Active Directory Provisioning


Active Directory Provisioning automates the process of creating, updating, and removing user accounts in third-party applications using API endpoints. miniOrange's automated User Provisioning feature seamlessly integrates with Active Directory to provision all user identities automatically, saving time and managing access privileges throughout the user lifecycle.

Bi-directional and automatic user provisioning and de-provisioning actions enhance security by removing access to sensitive applications and content when an employee leaves or changes roles. This improves your organization's security profile.

Automatic Provisioning saves time when setting up new users and teams, and also manages access privileges through the user lifecycle. It is considered part of user lifecycle management. miniOrange can create, read, and update user accounts for new or existing users, remove accounts for deactivated users, and synchronize attributes across multiple directories and the applications that the user needs access to.

Active Directory Deprovisioning means deleting a user and removing their access from multiple applications and network systems at once. Automatic Deprovisioning action is triggered when an employee leaves a company or changes roles within the organization. The deprovisioning features increase your organization's security profile by removing access to sensitive applications and content from people who leave your organization.



Automate Provisioning & Automatic Deprovisioning Scenarios


miniOrange provides solutions for all provisioning scenarios, including AD Integration, LDAP Integration, and automated provisioning for external applications such as Office 365, Google Workspace, Workday, etc.



The following step-by-step guide shows how to set up provisioning in Microsoft Active Directory.

1. Setup Automatic Provisioning in Microsoft Active Directory (Active Directory)

  • Log in to the miniOrange Admin Console.
  • Go to External Directories and click Add Directory.
  • Select Directory type as AD/LDAP.

  • STORE LDAP CONFIGURATION IN MINIORANGE: Choose this option if you want to keep your configuration in miniOrange. If your Active Directory is behind a firewall, you will need to open the firewall to allow incoming requests to your AD.
  • STORE LDAP CONFIGURATION ON PREMISE: Choose this option if you want to keep your configuration on your premises and only allow access to AD from inside the premises. You will have to download and install the miniOrange gateway on your premises.

  • Enter LDAP Display Name and LDAP Identifier name.
  • Select Directory Type as Active Directory.
  • Enter the LDAP Server URL or IP Address against the LDAP Server URL field.
  • Click on the Test Connection button to verify if you have made a successful connection with your LDAP server.
  • In Active Directory, go to the properties of the user containers/OUs and search for the Distinguished Name attribute.
  • Enter the valid Bind account Password.
  • Click on the Test Bind Account Credentials button to verify your LDAP Bind credentials for LDAP connection.
  • Search Base is the location in the directory where the search for a user begins. You will get this from the same place you got your Distinguished name.
  • Select a suitable Search filter from the drop-down menu. Use Users and Group Authentication and Provisioning Filter if you are not sure. If you use User in Single Group Filter or User in Multiple Group Filter, replace the group-dn in the search filter with the distinguished name of the group in which your users are present. To use a custom search filter, select the Write your Custom Filter option and customize it accordingly. Note that you must include (objectGUID=?) when writing a custom filter; otherwise provisioning will not work.
  • Click on the Next button, or go to the Authentication tab.
  • If you want to set up AD as an External Directory, refer to the detailed guide for that setup. For now, we are skipping this step by clicking Skip on Authentication.
  • In the Provisioning tab, there are two sections: Users and Groups. Each section contains a list of attributes and their functions when enabled. You can enable or disable them as needed.
    Users
    Attribute | Description
    Create Users | Enabling this option will create the user in the selected application upon user creation in miniOrange.
    Edit Users | Enabling this option will update the user profile in the selected application if updated in miniOrange.
    Delete Users | Enabling this option will delete the user from the selected application if the user is deleted from miniOrange.
    Password Sync | Enabling this option will sync the user password from the miniOrange database to the selected application.
    Account Enable/Disable Sync | Enabling this option will sync the user account enabled/disabled state from the miniOrange database to the selected application.

    Groups
    Attribute | Description
    Create Group | Enabling this option will create the group in the selected application upon group creation in miniOrange.
    Delete Group | Enabling this option will delete the group from the selected application if the group is deleted from miniOrange.
    Add/Remove Group membership of User | Enabling this option will add/remove the group membership of a user in the selected application if the user's group membership is updated in miniOrange.

  • Click on the Next button, or go to the Attributes tab.
  • By default userName, firstName, lastName, email are configured. Scroll down and click on Save Configurations.
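
A pre-save check for the custom search filter step above, added here as an example and not miniOrange code: it verifies balanced parentheses, the required (objectGUID=?) clause, and that group-dn was replaced by a real distinguished name. The function names and the sample filters are constructed for illustration and are not miniOrange's built-in templates.

```python
import re

PLACEHOLDER = "group-dn"        # template text the page says to replace with the group's DN
REQUIRED = "(objectguid=?)"     # clause the page says every custom filter must include
MEMBER_OF = re.compile(r"^\(memberOf(?::[\d.]+:)?=(.*)\)$", re.IGNORECASE)
LOOKS_LIKE_DN = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)+$")

def clauses(flt):
    """Return every parenthesised clause, innermost first; ValueError if unbalanced."""
    stack, found, i = [], [], 0
    while i < len(flt):
        if flt[i] == "\\":          # RFC 4515 escape such as \28 or \29: skip it whole
            i += 3
            continue
        if flt[i] == "(":
            stack.append(i)
        elif flt[i] == ")":
            if not stack:
                raise ValueError("unmatched ')' at offset %d" % i)
            found.append(flt[stack.pop():i + 1])
        i += 1
    if stack:
        raise ValueError("unmatched '(' at offset %d" % stack[-1])
    return found

def lint_filter(flt):
    """Return a list of problems; an empty list means the filter passed every check."""
    flt = flt.strip()
    try:
        parts = clauses(flt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not parts or parts[-1] != flt:
        problems.append("filter must be a single parenthesised expression")
    if not any(p.replace(" ", "").lower() == REQUIRED for p in parts):
        problems.append("missing (objectGUID=?) clause")
    if PLACEHOLDER in flt.lower():
        problems.append("group-dn placeholder not replaced")
    for p in parts:
        m = MEMBER_OF.match(p)
        if m and m.group(1).lower() != PLACEHOLDER and not LOOKS_LIKE_DN.match(m.group(1)):
            problems.append("memberOf value is not a distinguished name: " + m.group(1))
    return problems

# Constructed sample filters for illustration, not miniOrange's built-in templates.
GOOD = "(&(objectClass=user)(memberOf=CN=Provisioned,OU=Groups,DC=example,DC=com)(|(sAMAccountName=?)(objectGUID=?)))"
TEMPLATE = "(&(objectClass=user)(memberOf=group-dn)(|(sAMAccountName=?)(objectGUID=?)))"
NO_GUID = "(&(objectClass=user)(sAMAccountName=?))"
```

Run `lint_filter` on the filter text before pasting it into the Write your Custom Filter field; a group name in place of a full DN is reported separately from a leftover placeholder.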

2. Create Group

  • To create a group, follow these steps:
  • Go to the Manage Groups section in the Groups tab, located on the left side, and click the Create Group button.
  • Enter the group name and click the Create Group button.
  • You will receive a success notification upon group creation, and the group will be displayed in the Manage Groups section of the Groups tab.

3. App Policy (Connects Group to Active Directory App)

  • Go to the App Login Policy section under Policies, and click Add Policy.
  • Select the application you have configured in the External Directories tab.
  • Enter the group name you created.
  • Enter a policy name of your choice.
  • In First Factor there are two options:
    • Password
    • OTP/PUSH/Mobile Token (Password-Less Login)
  • Click the Submit button to create the policy.
  • You will receive a success notification upon policy creation, and the policy will be displayed in the App Login Policy section of the Policies tab.
  • Provisioning configuration is complete now.
  • Now, we can verify whether provisioning is working as expected.
  • Go to the Manage Groups section in the Groups tab, click Select, and then choose Assign Users.
  • Ensure that users are already present in miniOrange or import them into the user list. This allows you to assign the user you want to provision in Active Directory.
  • From the list below, select the user you want to provision, choose the Assign to Group option, and click Apply. This will automatically create the user in Active Directory.
  • To update a user, go to the User List, select the user you want to update, click Select, and then choose Edit.
  • After updating the user, click the Save button. This will automatically update the user in Active Directory.
  • To delete a user, go to the Manage Groups section of the Groups tab. Then, navigate to the group from which the user needs to be deleted. In the Users column, click on the displayed number of users.
  • Select the user you want to delete, choose Remove from Group as the action, and click the Apply button. This will automatically remove the user from Active Directory as well.



View Provisioning Reports

How to access Provisioning Reports?

  • Navigate to Reports in the left-hand navigation pane and select Provisioning Report.
  • Filter the reports by specifying the Enduser Identifier and Application Name criteria. Additionally, choose the desired timespan for the reports. Once done, click Search.
  • Alternatively, you can directly click on Search to retrieve all provisioning reports based on time without applying any specific filters.

