoft Online Services. An organisation only needs to deploy, in their on-premises and IaaS-hosted environment, a lightweight agent that acts as a bridge between Azure AD and on-premises Active Directory. The provisioning configuration is stored in Azure AD and managed as part of the service.

More information:

Integrate Azure Active Directory automatic provisioning with Workplace

If your organisation does not possess either Azure Active Directory Premium P1 or P2 licensing for all users who will be provisioned, we recommend using attribute-based scoping rather than group-based assignment.

Group-based assignment of users

If you don't already have applicable groups, you can use Azure Active Directory's dynamic groups feature to create a group where only users who meet specified conditions are added as members. Dynamic group membership reduces the administrative overhead of adding and removing users.

More information: Dynamic membership rules for groups in Azure Active Directory

Whether with an existing group or an Azure AD dynamic group, assigning a group of users to the Azure AD enterprise application is as simple as:

  • Go to the Workplace enterprise application in the Azure portal, click "Users and groups" and add the group(s).
  • After adding the Workplace administrator credentials, go to the provisioning blade of the Workplace enterprise application and ensure that the "Sync only assigned users and groups" option is set under Scope.

Attribute-based scoping of users

Instead of group-based assignment of users to the Workplace enterprise application, the other option that does not require Azure AD Premium licensing is to use "Sync all users and groups" in combination with attribute-based scoping filters.

A scoping filter allows the Azure Active Directory provisioning service to include or exclude any users who have attribute values matching one or more specified conditions. For example, when provisioning users from Azure AD to a SaaS application (such as Workplace) used by a sales team, you can specify that only users with a "Department" attribute of "Sales" should be in scope for provisioning.

Scoping filters can be configured in the enterprise application's Provisioning tab in the Mappings section. Scoping filters can be used as your only method of controlling which users are provisioned into Workplace, or in combination with the group-based assignment feature detailed above.

More information: Attribute-based application provisioning with scoping filters
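The following is an added example, not code from the page or from Microsoft: a small evaluator that models how scoping filters select users, using the page's "Department equals Sales" case. The sample users are constructed, the operator names follow the ones shown in the Azure portal, and the matching semantics (a user is in scope when any one scoping filter matches, and a filter matches only when all of its clauses match) are this example's approximation of the documented behaviour.

```python
import re

# Constructed sample directory users (not from the page). "department" is the
# attribute the page's example filters on; "accountEnabled" is assumed to be
# available to the provisioning service as well.
USERS = [
    {"userPrincipalName": "ana@example.com", "department": "Sales", "accountEnabled": True},
    {"userPrincipalName": "ben@example.com", "department": "Engineering", "accountEnabled": True},
    {"userPrincipalName": "cy@example.com", "department": "Sales", "accountEnabled": False},
    {"userPrincipalName": "dee@example.com", "department": None, "accountEnabled": True},
]


def clause_matches(user, attribute, operator, value=None):
    """Evaluate one scoping-filter clause against a user's attribute values.
    Operator names follow the Azure portal; the matching rules here are an
    approximation written for this example, not Microsoft's implementation."""
    actual = user.get(attribute)
    if operator == "EQUALS":
        return actual is not None and str(actual) == str(value)
    if operator == "NOT EQUALS":
        return actual is None or str(actual) != str(value)
    if operator == "IS TRUE":
        return actual is True
    if operator == "IS FALSE":
        return actual is False
    if operator == "IS NULL":
        return actual is None
    if operator == "IS NOT NULL":
        return actual is not None
    if operator == "INCLUDES":
        return actual is not None and str(value) in str(actual)
    if operator == "REGEX MATCH":
        return actual is not None and re.search(str(value), str(actual)) is not None
    if operator == "NOT REGEX MATCH":
        return actual is None or re.search(str(value), str(actual)) is None
    raise ValueError(f"unsupported operator: {operator}")


def in_scope(user, scoping_filters):
    """A user is in scope if ANY scoping filter matches, and a filter matches
    only if ALL of its clauses match. With no filters configured, every user
    the service reads is in scope ("Sync all users and groups")."""
    if not scoping_filters:
        return True
    return any(
        all(clause_matches(user, **clause) for clause in scoping_filter)
        for scoping_filter in scoping_filters
    )


def users_to_provision(users, scoping_filters):
    """Return the UPNs the provisioning service would create or update in Workplace."""
    return [u["userPrincipalName"] for u in users if in_scope(u, scoping_filters)]


# The page's example: only the Sales department is in scope. The second clause
# (this example's addition) keeps disabled accounts out of the provisioning run.
SALES_FILTER = [
    [
        {"attribute": "department", "operator": "EQUALS", "value": "Sales"},
        {"attribute": "accountEnabled", "operator": "IS TRUE"},
    ],
]

# A second scoping filter is OR'd with the first: users matching either are provisioned.
SALES_OR_NAMED_USER = SALES_FILTER + [
    [{"attribute": "userPrincipalName", "operator": "REGEX MATCH", "value": r"^dee@"}],
]

if __name__ == "__main__":
    print("Sales only:  ", users_to_provision(USERS, SALES_FILTER))
    print("Sales or dee:", users_to_provision(USERS, SALES_OR_NAMED_USER))
    print("No filters:  ", users_to_provision(USERS, []))
```

Running the script shows why the OR-across-filters rule matters: adding a second filter widens scope, it never narrows the first one. A clause that should restrict everyone must therefore be repeated inside each filter.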

Sample steps to set up attribute-based application provisioning with scoping filters:

Important: If you're using attribute-based scoping of users for provisioning, make sure that you also go to the Properties panel of the enterprise application (the same application used later for the SSO configuration) and use the toggle to set "User assignment required?" to No.

If this option is set to "No", then any user who navigates to the application deep-link URL or application URL directly will be granted access.

If this option is set to "Yes", then users must first be assigned to this application before access is enabled. This can only be achieved by assigning all users, by using group-based assignment, or by adding the users manually.

Creating and configuring the enterprise application/third-party integration

You will need system administrator credentials from Workplace and either application administrator, cloud application administrator, application owner or global administrator roles in Azure.

More information: Tutorial: Configure Workplace by Facebook for automatic user provisioning

Follow these sample steps to set up user provisioning:

(Steps 1 to 3 are shown as screenshots on the original page and are not reproduced here.)

Note:
After testing and saving your Workplace system administrator credentials in the enterprise app's provisioning configuration, you will need to navigate away from the enterprise application or reload the page in your browser before you try to start the provisioning; otherwise the start of the provisioning process will fail.
After some time, you will see the following screen:

Extra: Configure the SSO using Azure as identity provider

You can also set up SSO using the same enterprise application in Azure.

Step-by-step setup of SSO on both Azure AD and Workplace:

(Steps 1 to 4 are shown as screenshots on the original page and are not reproduced here.)

SSO URLs correspondence:

  Azure                                  | Workplace
  Identifier (entity URL)                | Audience URL
  Reply URL (Assertion Consumer Service) | ACS URL
  Sign-on URL                            | https://{your-subdomain}.workplace.com

Single sign-on (SSO) setup in Workplace

  Workplace                  | Azure
  Name of the SSO provider   | Your custom name for the setup
  SAML URL                   | Login URL
  SAML issuer URL            | Azure AD identifier
  SAML logout URL (optional) | Logout URL
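The field correspondence above is easy to get wrong when copying values by hand, so here is an added example (not code from the page, Workplace or Microsoft) that reads an IdP federation metadata document and maps it onto the Workplace SSO form: SAML URL from the Login URL, SAML issuer URL from the Azure AD identifier (the metadata entityID), and SAML logout URL from the Logout URL. The metadata document is constructed in the shape Azure AD publishes, with a placeholder tenant id and certificate; `workplace_sign_on_url` builds the Azure-side Sign-on URL from the page's pattern and is this example's own helper.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed federation metadata in the shape Azure AD publishes for an
# enterprise application. The tenant id and certificate are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER_BASE64_CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _require_https(url, field):
    """Refuse to hand a cleartext endpoint to the Workplace SSO form."""
    if not url.startswith("https://"):
        raise ValueError(f"{field} must be an https:// URL, got {url!r}")
    return url


def workplace_sso_settings(metadata_xml):
    """Map an IdP metadata document onto the Workplace SSO fields:
    SAML URL <- Login URL, SAML issuer URL <- Azure AD identifier (entityID),
    SAML logout URL <- Logout URL. The signing certificate is returned too."""
    root = ET.fromstring(metadata_xml)
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("metadata has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    sso = idp.find(f"md:SingleSignOnService[@Binding='{HTTP_REDIRECT}']", NS)
    if sso is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    slo = idp.find(f"md:SingleLogoutService[@Binding='{HTTP_REDIRECT}']", NS)
    cert = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
    )
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing certificate in metadata")

    logout = None
    if slo is not None:
        logout = _require_https(slo.get("Location", ""), "SAML logout URL")
    return {
        "SAML URL": _require_https(sso.get("Location", ""), "SAML URL"),
        "SAML issuer URL": issuer,
        "SAML logout URL": logout,
        "Signing certificate": "".join(cert.text.split()),
    }


def workplace_sign_on_url(subdomain):
    """Build the Azure-side Sign-on URL from the page's pattern
    https://{your-subdomain}.workplace.com. Only a plain DNS label is accepted,
    so a pasted value cannot smuggle in a path or a different host."""
    if not re.fullmatch(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", subdomain):
        raise ValueError(f"invalid Workplace subdomain: {subdomain!r}")
    return f"https://{subdomain}.workplace.com"


if __name__ == "__main__":
    for field, value in workplace_sso_settings(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
    print("Sign-on URL:", workplace_sign_on_url("acme"))
```

The script prefers the HTTP-Redirect binding because that is the endpoint a browser is sent to for login, and it rejects any non-https endpoint rather than silently accepting it; the certificate is whitespace-stripped so it can be pasted into the Workplace form as a single line.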

Make sure you add the corresponding domains to the SSO configuration. These domains must be verified in Workplace:

Once the SSO has been configured, you will need to define the authentication method for your users. This can be SSO only, or you can have a mix of authentication methods (some users log in with a password and others with SSO).

More information:

Reference