Azure-to-EasyVista-User-Sync

Azure (Entra ID) → EasyVista User Sync

Created: 2026-02-26
Author: Clawddy 🌀
Tags: #EasyVista #Azure #EntraID #ActiveDirectory #UserSync #Integration

Overview

This document covers all known options and best practices for syncing Azure AD (Microsoft Entra ID) users into EasyVista Service Manager's Employee Directory. The goal is to keep EasyVista employee records automatically populated and up-to-date from your authoritative source in Azure.

Option 1 — LDAP Pre-Import (Native EasyVista Integration)

What It Is

EasyVista's built-in integration path for importing Active Directory users into the Employee Directory. Works with on-premises AD or Azure AD via LDAP. This is the most native and fully supported option.

How It Works

smoBackOfficeClient tool queries AD/LDAP on a schedule
Data extracted into staging tables (E_LDAP_TEMP) in EVO_BACKOFFICE SQL database
Normalization SQL scripts clean and filter the data
Data moved to final E_LDAP_OK table
Integration Models run to upsert into EasyVista Employee Directory

Key Requirements

Read-only AD service account (bind rights to LDAP)
LDAP IP/hostname, port (389/636 for SSL), Base DN
EasyVista FTP access to Pre-Import directory (from Management Console)
If >1000 users: raise AD MaxPageSize — default limit is 1000 records per LDAP query. Azure AD Connect or on-prem AD can be configured; pure Azure AD LDAP access is via Azure AD Domain Services (AADDS) or Azure AD LDAP connector

Required Fields for Employee Import

An employee is only imported if ALL of these are present:

AD Attribute	EasyVista Field	Notes
`Company`	Entity	Required
`sn`	Last Name	Required
`givenName`	First Name	Required
`sAMAccountName`	Login	Required — unique ID

Full Attribute Mapping

AD Attribute	EasyVista Field
`sAMAccountName`	Login (unique key)
`displayName`	Full Name
`mail`	Email
`telephoneNumber`	Phone
`mobile`	Mobile
`department`	Department
`title`	Job
`manager`	Manager Login
`company`	Entity / Tenant
`canonicalName`	Location Code
`whenCreated`	Arrival Date
`description`	Note
`userPrincipalName`	UPN / Available Field

⚠️ Timestamps (lastLogon, accountExpires, etc.) are stored as Windows timestamp format. Use AD_DATE_CONVERT() SQL function to convert to standard date format.

Integration Models Needed

Model	Option	Connector
LDAP employees	Insertion & Update	Employee connector
LDAP employees - Managers	Update only	Employee connector

Scheduling

Can be fully automated via EasyVista's built-in integration scheduler. See: How to automate a Service Manager integration in EV docs.

✅ Best For

On-prem AD environments synced to Azure via Entra Connect
Environments already using EasyVista's pre-import framework
Maximum fidelity / native attribute mapping

⚠️ Caveats

SaaS customers: Cannot configure LDAP authentication directly via EV Service Manager — must contact EasyVista Support to configure via SMOAuthService
Pure cloud-only Azure AD (no AADDS) requires an LDAP proxy or alternative method
LDAP is authentication-focused by default; user provisioning (record creation) is done separately via Pre-Import

Option 2 — SAML 2.0 / SSO (Authentication Only)

What It Is

Azure AD configured as an Identity Provider (IdP) with EasyVista as the Service Provider. Enables login via Azure credentials — not a full user sync.

Supported Protocols

SAML v2
CAS 2.0
ADFS (Active Directory Federation Services)

How It Works

User logs into EasyVista → EV redirects to Azure AD login page
Azure AD authenticates, returns SAML assertion
EasyVista validates assertion and logs user in
EasyVista uses the login field (UPN, email, or sAMAccountName) as the link to the internal directory

Key Notes

Does NOT automatically create or sync user records — employees must already exist in EasyVista's directory (via LDAP pre-import or manual creation)
When SSO is enabled, it becomes the default auth method
Password management delegated to Azure AD (Azure passwords override EV passwords)
Profile and domain authorization still managed inside EasyVista

