With the newest version of the Dropbox for Business application, you’ll be able to see your Azure AD groups in Dropbox, and when a user’s assignment of Dropbox is removed in Azure, the user will now go into a 30-day suspension period before being removed from the team.
This article describes how to set up the Dropbox SCIM-based application by configuring a new Dropbox Enterprise Application in Azure AD. There are two ways to do so:
- Standard update: Recommended for customers who can afford some downtime with their Dropbox application and don’t have a large number of active users.
- Advanced update: Recommended for customers who cannot afford any downtime with their Dropbox application and have a large number of active users.
Standard update
Step 1: Test the new application
We recommend you test the new application before migrating to the new Dropbox for Business application. To do so:
- Sign in to the Azure portal.
- In Azure Active Directory, click Enterprise Applications and select your existing Dropbox application.
- Under Manage, click Provisioning.
- Under Settings, toggle Provisioning Status to Off.
- In Azure Active Directory, click Enterprise Applications.
- Click New Application.
- Add a new Dropbox application instance to your Azure tenant. This application will use the new Dropbox SCIM-based provisioning integration.
- Configure the new Dropbox application for provisioning from your Azure tenant and enable provisioning to start the new Dropbox SCIM-based application.
- Under Manage, click Users and groups.
- Assign one or more users or groups to start your test of provisioning users.
- Once you’re done testing, under Manage, click Properties, then Delete to remove the test application.
Step 2: Create a new application
Once you’ve finished testing, you’ll need to create your new Dropbox for Business application. To do so:
- In Azure Active Directory, click Enterprise Applications.
- Click New Application.
- Add a new Dropbox Enterprise Application to your Azure tenant. This application will use the new Dropbox SCIM-based provisioning integration. You may want to rename the application to differentiate it from your old application.
Step 3: Configure the new application
Once you’ve created the new application, you’ll need to disable single sign-on for the old application and configure your settings and preferences to match the old application. It’s helpful to reference the old application as you do this.
To disable single sign-on for the old application:
- In Azure Active Directory, click Enterprise Applications and choose your old Dropbox Business application.
- Under Manage, click Single sign-on.
- From the top, click Change single sign-on mode.
- Click Disabled to turn off single sign-on.
To configure your new application:
- In Azure Active Directory, click Enterprise Applications.
- Choose your new Dropbox Business application.
- Under Manage, click Users and groups. Mirror the old application's settings in the new application. Keep in mind while configuring that the new application allows for provisioning of groups to Dropbox.
- Under Manage, click Single sign-on. Reconfigure single sign-on settings.
- Under Manage, click Provisioning. Set mode to automatic.
- Authorize the Dropbox connection and click Save.
- Under Mappings, configure your user and group mappings to mirror the old application. Under Settings, keep Provisioning Status set to Off.
- Configure any other additional settings under Manage and Security.
- Review and finalize all settings in the new application.
Step 4: Switch provisioning to the new application
Once you’ve configured your new application, you can safely switch over to the newly created application by turning off provisioning on the old application and turning on provisioning on the new application. To do so:
- In the Azure Active Directory, click Enterprise Applications and select your existing Dropbox application.
- Under Manage, click Provisioning.
- Under Settings, toggle Provisioning Status to Off.
- Navigate to your newly created and configured application.
- Under Manage, click Provisioning.
- Under Settings, toggle Provisioning Status to On.
How to switch back to the legacy Dropbox application
If you experience any issues or need to switch back to the legacy Dropbox application, you can pause provisioning on the new connector and restart provisioning on the legacy application.
Advanced update
Step 1: Test the new connector before migration
We recommend you test the new connector before migrating to the new version of the Dropbox for Business application.
- Sign in to the Azure portal.
- In the Azure Active Directory, click Enterprise Applications and select your existing Dropbox application.
- Under Manage, click Provisioning.
- Under Settings, toggle Provisioning Status to Off.
- In the Azure Active Directory, click Enterprise Applications.
- Click New Application.
- Add a new Dropbox application instance to your Azure tenant. This application will contain the new Dropbox SCIM-based user provisioning job.
- Configure the new Dropbox application for provisioning to your current Azure tenant and enable provisioning to test the new Dropbox SCIM-based user provisioning job.
Step 2: Pause the old synchronization job
To pause the old synchronization job:
- In the Azure Active Directory, click Enterprise Applications and select your existing Dropbox application.
- Under Manage, click Provisioning.
- Under Settings, toggle Provisioning Status to Off.
You can also pause the old synchronization job with Microsoft Graph Explorer.
Step 3: Create a new SCIM-based synchronization job using the Graph Explorer
- In the Azure Active Directory, click Enterprise Applications and select your existing Dropbox application.
- Under Manage, click Properties.
- Copy the Object ID.
- In a new web browser window, go to Graph Explorer and log in as the administrator for the Azure AD tenant where your app is added.
- Run the command below with the Object ID copied from step 3 to create a new SCIM-based synchronization job.
POST https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs
Request Body: { "templateId": "DropboxSCIMOutDelta" }
It should look like this in the Graph Explorer:
Note: You can pause and restart synchronization jobs associated with your application whenever needed. To do so:
- Run the command below to see a list of all the existing synchronization jobs which can either be disabled, activated or paused.
GET https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs/
- In the results, copy the full "ID" string that belongs to the job:
  - Jobs starting with DropboxOutDelta belong to the old synchronization job.
  - Jobs starting with DropboxSCIMOutDelta belong to the SCIM-based synchronization job.
- Run either of the following commands using the same [object-id] as before, and replace [job-id] with the provisioning job ID from step 2.
To pause a job:
POST https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs/[job-id]/pause
To restart a job:
POST https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs/[job-id]/start
Step 4: Reconfigure mappings
User and group mappings will not automatically import when you update. To reconfigure mappings:
- In the Azure Active Directory, click Enterprise Applications and select your existing Dropbox application.
- Under Manage, click Provisioning.
- Under Mappings, configure your user and group mappings.
- Verify your provisioning configuration and re-enable provisioning.
How to switch back to the legacy Dropbox provisioning job
If you’d like to switch back to the legacy Dropbox provisioning job, you need to pause the SCIM provisioning job and restart the old sync job. If this doesn’t work, you may need to delete the SCIM provisioning job by running the following script:
DELETE https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs/[job-id]
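The job listing, pause/start calls and the switch-back described above can be planned from the GET response before anything is sent. This is an added example, not Dropbox's or Microsoft's code: the sample response and its job IDs are constructed placeholders, the function names are hypothetical, and it assumes each job in the response carries a `schedule.state` value.

```python
import json
import re

GRAPH = "https://graph.microsoft.com/beta/servicePrincipals"
LEGACY_PREFIX = "DropboxOutDelta"      # old synchronization job (prefix from the article)
SCIM_PREFIX = "DropboxSCIMOutDelta"    # SCIM-based synchronization job (prefix from the article)
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample of a GET .../synchronization/jobs/ response (IDs are placeholders).
SAMPLE_JOBS = json.loads("""
{"value": [
  {"id": "DropboxOutDelta.0000placeholder.1111", "schedule": {"state": "Active"}},
  {"id": "DropboxSCIMOutDelta.0000placeholder.2222", "schedule": {"state": "Paused"}}
]}
""")

def classify(jobs_response):
    """Split job IDs into (legacy, scim) lists using the ID prefixes."""
    legacy, scim = [], []
    for job in jobs_response.get("value", []):
        job_id = job["id"]
        if job_id.startswith(SCIM_PREFIX):
            scim.append(job_id)
        elif job_id.startswith(LEGACY_PREFIX):
            legacy.append(job_id)
    return legacy, scim

def plan_switch(object_id, jobs_response, rollback=False):
    """Return ordered (method, url) calls: pause one side first, then start the other."""
    if not GUID_RE.match(object_id):
        raise ValueError("object-id must be the application's Object ID (a GUID)")
    legacy, scim = classify(jobs_response)
    to_pause, to_start = (scim, legacy) if rollback else (legacy, scim)
    if not to_start:
        raise ValueError("no job to start; the target job does not exist yet")
    base = f"{GRAPH}/{object_id}/synchronization/jobs"
    calls = [("POST", f"{base}/{j}/pause") for j in to_pause]
    calls += [("POST", f"{base}/{j}/start") for j in to_start]
    return calls

def both_active(jobs_response):
    """True when a legacy and a SCIM job are both scheduled (double provisioning)."""
    active = [j["id"] for j in jobs_response.get("value", [])
              if j.get("schedule", {}).get("state") == "Active"]
    return (any(i.startswith(LEGACY_PREFIX) for i in active)
            and any(i.startswith(SCIM_PREFIX) for i in active))

if __name__ == "__main__":
    for method, url in plan_switch("00000000-0000-0000-0000-000000000000", SAMPLE_JOBS):
        print(method, url)
```

Running `both_active` on a fresh GET response after the switch confirms that only one of the two jobs is still scheduled.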