Converting authentication from unique ArcGIS online users to Enterprise Azure AD users

05-26-2021 12:00 PM
New Contributor

Currently we're using ArcGIS Online and using our domain email addresses with unique passwords to log in. We're attempting to convert to Azure AD authentication. I'd like to match the Enterprise usernames to the usernames we're currently using; however, I'm not sure what/where I need to do this.

I've gotten the SAML link to work in the Azure AD Enterprise Apps, however when logging into ArcGIS enterprise with my AD creds, I get an error:

"Unable to sign in, logins are by invitation only. Please contact the administrator of this web site to access this site. IdpUsername: '' Username: 'user@mydomain.com_MyCompanyShortname'" is an existing user account in ArcGIS online. I assume I need to update the User attributes & claims in my Azure AD Enterprise App to pass along this info? I'm not sure what I need to do and the help documentation isn't entirely clear. 

Help documentation in question:

Any help would be greatly appreciated!

4 Replies
Occasional Contributor II

Did you ever come up with a solution? We're going through this process now and running into pretty much the same issue. Our existing Enterprise users are all in the format doej@domain (or domain\\doej), but Azure sends the username as If we allow users to create an account without invitation, they are able to log in, but it creates a brand new username. If push comes to shove, we can just get rid of all the old users and add new ones, but it would be nice if we can avoid that.

New Contributor

I am currently going through the exact same issue as the original post, and I agree there is virtually no supporting documentation for how to resolve this issue. @ChipSmith09 were you able to get this working? I'd love to know how to get it resolved.

Occasional Contributor III

You can't link them. You need to recreate each user as a SAML2 user, transfer any permissions/content, and then deprecate the old user. I believe there are example scripts online and also potentially third-party admin tools that can help with the migration.

Scott Tansley
Consulting Architect (ArcGIS Enterprise)
Occasional Contributor II

I agree with @Scott_Tansley. We ended up doing it in batches, so I wrote a script that took the old username, email address, first name, and last name as a CSV input. It created each new user with the email address, then transferred items, groups, permissions, etc. to the new user, and finally deleted the old user. It wasn't too hard to set up, and a good opportunity to get to know the admin module of the Python API.
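
One way to script the batch migration described in the reply above, added here as an example; it is not the poster's script. It defaults to a dry run and deletes an old account only after the SAML account exists and the content reassignment succeeded. Assumptions: `gis` is a connected `arcgis.gis.GIS` administrator session, the ArcGIS API for Python calls `users.get`, `users.create`, `User.reassign_to` and `User.delete` accept the arguments shown, and the CSV column names, the `org_suffix` parameter and the username pattern are hypothetical.

```python
import csv
import io

REQUIRED = ("old_username", "email", "first_name", "last_name")

def read_rows(csv_text):
    """Parse the CSV; refuse missing columns, blank fields and duplicate emails."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing columns: {missing}")
    rows, seen = [], set()
    for line_no, raw in enumerate(reader, start=2):
        row = {c: (raw[c] or "").strip() for c in REQUIRED}
        key = row["email"].lower()
        if not all(row.values()) or key in seen:
            raise ValueError(f"line {line_no}: blank field or duplicate email")
        seen.add(key)
        rows.append(row)
    return rows

def migrate(gis, rows, org_suffix, dry_run=True):
    """Return [(old_username, outcome)]. The old account is deleted only after
    the SAML account exists and the content reassignment reported success."""
    results = []
    for r in rows:
        # Assumption: new username is "<email>_<org short name>", the form
        # shown in the sign-in error quoted in the original post.
        new_name = f"{r['email']}_{org_suffix}"
        old = gis.users.get(r["old_username"])
        if old is None:
            outcome = "skipped: old user not found"
        elif gis.users.get(new_name) is not None:
            outcome = "skipped: target already exists"
        elif dry_run:
            outcome = f"would migrate to {new_name}"
        else:
            new = gis.users.create(
                username=new_name, password=None, firstname=r["first_name"],
                lastname=r["last_name"], email=r["email"], role=old.role,
                provider="enterprise", idp_username=r["email"])
            if new is None:
                outcome = "failed: create"
            elif not old.reassign_to(new_name):  # owned items and groups
                outcome = "failed: reassign (old user kept)"
            else:
                outcome = "migrated" if old.delete() else "failed: delete"
        results.append((r["old_username"], outcome))
    return results
```

Review the dry-run output before calling `migrate(..., dry_run=False)`, and keep the returned outcomes as the audit record of which accounts were replaced.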