If a Company Manager changes the IDP, then they will lock themselves out.
Currently, Venn supports only uni-directional syncing (Azure -> Venn), which means that users and groups must be created, modified, and deleted in Azure for the changes to appear in Venn.
Bi-directional syncing (creating, modifying, or deleting users in Venn to trigger changes in Azure) is NOT currently supported.
Set up Azure AD as Your IDP
To set up Azure AD as your IDP:
- Venn or Partner proxies in to the company as a Company Manager.
- Click Company admin or Manage > Company admin.
- Click Identity Management in the left sidebar.
- Click Change identity provider.
- Before you choose a new identity provider from the pulldown menu, understand that:
  - If a Workplace enterprise app in Azure AD was created before, it will be deleted.
- Before you click Continue, please review the instructions:
  - Log in to Azure as a company manager.
  - Accept the permissions requested for your organization.
  - The Workplace enterprise app is added in Azure AD for your organization.
  - Log in to Azure AD and assign users to the Workplace enterprise app.
  - Users will be provisioned into Venn by the Azure sync job during the next sync.
- Click Continue on the popup screen.
- Sign in to Azure with the username and password you created.
- Grant permissions for Workplace to be added as an Enterprise application and other settings, such as provisioning and SSO.
Provision users into Venn from Azure
To provision users into Venn, an admin will need to add a specific user or a group of users to the Workplace Enterprise application. This will create the user in Venn along with any backend resources they require.
- Log in to the Azure portal.
- Navigate to Azure > Enterprise applications and find Workplace in the list.
- Assign users to the Workplace enterprise application. You can follow this article to learn how to assign users and groups to an application.
- Navigate to Azure > Provisioning page and select Provision on demand.
- Users will now be provisioned in Venn and can begin onboarding. You can confirm that the users were created in Venn by using the Venn Admin portal. From the admin portal, locate and click on Directory from the left navigation. When the menu expands, select Users.
Provision on Demand
After users are assigned to the Workplace enterprise application, they will start getting provisioned in Venn anywhere from 0-40 minutes afterward (the protocol pushes user info to Venn every 40 minutes). An admin can force this to happen at will by choosing ‘Provision on demand’ in Azure.
Users are then provisioned and can start signing in to Venn with their Azure credentials.
Delete Users in Azure and Workplace
- To delete a user in both Azure and Venn:
  - Delete the user in Azure. The user will be moved to the Azure > Deleted users list.
  - After 30 days, this user will be automatically deleted in Azure and Venn.
  - If an admin wants to finalize the deletion before the 30-day period ends, the user has to be deleted again from the Azure Deleted users list.
- If an admin wants to delete a user in Venn but keep their Azure account:
  - Unassign the user from the Workplace Enterprise app in Azure and then delete the user from Venn manually.
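A reconciliation check for the provisioning and deletion rules above, as an added example (not Venn's or Microsoft's code). It assumes you have exported three username lists yourself; the function name, input shapes, and case-insensitive matching are assumptions, and the sample accounts are constructed.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # soft-delete window stated on this page

def normalize(names):
    """Usernames are compared case-insensitively (assumption)."""
    return {n.strip().lower() for n in names}

def reconcile(assigned, soft_deleted, venn_users, now):
    """Compare Azure state with the Venn directory.

    assigned     -- usernames assigned to the Workplace enterprise app
    soft_deleted -- {username: datetime deleted in Azure} (Deleted users list)
    venn_users   -- usernames shown under Directory > Users in Venn
    """
    assigned, venn_users = normalize(assigned), normalize(venn_users)
    deleted = {u.strip().lower(): t for u, t in soft_deleted.items()}
    report = {"in_sync": [], "awaiting_sync": [],
              "pending_purge": [], "orphan_in_venn": []}
    for user in sorted(assigned | venn_users):
        if user in venn_users and user in deleted:
            # Removed from Venn only after the 30-day window or a second delete.
            purge_on = deleted[user] + RETENTION
            days_left = max((purge_on - now).days, 0)
            report["pending_purge"].append(
                (user, purge_on.date().isoformat(), days_left))
        elif user in venn_users and user in assigned:
            report["in_sync"].append(user)
        elif user in assigned:
            # Assigned but not yet pushed; expected within one 40-minute cycle.
            report["awaiting_sync"].append(user)
        else:
            # Unassigned in Azure but never deleted manually in Venn.
            report["orphan_in_venn"].append(user)
    return report

# Constructed sample data (not real accounts).
NOW = datetime(2024, 3, 20, tzinfo=timezone.utc)
ASSIGNED = ["alice@example.com", "bob@example.com", "Dana@Example.com"]
SOFT_DELETED = {"carol@example.com": datetime(2024, 3, 1, tzinfo=timezone.utc)}
VENN_USERS = ["alice@example.com", "bob@example.com",
              "carol@example.com", "erin@example.com"]

if __name__ == "__main__":
    for bucket, users in reconcile(ASSIGNED, SOFT_DELETED, VENN_USERS, NOW).items():
        print(f"{bucket}: {users}")
```

Accounts reported under `orphan_in_venn` or `pending_purge` still exist in Venn and are the ones to review after offboarding.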
Switching IDP from Azure to Workplace
Switching the IDP requires a special user role and will require assistance from Venn engineers:
- Venn or Partner proxies in to the company as a Company Manager.
- Click Company admin or Manage > Company admin.
- Click Identity Management in the left sidebar.
- Click Change identity provider.
- Select Workplace from dropdown and click Confirm.
How does this affect the User workflow?
Because the users now in Venn were previously managed by Azure, Venn passwords do not exist for them. After the IDP is switched to Workplace, an admin should share each user's activation code with them.
Users can log in to Venn with their username (the same username they were using before the switch) and their Venn activation code. Once they are authenticated, they will be prompted to change their password from the temporary activation code.