What is user provisioning in salesforce


User provisioning for a connected app simplifies account creation and links your Salesforce users’ accounts to their third-party accounts. After the accounts are linked, you can configure the App Launcher to display the connected app as a tile. With a single click, users get instant access to the third-party app.


Table of Contents

What is Salesforce provisioning and how it works?

Salesforce Provisioning allows to create account in a simplified way and link Salesforce users’ account to their existing or new apps. Salesforce Provisioning automates user provisioning with their identities.

Why can’t I configure Automated User provisioning on my Salesforce trial account?

If you are using a Salesforce.com trial account, then you will be unable to configure automated user provisioning. Trial accounts do not have the necessary API access enabled until they are purchased. You can get around this limitation by using a free developer account to complete this tutorial.

What is user provisioning and how does it work?

User provisioning is the process of creating, maintaining, updating, and deleting a user’s account and access from multiple applications and systems all at once, be it on-premise, cloud-based, or a mix of both.

How to enable Azure AD provisioning service for Salesforce?

To enable the Azure AD provisioning service for Salesforce, change the Provisioning Status to On in the Settings section Click Save. Once the users are provisioned in the Salesforce application, administrator need to configure the language specific settings for them. Please see this article for more details on language configuration.


What is User Provisioning?

User provisioning or account provisioning technology creates, modifies, disables and deletes user accounts and their profiles across IT infrastructure and business applications.

How does user provisioning work?

User provisioning and deprovisioning involves the process of creating, updating and deleting user accounts in multiple applications and systems. This access management practice can sometimes include associated information, such as user entitlements, group memberships and even the groups themselves.

What is user provisioning in SSO?

User provisioning is the process of assigning permissions based on roles and event changes throughout an account’s lifecycle. Provisioning (and deprovisioning) grants, modifies, or revokes access and privileges based on triggers such as: New hire. Role change.

What is user provisioning in Active Directory?

User provisioning involves various processes that span multiple departments and applications. HR, IT, and payroll teams all need to create accounts across multiple systems so that users can access each relevant app. If these systems are AD-integrated, administrators need to provision fewer accounts.

What is provisioning application?

Application provisioning is an infrastructure management solution that helps administrators create customized application configurations called packages. Administrators can use application provisioning to automate the deployment of these packages to heterogeneous platforms in the enterprise.

What are provisioning logs?

A provisioning log has a default list view that shows: The identity. The action. The source system. The target system.

What is provisioning system?

Provisioning is the process of setting up IT infrastructure. It can also refer to the steps required to manage access to data and resources, and make them available to users and systems. Provisioning is not the same thing as configuration, but they are both steps in the deployment process.

What is provisioning in SaaS?

SaaS (software as a service) provisioning refers to the process for on-boarding or establishing service delivery to users of cloud based software applications. SaaS self provisioning refers to the establishment of such services using automated processes, which provides immediate access to software in the cloud.

How does SAML assertion work?

SAML works by exchanging user information, such as logins, authentication state, identifiers, and other relevant attributes between the identity and service provider. As a result, it simplifies and secures the authentication process as the user only needs to log in once with a single set of authentication credentials.

What is cloud provisioning?

Cloud provisioning is the allocation of a cloud provider’s resources and services to a customer. Cloud provisioning is a key feature of the cloud computing model, relating to how a customer procures cloud services and resources from a cloud provider.

What is group provisioning?

Provisioning is the process of granting EPM System roles to users and groups. Provisioning is performed by Provisioning Managers or Functional Administrators by assigning EPM System application roles to a group. See Provisioning (Role-based Authorization).

What is the default attribute mapping for provisioning to Salesforce?

The default attribute mapping for provisioning to Salesforce includes the SingleAppRoleAssignments expression to map appRoleAssignments in Azure AD to ProfileName in Salesforce. Ensure that the users do not have multiple app role assignments in Azure AD as the attribute mapping only supports provisioning one role.

When assigning a user to Salesforce, must you select a valid user role?

When assigning a user to Salesforce, you must select a valid user role. The “Default Access” role does not work for provisioning

How to get a security token for Salesforce?

To get your Salesforce security token, open a new tab and sign into the same Salesforce admin account. On the top right corner of the page, click your name, and then click Settings.

What is Azure AD provisioning?

The Azure AD provisioning service supports provisioning language, locale, and timeZone for a user. These attributes are in the default attribute mappings but do not have a default source attribute. Ensure that you select the default source attribute and that the source attribute is in the format expected by SalesForce. For example, localeSidKey for english (UnitedStates) is en_US. Review the guidance provided here to determine the proper localeSidKey format. The languageLocaleKey formats can be found here. In addition to ensuring that the format is correct, you may need to ensure that the language is enabled for your users as described here.

How often does Salesforce sync?

