I created an Application Registration on our Azure AD.
I then use the application registration ID to create an "Enterprise Application" in our customers' ADs. It goes like this:
- Their admin signs into our system and clicks connect AD
- We send a challenge (OpenID Connect) that allows them to sign into their Microsoft account.
- This creates our application under "Enterprise Applications" in their AD and it then works fine with SSO
So far so good. But now we want to add the next logical step, provisioning with SCIM v2. However, if I browse to our app under Enterprise Application on a customer/test AD and then click Provisioning, I see the following
There is no way to hook up provisioning, no matter if I support SCIM2 as required. Why is this? Does our app need to be in the gallery for this to work?
I noticed I can go to Enterprise Applications > New application > Non-gallery application and create a new application. This will then work with provisioning. But then our customers would need two apps, one from our app registration that does SSO and one more for provisioning. I would like one app to do both.
Your app needs to be in the gallery to have provisioning enabled. Barring that, the only other option is what you've already described - a custom non-gallery app.
To get your app in the gallery, see https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-howto-app-gallery-listing