Skip to main content
arrow-left Back to Docusign.com
Question

Problem with DocuSign Entra Provisioning (Not JIT)

  • April 1, 2025
  • 1 reply
  • 37 views
T
Newcomer
Forum|alt.badge.img

Hi all,

We have configured a DocuSign Enterprise App in Entra. SSO is already working but now I have tried to configure the provisioning and here I am facing a problem. The problem is the switch expression that is needed to assign the correct permission profile to the DocuSign users.

In the first step we configured for 2 of the groups a role in the App registration. Then we assigned this role to the groups

 

Now its the step where we have a problem. If we open the expression build and copy the expression from the official guide we always get a NULL as output. The user that we are using for the test is assigned to Entra group Advanced so there should be a result shown. The role Advanced is enabled and the value is set to “Advanced” and this is what we are using in the expression.

Switch(SingleAppRoleAssignment([appRoleAssignments]), "XXXXXX", "Advanced", "YYYYYY")

 

 

We also set the scope for provisioning to “Sync only assigned users and groups.

Does anyone have an idea what the problem is and how to fix it?

 

1 reply

M
Community Moderator
Forum|alt.badge.img+2
  • Ma.CubioCommunity Moderator
  • Community Moderator
  • 21 replies
  • April 2, 2025

Hello ​@THPG,

Thank you for reaching out here in the DocuSign Community and for bringing this to our attention. I apologize for the inconvenience this has caused you.
Upon checking, you are trying to use Azure/Entra's User Provisioning API integration. The integration is ancient, and it can't do most of what it claims (because it relies on features that we deprecated years ago as security issues). The long-and-short is that you will not be able to use that integration to manage preexisting users. Even if you manage to overcome the issue they've reported, the best you will be able to accomplish is that every time you try to update an existing user in our system, that integration will close that user and provision a new one with the desired settings. Doing this will cut off the user from any envelopes or special configurations they had in their original seat (because they've just been given a brand new one).
The integration tries to give our customer SCIM functionality. But we don't (yet) support SCIM. We've almost finished building out support for SCIM, and we're currently targeting the end of May for releasing it. What we highly recommend is for you to set this aside and wait it out for a couple of months, you will have a much better solution available by then.

Please let us know if you require any further assistance. Thank you!

 

Best regards,

Ma. Cassandra | Docusign Community Moderator

"Select as Best" below if you find the answer a valid solution to your issue

Reply


Most helpful members this week

Code of Conduct

Docusign Community

Code of Conduct