✅ Best For

Federated login / zero-password environments
Compliance-driven SSO (MFA enforcement via Conditional Access)
Often deployed alongside Option 1 (LDAP pre-import for records + SSO for auth)

Option 3 — Power Automate / Logic Apps (Microsoft Graph API + EV REST API)

What It Is

An Azure-native automated workflow that:

Queries Microsoft Graph API for all users in Entra ID
Calls EasyVista REST API to create or update Employee records

Architecture

Entra ID / Graph API
    ↓ (scheduled trigger or event-based)
Power Automate / Logic Apps
    ↓ HTTP Action
EasyVista REST API (/api/v1/{account}/employees)

EasyVista REST API — Employee Endpoints

Method	Endpoint	Purpose
`POST`	`/api/v1/{account}/employees`	Create new employee
`PUT`	`/api/v1/{account}/employees/{id}`	Update existing employee
`GET`	`/api/v1/{account}/employees`	List employees

Auth: Basic auth (login:password) or Bearer token
Content-Type: application/json

Create/Update Payload Example:

{
  "last_name": "Smith",
  "first_name": "John",
  "login": "jsmith",
  "email": "jsmith@company.com",
  "phone": "555-1234",
  "department": "IT",
  "begin_of_contract": "01/01/2024"
}

Microsoft Graph API — Users Endpoint

GET https://graph.microsoft.com/v1.0/users
    ?$select=displayName,givenName,surname,mail,userPrincipalName,
             department,jobTitle,mobilePhone,businessPhones,
             accountEnabled,manager,companyName
    &$filter=accountEnabled eq true

Power Automate Flow Pattern

Trigger: Recurrence (daily) or "When a user is added/modified" (event-driven)
Action: HTTP — call Graph API /users with App Registration bearer token
Loop: For each user:
- Check if employee exists in EV (GET by login/UPN)
- If exists: PUT to update
- If not: POST to create
Error handling: Log failures to a SharePoint list or email

App Registration Required

Register app in Azure AD
Grant User.Read.All (or Directory.Read.All) application permission
Grant admin consent
Create client secret (rotate on schedule)

✅ Best For

Cloud-only Azure AD (no on-prem AADDS)
Organizations already using Power Platform
Event-driven sync (react to new hire / termination immediately)
Full control over field mapping logic

⚠️ Caveats

Power Automate Premium connector for EasyVista — may require licensing
EasyVista API rate limit: 100 calls/60 seconds (via Microsoft connector)
For large user bases (1000+), batch with pagination ($top, $skiptoken)
Requires App Registration with appropriate Graph API permissions (admin consent)

Option 4 — Custom Script / PowerShell (Graph API + EV REST API)

What It Is

A scheduled PowerShell script (or Python, etc.) that replicates the Power Automate logic without the Microsoft licensing dependency.

Pattern

# 1. Get Azure AD token
$token = Get-MSGraphToken -TenantId $tenantId -ClientId $appId -ClientSecret $secret

# 2. Get all enabled users from Graph API
$users = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users?`$filter=accountEnabled eq true&`$select=displayName,givenName,surname,mail,userPrincipalName,department,jobTitle" -Headers @{Authorization = "Bearer $token"}

# 3. For each user, upsert to EasyVista
foreach ($user in $users.value) {
    $body = @{
        last_name  = $user.surname
        first_name = $user.givenName
        login      = $user.userPrincipalName
        email      = $user.mail
        department = $user.department
    } | ConvertTo-Json

    Invoke-RestMethod -Method POST -Uri "https://{ev_host}/api/v1/{account}/employees" `
        -Headers @{Authorization = "Basic {base64creds}"} `
        -Body $body -ContentType "application/json"
}

Scheduling Options

Windows Task Scheduler (on-prem)
Azure Automation (cloud-native, no server required)
GitHub Actions (workflow-based)
Linux cron (e.g., on srv1196042 — already have infrastructure)

✅ Best For

Environments without Power Platform licensing
Maximum customization of sync logic (deprovisioning, group-based filtering, etc.)
Already have scripting infrastructure (Azure Automation, etc.)

Option 5 — Third-Party iPaaS (MuleSoft, Workato, etc.)

What It Is

Use an integration platform as a service to create a pre-built or custom connector between Azure AD and EasyVista.

Platforms with EasyVista Connectors

OneLogin — SAML SSO + AD/LDAP directory sync
AuthDigital — AD/LDAP + Google Apps SSO for EasyVista
Workato / MuleSoft — Custom recipe/flow with REST connectors

✅ Best For

Organizations with existing iPaaS investment
Multi-system sync (Azure → EasyVista AND other ITSM tools)

⚠️ Caveats

Additional licensing cost
EasyVista does not have native SCIM endpoint (unlike ServiceNow/Jira) — full SCIM provisioning from Entra ID gallery is NOT currently available

Comparison Matrix

Option	Complexity	Cloud-Only Azure	Real-Time	Native EV	Cost
LDAP Pre-Import	Medium	⚠️ Needs AADDS	No (scheduled)	✅ Yes	Included
SAML SSO	Low	✅ Yes	N/A (auth only)	✅ Yes	Included
Power Automate	Low-Medium	✅ Yes	✅ Optional	Via connector	Premium license
PowerShell/Script	Medium	✅ Yes	Scheduled	REST API	Free
iPaaS	Low	✅ Yes	✅ Optional	Via connector	$$

Recommended Approach (for Cody's Environment)

Recommended: Option 3 or 4 (Power Automate OR PowerShell via Azure Automation)

Given:

Cloud-first Azure / Entra ID environment
No indication of on-prem AADDS
Existing infrastructure on srv1196042

Best combo:

SAML SSO — For authentication (users log into EV with Azure credentials, MFA enforced)
PowerShell via Azure Automation OR Power Automate — For user record provisioning (daily sync, filter enabled accounts only)
LDAP Pre-Import — If an on-prem AD or AADDS is available, this is the most native path

Sync Cadence: Daily full sync + event-driven delta (new hire / termination triggers)

Best Practices

Data Quality

Filter on accountEnabled eq true — never import disabled/terminated accounts
Require Company + sn + givenName + sAMAccountName/UPN — don't import incomplete records
Map userPrincipalName as the unique login key (more stable than sAMAccountName in cloud environments)
Include manager mapping — EasyVista uses this for escalation chains

Security

Use a dedicated read-only service account or App Registration with minimal permissions (User.Read.All only)
Rotate client secrets on schedule (90-day minimum)
Store credentials in Azure Key Vault or server secrets file — never hardcode
Log all sync operations with timestamps + outcome

Conflict Handling

Define a unique key (UPN recommended) — don't use email (can change)
Handle name changes gracefully (update, not re-create)
Soft-delete vs. hard-delete: mark employees inactive in EV on account disable (don't delete — preserves ticket history)

Deprovisioning

Sync accountEnabled field from Azure — map to EV employee status
When Azure account disabled → set EasyVista employee to inactive
Retain historical data (EV records should never be deleted for users with ticket history)

Azure (Entra ID) → EasyVista User Sync

Overview

Option 1 — LDAP Pre-Import (Native EasyVista Integration)

What It Is

How It Works

Key Requirements

Required Fields for Employee Import

Full Attribute Mapping

Integration Models Needed

Scheduling

✅ Best For

⚠️ Caveats

Option 2 — SAML 2.0 / SSO (Authentication Only)

What It Is

Supported Protocols

How It Works

Key Notes

✅ Best For

Option 3 — Power Automate / Logic Apps (Microsoft Graph API + EV REST API)

What It Is

Architecture

EasyVista REST API — Employee Endpoints

Microsoft Graph API — Users Endpoint

Power Automate Flow Pattern

App Registration Required

✅ Best For

⚠️ Caveats

Option 4 — Custom Script / PowerShell (Graph API + EV REST API)

What It Is

Pattern

Scheduling Options

✅ Best For

Option 5 — Third-Party iPaaS (MuleSoft, Workato, etc.)

What It Is

Platforms with EasyVista Connectors

✅ Best For

⚠️ Caveats

Comparison Matrix

Recommended Approach (for Cody's Environment)

Best Practices

Data Quality

Security

Conflict Handling

Deprovisioning

Testing

Monitoring

References