Facebook at Work provisioning using "built-in" Azure SCIM

Facebook at Work (https://work.fb.com/) is the business variant of Facebook. This gives enterprises the possibility to own, manage and use Facebook in a Enterprise context. As Facebook at Work is born in the cloud it comes with modern API's for user manangement and also exists in the Microsoft Azure Marketplace (link).

When integrating Facebook at Work into Azure you get two pre-built options from Microsoft;

  • Single Sing On (using Azure AD)
  • User Provisioning (using a pre-built Azure AD SCIM connector to facebook)

Configure Single Sign On

Below is a short guide for setting up Single Sign On between Facebook and Azure AD:

  1. Create a Azure AD user (with email) facebook@yourdomain.com
  2. Create a Facebook user with username facebook@yourdomain.com
    (make this user a global admin)
  3. Logon to Facebook at Work and Azure with your newly created users
    (there will be a match check when setting up
  4. Logon to your Facebook at Work instance
    1. Community Center > Settings
    2. Note down information under SAML configuration
      • Audience URL
      • Recipient URL
      • ACS URL
  5. Open Azure AD
    1. Add Azure application: Facebook  at Work
    2. Assign the Azure facebook@yourdomain.com as a user to Facebook at Work app
    3. Setup SSO
      1. Sign on URL = Tenant URL for Facebook (https://yourcompany.facebook.com)
      2. Identifier = Audience URL (from above)
      3. Reply URL = ACS URL (from above)
      4. Certificate; create a new 3 year certificate
      5. Store information from Azuire
        • Download the certificate file
        • Note down the SAML SSO URL
        • Note down the SAML Issure URI
  6. Back to the Facebook at Work
    1. Community > Settings
    2. SSO settings
      1. Change to SSO logon: SSO Only
      2. Expire setting: 3 weeks
      3. Certificate = Open the cert-file downloaded and paste the text
      4. SAML URL = SAML SSO URL from Azure
      5. SAML Issuer URI = SAML Issuer URI from Azure
      6. Click "TEST SSO"
        SSO should now work and be successful. Save settings. Remember that now must all authentication go through the Azure AD (not possible with multiple authentication providers in Facebook at Work at the moment). 
  7. Back to Azure AD (finish the settings)
    1. Add a notification email (for errors on certificate)

SCIM provisioning

It's also easy to setup SCIM provisioning to Facebook. 
  1. Logon to Facebook at Work
    1. Community > Settings
      1. Note down Access token
      2. Note down SCIM URL
      3. Note down Community ID
  2. Azure AD > Applications > Facebook at Work > Configure
    1. Setup provisioning
      1. User Security Token = Facebook Access token
      2. Facebook at Work Tenant URL = SCIM URL
    2. Test the connection
    3. Setup notification email (for errors on provisioning)

Username vs. E-mail address

Facebook as a cloud service provider expects that the users logon name and e-mail address are the same (at the moment). In a standard configuration Azure will create users with [UserPrincipalName] and expect these to work. You can suppressEmail (however not recommended as the service uses e-mail for driving engagement and remind users to check posts in Facebook AtWork).

E-mail invitation 

When new users are provisioned by Azure (using the SCIM integration) the service will send a invite e-mail to the newly provisioned user. This is to quickly get the user onboarded and active on the Facebook AtWork social platform.

Prevent e-mail invitation (and e-mail communication): Facebook at Work have a property suppressEmail that will stop Facebook from sending e-mails to the user. 


This is possible to configure using the Azure provisioning engine. The settings are changed in the Azure > Applications > Facebook AtWork > Attributes > Provisioning:

To add the "SuppressEmail" click on "add attribute mapping", choose "suppressEmail" (in the Facebook AtWork attribute) and then you have two options.

  • Suppress all email communications for all users (using Constant = true)
  • Suppress email communications for e-mail less users - no mail attribute in Azure AD(and allow for users with mail)

    This will check the mail attribute on the users in Azure AD, if present set suppressEmail to "false" and if blank set it to "true". My little piece of magic! 


Unknown said...

Thanks for posting this - both the FB and MS docs are out of date and examples were missing.

I was able to get the SSO on the FB @ Work side to test out ok with this, but the .cer text pasted in gives an error "Incorrect certificate file format." when I hit "save". So still blocked on this...

Any ideas? when I clicked on the fb workplace application in azure I believe it automatically created this cert for me and I didn't see any options to change the type.

lollicup store said...
This comment has been removed by a blog administrator.
fabacq said...

Hi, is it possible to provision user accounts in Facebook at Work from two different Azure AD tenants? In order word, does exists a 1:1 relation between Facebook at work instance and Azure AD tenant to which this is federated with?
Thank you


RikardStrand said...

Hi fabacq,

It's possible to sync users from multiple sources without any issues. However - you can only configure one SSO provider in Workplace - so you cannot route traffic to two different Azure tenants directly from Workplace.

A possible workaround is to add all users in B-tenant as guest users in A-tenant and configure SSO Workplace <> A-tenant. It's working (but not simple to automatically add users from B-tenant as guest users automatically). A simpler way is to have a "custom" SSO in front of both Azure AD's (like identityserver.io) - but this might not suit your identity strategy.