Note that the initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the service is running. You can use the Synchronization Details section to monitor progress and follow links to provisioning activity logs, which describe all actions performed by the provisioning service on your Salesforce app.

How to add Salesforce to your list of applications?

If you have already configured Salesforce for single sign-on, search for your instance of Salesforce using the search field. Otherwise, select Add and search for Salesforce in the application gallery. Select Salesforce from the search results , and add it to your list of applications.

Where to enter tenant URL in Salesforce?

The Tenant URL should be entered if the instance of Salesforce is on the Salesforce Government Cloud. Otherwise, it is optional. Enter the tenant URL using the format of “https://<your-instance>.my.salesforce.com,” replacing <your-instance> with the name of your Salesforce instance.

User Provisioning Requests

After you configure user provisioning, Salesforce manages requests for updates on the third-party system. Salesforce sends user provisioning requests to the third-party system based on specific events in your org, either through the UI or API calls.


Roles and permissions for the service provider can’t be managed or stored in the Salesforce org. So specific entitlements to resources at the service provider aren’t included when a user requests access to a third-party app that has user provisioning enabled. With user provisioning, you can create a user account for a service provider.

Run the User Provisioning Wizard

From Setup, enter Connected Apps in the Quick Find box, then select Manage Connected Apps.

Create Your Own User Provisioning Flow

If the packaged flows don’t support the third-party system that you want to provision, or if you want to customize the user provisioning process, you can create your own flow. Creating a flow requires you to be familiar with Flow Builder and Apex triggers.

What is Salesforce 360?

Welcome to Salesforce Customer 360, One Integrated CRM Platform for uniting Marketing, Sales, Commerce, Service, and I.T. Departments.

When an employee or contractor is hired in an organization, do admins need to grant them access to Salesforce and other applications?

When an employee or contractor is hired in an organization, admins need to grant them access to Salesforce and other applications. Employees need an easy way to launch these applications without having to remember their URLs or passwords. And, when the employee leaves the organization, their accounts need to be disabled across all the applications. Join us to learn how to implement Salesforce Identity features to simplify user lifecycle management, single sign-on (SSO) for your applications, and how customers are using it to solve their business problems.

What is a user permission?

User permissions specify what tasks users can perform and what features users can access. For example, users with the “View Setup and Configuration” permission can view Setup pages, and users with the “API Enabled” permission can access any Salesforce API.

Where are user permissions listed?

In the original profile user interface , user permissions are listed under Administrative Permissions and General User Permissions.

What is user management?

The most basic aspect of user management is creating the usernames and login accounts for your users. In just a few clicks, you can send a team member their login and get them into the platform.

What is permission set?

Permission sets grant access to objects outside of profiles. They are helpful when specific users need access to objects outside of their profiles. They help grant access to objects on an as-needed basis.

What is a sysadmin profile?

Standard User. The SysAdmin has access to setup and all objects, as they are the ones maintaining the platform. You can create custom profiles with fine-tuned access for different teams.

What does it mean to assign the right profiles, roles, and data access?

Assigning the right profiles, roles, and data access means you will have more flexibility in the future. Consider a comprehensive user management strategy that incorporates these best practices.

What are Organization-wide defaults and sharing rules?

Organization-wide defaults and sharing rules determine what data is private and what data is shared with other users. These settings come in handy when working across a large team with varying data security needs



Assigning Users to Salesforce

  • Azure Active Directory uses a concept called “assignments” to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been “assigned” to an application in Azure AD is synchronized. Before configuring and enabling the provisioning service, you need to de…

See more on docs.microsoft.com

Enable Automated User Provisioning

  • This section guides you through connecting your Azure AD to Salesforce’s user account provisioning API – v40, and configuring the provisioning service to create, update, and disable assigned user accounts in Salesforce based on user and group assignment in Azure AD.

See more on docs.microsoft.com

Common Issues

  1. If you are having issues authorizing access to Salesforce ensure the following:
  2. The Azure AD provisioning service supports provisioning language, locale, and timeZone for a user. These attributes are in the default attribute mappings but do not have a default source attribute….
  3. SalesforceLicenseLimitExceeded:The user could not be created in the target application bec…
  1. If you are having issues authorizing access to Salesforce ensure the following:
  2. The Azure AD provisioning service supports provisioning language, locale, and timeZone for a user. These attributes are in the default attribute mappings but do not have a default source attribute….
  3. SalesforceLicenseLimitExceeded:The user could not be created in the target application because there are no available licenses for this user. Either procure additional licenses for the target appli…
  4. SalesforceDuplicateUserName:The user cannot be provisioned because it has a Salesforce.com ‘Username’ that is duplicated in another Salesforce.com tenant. In Salesforce.com, values for the ‘Usernam…

Additional Resources

Leave a Comment