The below video will walk through migrating built-in named user accounts to enterprise named user accounts within ArcGIS Enterprise/ArcGIS Online using the attached scripts. The enterprise accounts can be SAML or, for ArcGIS Enterprise, Active Directory (IWA).
@JakeSkinner great script! I think there might be one minor thing you've overlooked: the user's group role (Member or Group Manager) in a group. For example, in "ArcGIS Online - Migrating User Content and Groups.py", around line 175, you would want to check the group role of the user's built-in online account, and assign the same group role to the user's enterprise account when you add them to the group (usernames = Member and admins = Group Manager).
Also, for anyone using this script to process a very large list of accounts, you run the risk of exceeding the operations rate limit, and the possibility of the script failing part way through processing a user. For such a case, I would highly recommend sticking a 5-second sleep in between processing each user.
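An added example (not part of the attached scripts) of how the role-preserving step suggested above could be written. It assumes the arcgis API's Group.get_members() returns a dict with "owner", "admins" and "users" keys and that Group.add_users() accepts usernames (members) and admins (group managers), as noted in the reply; the built-in-to-enterprise username mapping is a constructed dict standing in for the CSV.

```python
import time


def plan_group_membership(members, username_map):
    """Translate one group's membership from built-in to enterprise accounts.

    members: the dict Group.get_members() returns, e.g.
        {"owner": "alice", "admins": ["bob"], "users": ["carol", "dave"]}
    username_map: built-in username -> enterprise username (from the CSV).
    Returns the keyword arguments for Group.add_users(): group managers
    ("admins") stay managers and members ("users") stay members. Built-in
    accounts with no mapping are skipped and listed under "unmapped" so
    the migration can report them instead of silently dropping them.
    """
    plan = {"usernames": [], "admins": [], "unmapped": []}
    for role, key in (("users", "usernames"), ("admins", "admins")):
        for builtin in members.get(role, []):
            target = username_map.get(builtin)
            if target is None:
                plan["unmapped"].append(builtin)
            elif target not in plan[key]:
                plan[key].append(target)
    # Ownership is not a membership role: the owner is handled separately
    # (Group.reassign_to() in the migration), so it is only reported here.
    plan["owner"] = username_map.get(members.get("owner"))
    return plan


def migrate_group_membership(group, username_map, pause=5):
    """Apply the plan to a live arcgis.gis.Group, then pause to stay under the rate limit."""
    plan = plan_group_membership(group.get_members(), username_map)
    if plan["usernames"] or plan["admins"]:
        group.add_users(usernames=plan["usernames"], admins=plan["admins"])
    time.sleep(pause)  # the 5-second gap between operations recommended above
    return plan
```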
@PeterKnoop good catch on adding the users to Groups. I've updated the scripts to add them as either users/managers.
@JakeSkinner Thank you for the script!
We are coming across issues connecting to our Enterprise portal in the Get Built-In Users Script. We tested several variations of our portal's url but we have been getting errors. We are trying to run the script on a virtual machine in our ArcGIS Enterprise environment. When using our portal url and portal admin credentials we are getting this error: "Exception: User not allowed for this account (Error Code: 403)". We tried adding the ':7443' port to the url and it times out and gives us the same error.
Example of what we have been using: gis = GIS(url="https://gis.organization.com/portal", username="username", password="password", verify_cert=False)
We also tried to add the portal server's IP address in combination with the port number, which looks something like:
gis = GIS(url="https://Portal IP Address:7443/arcgis", username="username", password="password", verify_cert=False)
but we get the following error:
"Exception: A general error occurred: Could not login. Please ensure you have valid credentials and set your security login question."
Any guidance or suggestions would be greatly appreciated as we cannot seem to get past the initial step of connecting to the portal url in the built-in users script that you have shared.
@ErikNelson1 what type of account are you using to connect to Portal? Do you know if it's a built-in, Active Directory, or SAML account? SAML is not currently supported.
@JakeSkinner we are using a built-in admin account to connect to the Portal.
1. Are you able to sign into Portal with the credentials you are providing in the script?
2. Do you have any reverse proxies in place?
3. Is there another built-in admin account you can try?
@ErikNelson1 can you test the below code on another machine that has ArcGIS Pro installed:
from arcgis.gis import GIS
gis = GIS(url="https://gis.organization.com/portal", username="username", password="password", verify_cert=False)
@JakeSkinner we determined that our python environment did not match our 10.9 Portal version.
The script ran successfully after running it in a python environment that was compatible with our Enterprise version.
Thank you so much for the video and scripts.
We are preparing to move to IAMOnline authentication.
When I ran the script to get the users for Portal, I noticed the Apps column is empty!
Could you please help me?
Best regards,
--------------------------------------------------
Tarig Ahmed, GISP | GIS Administrator
SHARP DSHS-IT Analytics Team
tarig.ahmed@hhs.texas.gov | 469-261-0849
DSHS ArcGIS Online | DSHS ArcGIS Enterprise Portal
This column should be populated if you have any application licenses (e.g. ArcGIS Pro, Insights, Field Maps, etc.) assigned to the user. Ex:
@JakeSkinner I am trying to use the scripts to create a new user in AGOL and transfer the contents.
Step 1. Created the built-in user list successfully. Used a built-in admin user account.
Step 2. Tried to create a new user ID from the list, for one user. However, it failed. The message is:
Creating new standard user with id: firstname.surname@email.com_agol_shortname
Unable to create firstname.surname@email.com_agol_shortname
Tried with variations of the new username, but no success.
What could be the issue?
@Thomas_Puthusserry are you able to manually create the user firstname.surname@email.com_agol_shortname?
I just tested this and it worked. I assume there is no restriction in the length of the user name?
@Thomas_Puthusserry within the CSV, remove the agol shortname from the new username. See if that works.
@JakeSkinner That was something I tried. A couple of different combinations, but nothing seems to work (used a short email: surname@email.com), same error.
@JakeSkinner The main idea behind using your script is to move the users to SAML authentication. However, in the AGOL org where I tried your script, SAML authentication is not yet configured. I wonder whether there are any such requirements prior to migrating users?
@Thomas_Puthusserry yes, I believe this may be a requirement for you to successfully create the SAML account.
@JakeSkinner After enabling SAML in AGOL, the script is running and a new user is created and all items / groups are transferred to the new account. However, the new user cannot log in; I get this error:
However, if I add a new user to connect via SAML then it works, which means the setup is correct. So why is it that the user ID created with the script is not enabled to log in?
@Thomas_Puthusserry do you see any differences with the user accounts created from the script, and the one created manually? A customer I'm working with ran the same script last week and noticed the SAML account created via the script did not append the _agolshortname to the SAML account since they did not have that specified in the CSV. However, the account still worked without the shortname. This may be different for different SAML IDPs, though.
@JakeSkinner thanks for the quick response, appreciated.
Obviously, when I created the account via the script, the agolshortname was appended (email_agolshortname) after the email and therefore the account is fine.
For the account created manually, when the user email is given in the 'User Identifier' field, the next screen automatically adds the agolshortname. With that, the user can log in via SAML.
Now I have tested what you said above: created a new built-in user with agolshortname appended. In the CSV, I didn't add the agolshortname (just the email). Ran the script, which created the new user with just the email and assigned it to groups etc. This user can log in via SAML. However, I got a traceback error related to the old user, but nothing of issue.
Does this mean that the IDPusername (email) cannot be used in another AGOL account?