Azure Active Directory + Salesforce

Sync Azure Active Directory with Salesforce to Automate Identity, Access & Revenue Operations

Connect your identity management layer directly to your CRM so user provisioning, role assignments, and account data stay aligned — automatically.

Why integrate Azure Active Directory and Salesforce?

Azure Active Directory (Azure AD) is how enterprises control who gets into what — applications, roles, data, all of it. Salesforce is where your customer relationships, pipeline, and revenue workflows live. When these two platforms don't talk to each other, IT teams spend hours manually provisioning users, chasing down access for departed employees, and reconciling account data — work that's tedious, slow, and prone to mistakes. Integrating Azure AD with Salesforce cuts that overhead, so identity changes flow directly into the right CRM permissions and customer data stays consistent across both platforms.

Automate & integrate Azure Active Directory & Salesforce

Use case

Automated User Provisioning from Azure AD to Salesforce

When a new employee is added to an Azure AD group — say, 'Sales Team West' or 'Account Executives' — tray.ai automatically creates a matching Salesforce user with the correct profile, role, and permission sets. IT and Salesforce admins don't have to manually set up CRM access for every new hire, which cuts onboarding time from days to minutes.

Use case

Automatic Salesforce Access Revocation on Azure AD Deactivation

When an employee's Azure AD account is disabled or deleted — termination, role change, leave of absence — tray.ai immediately deactivates the corresponding Salesforce user and can reassign their open opportunities, leads, or cases to a designated manager. This closes a real security gap: former employees retaining CRM access long after they've left.

Use case

Role and Permission Sync Based on Azure AD Group Changes

When employees are promoted, change teams, or shift territories, their Azure AD group memberships update to reflect the new position. tray.ai picks up those changes and updates Salesforce roles, profiles, and permission sets accordingly, so each rep only sees the data and capabilities that match their current function.

Use case

Single Sign-On User Attribute Sync

Azure AD is the identity provider for Salesforce SSO in most enterprise environments, but attribute mismatches between the two systems — different email formats, department codes, manager fields — can break SSO flows and corrupt CRM records. tray.ai continuously reconciles user attributes between Azure AD and Salesforce, keeping fields like department, title, phone number, and manager in sync so SSO works reliably and CRM data stays accurate.

Use case

Account and Contact Enrichment from Azure AD Organization Data

Azure AD stores organizational metadata — department structures, cost centers, office locations, reporting lines — that can enrich Salesforce account and contact records. tray.ai maps this data from Azure AD into custom Salesforce fields, giving sales reps and account managers a fuller picture of their customers' internal structures without anyone duplicating data entry.

Use case

Compliance Reporting and Access Audit Trail

Regulated industries need documented proof that CRM access is granted and revoked according to identity governance policies. tray.ai logs every provisioning and deprovisioning event triggered by Azure AD changes, building a structured audit trail in a data warehouse, Salesforce custom object, or SIEM platform that's ready when compliance reviews and access audits come around.

Use case

New Customer Account Creation Triggered by Azure AD B2B Invitations

When your organization uses Azure AD B2B to invite external partners, distributors, or clients into your tenant, tray.ai can automatically create or update the corresponding Salesforce Account and Contact records for those external users. This connects partner identity management to your CRM, so external collaborators show up as active relationships in Salesforce from day one.


Azure Active Directory & Salesforce Challenges

What challenges are there when working with Azure Active Directory & Salesforce, and how will using tray.ai help?

Challenge

Mapping Azure AD Groups to Salesforce Roles and Profiles at Scale

Enterprises often have dozens or hundreds of Azure AD security groups representing different teams, regions, and job functions. Translating that group hierarchy into the right combination of Salesforce profiles, roles, and permission sets is highly org-specific — and keeping it accurate as directory structures and CRM configurations change is genuinely hard to do manually.

How Tray.ai Can Help:

tray.ai includes a configurable mapping layer within workflows that lets admins define and update the translation logic between Azure AD groups and Salesforce entitlements without writing code. The mapping table can live in a Google Sheet, Airtable, or custom configuration object and gets referenced dynamically by the workflow, so updates as your org chart changes don't require touching the automation itself.

Challenge

Handling Partial Deprovisioning and Record Ownership Transitions

When a Salesforce user is deactivated following an Azure AD offboarding event, every record they own — opportunities, leads, accounts, cases, custom objects — needs to be reassigned. Finding the right new owner and handling edge cases like shared ownership or team selling adds real complexity to offboarding automation.

How Tray.ai Can Help:

tray.ai workflows include conditional logic and looping that can query all record types owned by a departing user, apply configurable reassignment rules (assign to direct manager, round-robin to the team, or move to a queue), handle exceptions gracefully, and log every reassignment for audit and compliance.

Challenge

Avoiding Duplicate User Records Across Systems

When Azure AD and Salesforce have been managed separately for years, discrepancies in email formats, employee IDs, or naming conventions make it hard to reliably match records between the two systems. Running integration workflows against mismatched data risks creating duplicate Salesforce users or updating the wrong existing record.

How Tray.ai Can Help:

tray.ai supports multi-field matching logic that cross-references Azure AD Object IDs, UPNs, email addresses, and employee numbers against Salesforce user records to confirm the right match before taking any action. Records that don't match get routed to a review queue or logged for manual reconciliation rather than triggering an automated action that could make things worse.
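
The match-before-act rule described above, sketched in Python as an added example (not tray.ai's implementation or code from this page). The custom field AzureObjectId__c, the pairing of UPN with FederationIdentifier, the two-field agreement threshold, and all sample records are assumptions constructed for illustration.

```python
# Added example. (Azure AD / Graph property, Salesforce User field) pairs.
PAIRS = [
    ("id", "AzureObjectId__c"),  # hypothetical custom field holding the Object ID
    ("userPrincipalName", "FederationIdentifier"),  # assumes SSO maps UPN here
    ("mail", "Email"),
    ("employeeId", "EmployeeNumber"),
]

def norm(value):
    """Case- and whitespace-insensitive comparison key; None if empty."""
    return (value or "").strip().casefold() or None

def compare(aad, sf):
    """Return (agreeing, conflicting) Salesforce field names for one candidate."""
    agree, conflict = [], []
    for aad_key, sf_key in PAIRS:
        a, s = norm(aad.get(aad_key)), norm(sf.get(sf_key))
        if a is None or s is None:
            continue  # missing data is neither proof nor conflict
        (agree if a == s else conflict).append(sf_key)
    return agree, conflict

def match_user(aad, sf_users, min_agree=2):
    """Decide 'match', 'review' or 'no_match' before any automated action."""
    touched, clean = [], []
    for sf in sf_users:
        agree, conflict = compare(aad, sf)
        if not agree:
            continue
        touched.append(sf["Id"])
        strong = "AzureObjectId__c" in agree or len(agree) >= min_agree
        if strong and not conflict:
            clean.append(sf["Id"])
    # Act only on one unambiguous record; any partial or duplicate hit is reviewed.
    if len(clean) == 1 and len(touched) == 1:
        return ("match", clean[0])
    if touched:
        return ("review", sorted(touched))
    return ("no_match", None)

# Constructed sample records (not real data).
AAD = {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "employeeId": "E1001",
       "userPrincipalName": "J.Doe@contoso.example",
       "mail": "j.doe@contoso.example"}
SF_USERS = [
    {"Id": "005A", "FederationIdentifier": "j.doe@contoso.example",
     "Email": "j.doe@contoso.example", "EmployeeNumber": "E1001"},
    {"Id": "005B", "Email": "jane.roe@contoso.example", "EmployeeNumber": "E2002"},
]
```

A record that agrees on only one weak field, agrees on some fields but conflicts on another, or shares a field with a second record is returned as "review" rather than being deactivated or updated.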

Challenge

Real-Time Event Delivery and Latency Management

Access revocation is time-sensitive — a deactivated Azure AD account shouldn't keep working in Salesforce for hours. Polling-based integrations introduce latency, and webhook delivery from Azure AD can be unreliable without proper retry and error-handling infrastructure in place.

How Tray.ai Can Help:

tray.ai supports event-driven triggers via Azure AD webhooks and Microsoft Graph API subscriptions, enabling near-real-time responses to identity events. Built-in retry logic, dead-letter queuing, and alerting make sure critical deprovisioning events aren't silently dropped, so security teams can trust that access revocation happens within seconds of an Azure AD change.

Challenge

Managing API Rate Limits During Large-Scale Sync Operations

Bulk synchronization — an initial full reconciliation of thousands of users, or a batch update after an organizational restructuring — can exhaust both the Microsoft Graph API and Salesforce API rate limits fast, causing workflows to fail partway through and leaving systems in an inconsistent state.

How Tray.ai Can Help:

tray.ai includes built-in rate limit handling and adaptive throttling that automatically paces API calls to stay within the limits of both Microsoft Graph and Salesforce. Large batch operations are broken into configurable chunk sizes with delays between batches, and failed records are queued for automatic retry so bulk syncs complete reliably even across very large user populations.

Start using our pre-built Azure Active Directory & Salesforce templates today

Start from scratch or use one of our pre-built Azure Active Directory & Salesforce templates to quickly solve your most common use cases.

Azure Active Directory & Salesforce Templates

Find pre-built Azure Active Directory & Salesforce solutions for common use cases


Template

New Azure AD User → Create Salesforce User with Role & Profile

Monitors Azure AD for newly created or group-assigned users and automatically provisions a matching Salesforce user, assigning the correct profile, role, and permission sets based on the employee's Azure AD group membership and job attributes.

Steps:

  • Trigger: Detect new user creation or group assignment event in Azure Active Directory
  • Lookup: Map Azure AD group and job title to the corresponding Salesforce profile and role using a configurable mapping table
  • Action: Create Salesforce user with correct profile, role, license type, and attribute fields populated from Azure AD

Connectors Used: Azure Active Directory, Salesforce

Template

Azure AD User Deactivation → Deactivate Salesforce User & Reassign Records

Listens for account disable or deletion events in Azure AD and immediately deactivates the corresponding Salesforce user, then reassigns their open leads, opportunities, and cases to a predefined manager or queue to prevent record loss.

Steps:

  • Trigger: Detect user account disabled or deleted event in Azure Active Directory
  • Lookup: Find the matching active Salesforce user by email or Azure AD Object ID
  • Action: Deactivate Salesforce user and bulk-reassign open opportunities, leads, and cases to the user's manager or a designated fallback owner

Connectors Used: Azure Active Directory, Salesforce

Template

Azure AD Group Change → Update Salesforce Role & Permissions

Monitors Azure AD group membership changes and updates the corresponding Salesforce user's role, profile, or permission sets to reflect their new position, team, or territory.

Steps:

  • Trigger: Detect group membership add or remove event in Azure Active Directory
  • Logic: Evaluate the new group membership combination against the Salesforce role and permission mapping configuration
  • Action: Update Salesforce user record with the new role, profile, or permission set changes and log the modification for audit purposes

Connectors Used: Azure Active Directory, Salesforce

Template

Scheduled Azure AD → Salesforce User Attribute Reconciliation

Runs on a schedule to compare user attributes between Azure AD and Salesforce — including email, phone, department, title, and manager — and updates Salesforce records where the authoritative Azure AD source has changed.

Steps:

  • Trigger: Run on a scheduled interval (e.g., every 4 hours or nightly)
  • Compare: Fetch all active users from Azure AD and their corresponding Salesforce records, then diff attribute fields to identify mismatches
  • Action: Batch-update Salesforce user and contact records where attribute values have drifted from Azure AD, and generate a reconciliation report

Connectors Used: Azure Active Directory, Salesforce

Template

Azure AD B2B Guest Invitation → Create Salesforce Account & Contact

Detects when an external user is invited to the Azure AD tenant via B2B invitation and automatically creates or updates the corresponding Salesforce Account and Contact records, tagging them with the partner or client relationship type.

Steps:

  • Trigger: Detect new B2B guest user invitation or acceptance event in Azure Active Directory
  • Lookup: Search Salesforce for an existing Account matching the guest user's domain; create a new Account if none exists
  • Action: Create or update a Salesforce Contact linked to the Account with the guest user's name, email, company, and relationship type

Connectors Used: Azure Active Directory, Salesforce

Template

Salesforce New User Request → Provision Azure AD Account & Group Assignment

When a Salesforce admin or HR system submits a new user request through a Salesforce form or record, tray.ai provisions the corresponding Azure AD account, assigns it to the appropriate security groups, and writes the new user's credentials or onboarding status back to the originating Salesforce record.

Steps:

  • Trigger: New user request record created or status updated in Salesforce (e.g., custom User Provisioning Request object)
  • Action: Create Azure AD user account with attributes sourced from the Salesforce request record and assign to the specified security groups
  • Update: Write the Azure AD Object ID, account status, and provisioning timestamp back to the originating Salesforce record and notify the requester

Connectors Used: Salesforce, Azure Active Directory