How to use the the SCIM-based connector to migrate a legacy Dropbox app

The newest version of the Dropbox for Business application allows users and groups managed by Azure Active Directory to be automatically assigned with Dropbox accounts.

What’s different about the new version?

• You’ll now be able to see your Azure AD groups in Dropbox
• When a user’s assignment of Dropbox is removed in Azure, the user will now go into a 30-day suspension period before being removed from the team (instead of being immediately deleted)

Step 1: Test the new connector before migration

We recommend you test the new connector before migrating to the new version of the Dropbox for Business application. 

1. Sign in to the Azure portal.
2. In the Azure Active Directory, click Enterprise Applications and select your existing Dropbox application.
3. Under Manage, click Provisioning.
4. Under Settings, toggle Provisioning Status to Off.

4. In the Azure Active Directory, click Enterprise Applications.
5. Click New Application.
6. Add a new Dropbox application instance to your Azure tenant. This application will contain the new Dropbox SCIM-based user provisioning job.
7. Configure the new Dropbox application for provisioning to your current Azure tenant and enable provisioning to test the new Dropbox SCIM-based user provisioning job.

Step 2: Pause the old synchronization job.

To pause the old synchronization job:

1. In the Azure Active Directory, click Enterprise Applications and select your existing Dropbox application.
2. Under Manage, click Provisioning.
3. Under Settings, toggle Provisioning Status to Off.

You can also pause the old synchronization job with Microsoft Graph Explorer.

Step 3: Create a new SCIM-based synchronization job using the Graph Explorer

1. In the Azure Active Directory, click Enterprise Applications and select your existing Dropbox application.
2. Under Manage, click Properties.
3. Copy the Object ID.

4. In a new web browser window, go to Graph Explorer and log in as the administrator for the Azure AD tenant where your app is added.
5. Run the command below with the Object ID copied from step 3 to create a new SCIM-based synchronization job.

Note: You can pause and restart synchronization jobs associated to your application whenever needed. To do so:

1. Run the command below to see a list of all the existing synchronization jobs which can either be disabled, activated or paused.

2. In the results, copy the full "ID" string that belongs to the job.
   • Jobs starting with DropboxOutDelta belong to the old synchronization job
   • Jobs starting with DropboxSCIMOutDelta belong to the SCIM-based synchronization job 
3. Run either of the following commands using the same [object-id] as before, and replace [job-id] with the provisioning job ID from step 2.

To pause a job:

Step 4: Reconfigure mappings

User and group mappings will not automatically import when you update. To reconfigure mappings:

1. In the Azure Active Directory, click Enterprise Applications and select your existing Dropbox application.
2. Under Manage, click Provisioning.

3. Under Mappings, configure your user and group mappings.
4. Verify your provisioning configuration and re-enable provisioning.

How to switch back to the legacy Dropbox provisioning job

If you’d like to switch back to the legacy Dropbox provisioning job, you need to pause the SCIM provisioning job and restart the old sync job.  If this doesn’t work, you may need to delete the SCIM provisioning job by running the following script: