          Set Up Microsoft Entra ID User Sync with Salesforce

Synchronize employee information from directory providers, such as Microsoft Entra ID (formerly Azure AD), with Salesforce to keep employee records up to date. Automatically create, update, or deactivate Salesforce users when employees join, change roles, or leave.

          Required Editions

          Available in: Lightning Experience
          Available in: Unlimited and Enterprise editions with Agentforce IT Service.
          User Permissions Needed
          To enable Employee Provisioning from Azure AD and configure named credentials: Salesforce Admin Profile
          To schedule Apex jobs: Salesforce Admin Profile
          To sync employee data from Microsoft Entra ID: Azure AD Employee Sync Graph Access permission set

          Register an Application in Microsoft Entra ID

          Create an app registration in the Microsoft Azure portal to allow Salesforce to authenticate with Microsoft Graph and read your organization's user directory data.

          1. Sign in to the Microsoft Azure portal.
          2. On the Azure home page, under Azure services, select App registrations.
3. Select New registration.
          4. In the Name field, enter a name for the application.
          5. Under Supported account types, select Accounts in this organizational directory only (Single tenant).
          6. Select Register.
          7. On the app Overview page, copy and securely save Application (client) ID and Directory (tenant) ID values. You need them in later steps.

          Configure API Permissions

          Add the required Microsoft Graph application permissions to your app registration so Salesforce can read user profile data from Microsoft Entra ID.

          1. In the left navigation of your app registration, under Manage, select API permissions.
          2. Select Add a permission.
          3. In the Request API permissions panel, select Microsoft Graph.
          4. Select Application permissions.
5. In the permissions list, expand the User section and select the User.Read.All (Read all users' full profiles) and User.ReadBasic.All (Read all users' basic profiles) permissions.
          6. Select Add permissions.
          7. Select Grant admin consent for (your organization) and confirm when prompted.
            Granting admin consent is required for application-level permissions. After consent is granted, the Status column shows Granted for (organization) for each permission.

          Create a Client Secret

          Create a client secret for the app registration. Salesforce uses this secret to authenticate with Microsoft Entra ID when performing user sync operations.

          1. In the left navigation of your app registration, under Manage, select Certificates & secrets.
          2. Select the Client secrets tab, then select + New client secret.
          3. In the Description field, enter a label for the secret, such as Data Sync.
          4. In the Expires dropdown, select an expiry period for the secret.
          5. Select Add.
          6. In the Value column, copy the client secret value and store it securely.
            The client secret value is only visible immediately after creation. You can't retrieve it after you navigate away from this page. Store the value in a secure location before proceeding.
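Before entering these values into Salesforce, you can confirm that the registration, the admin consent, and the secret work end to end by requesting a token yourself and inspecting it. This is an added example, not Salesforce or Microsoft code; it assumes the tenant ID, client ID, and client secret are supplied in the environment variables TENANT_ID, CLIENT_ID, and CLIENT_SECRET (names chosen here), and it uses only the Python standard library.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

USERS_URL = "https://graph.microsoft.com/v1.0/users?$select=userPrincipalName,accountEnabled&$top=5"

def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request that the Salesforce external
    credential performs on your behalf. Returns (url, form-encoded body)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # every consented app permission
    }).encode()
    return url, body

def granted_roles(access_token):
    """Application permissions in the token's 'roles' claim. Decoded without
    signature verification: only for inspecting a token we just received."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def missing_roles(access_token, required=("User.Read.All", "User.ReadBasic.All")):
    """Required permissions admin consent has not granted (empty list = OK).
    Without consent a token is still issued, but it carries no 'roles' claim."""
    return sorted(set(required) - granted_roles(access_token))

def summarize_users(page):
    """Reduce one Graph /users page to (userPrincipalName, accountEnabled) pairs."""
    return [(u["userPrincipalName"], bool(u.get("accountEnabled", False)))
            for u in page.get("value", [])]

def call_json(url, body=None, headers=None):
    req = urllib.request.Request(url, data=body, headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

if __name__ == "__main__":
    env = [os.environ[k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")]  # never hard-code
    token = call_json(*token_request(*env))["access_token"]
    if missing := missing_roles(token):
        raise SystemExit(f"admin consent not granted for: {missing}")
    page = call_json(USERS_URL, headers={"Authorization": f"Bearer {token}"})
    for upn, enabled in summarize_users(page):
        print(upn, "enabled" if enabled else "disabled")
```

If the script reports missing roles, the permissions were added but admin consent was not granted; if the token is fine but the Graph call fails, check the secret's expiry date, since the Salesforce sync stops working the moment it expires.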

          Enable Employee Provisioning from Azure AD

          Turn on Employee Provisioning from Azure AD in Salesforce Go and assign the required permission set to your admin user.

          1. From the Setup menu, select Salesforce Go.
          2. In the Search features box, enter azure and then select Employee Provisioning from Azure AD.
          3. Turn on Employee Provisioning from Azure AD.
            When you enable the feature, the external credentials and named credentials for Azure AD sync are installed automatically in your org.
          4. Select Manage next to Assign Azure Data Sync Graph Access.
          5. In the Manage Employee Provisioning from Azure AD User Access window, select the users to assign the Azure AD Employee Sync Graph Access permission set, then select Assign.
          6. Select Done.

          Configure Named Credentials in Salesforce

          Update the external credential that was automatically installed when you enabled Employee Provisioning, replacing the placeholder values with the Client ID and Client Secret from your Microsoft Entra ID app registration.

          1. From Setup, in the Quick Find box, enter Named Credentials, then select Named Credentials.
          2. Select the Azure AD Employee Sync NC external credential.
3. Select Edit.
4. In Identity Provider URL, replace the placeholder tenant ID with the Directory (tenant) ID you copied from the Azure portal.
          5. In the Principals section, select the edit action for the principal entry.
          6. In the Client ID field, enter the Application (client) ID from your Microsoft Entra ID app registration.
          7. In the Client Secret field, enter the client secret value you copied from Microsoft Entra ID.
          8. Save your changes.

          The named credential is updated with your Microsoft Entra ID app credentials and is ready to authenticate sync requests.

          Schedule the Azure AD Employee Sync Job

          Schedule the AzureADEmployeeSyncScheduler Apex class to run automatically at a specified interval to sync user data from Microsoft Entra ID to Salesforce.

          1. From Setup, in the Quick Find box, enter Apex Classes, then select Apex Classes.
          2. Select Schedule Apex.
          3. In the Job Name field, enter a descriptive name for the scheduled job, such as User Sync Job Trigger.
          4. In the Apex Class field, select the lookup icon and choose AzureADEmployeeSyncScheduler.
          5. Under Schedule Using, select Cron Expression.
          6. In the Cron Expression field, enter a valid cron expression for your desired sync frequency.
            For example, to run the sync daily at 6:13 PM UTC, enter 0 13 18 * * ?. See Salesforce Help for cron expression syntax.
          7. Save your changes.
          Salesforce Help | Article