Sync Azure Active Directory with Salesforce to Automate Identity, Access & Revenue Operations

Connect your identity management layer directly to your CRM so user provisioning, role assignments, and account data stay aligned — automatically.

Azure Active Directory (Azure AD) is how enterprises control who gets into what — applications, roles, data, all of it. Salesforce is where your customer relationships, pipeline, and revenue workflows live. When these two platforms don't talk to each other, IT teams spend hours manually provisioning users, chasing down access for departed employees, and reconciling account data — work that's tedious, slow, and prone to mistakes. Integrating Azure AD with Salesforce cuts that overhead, so identity changes flow directly into the right CRM permissions and customer data stays consistent across both platforms.

The business case for connecting Azure Active Directory with Salesforce comes down to security, efficiency, and data integrity. When a new sales rep joins, their Salesforce profile, role, and account assignments should match what's defined in Azure AD — no IT ticket required. When someone leaves, their Salesforce access should be cut the moment their Azure AD account is disabled, not days later when someone notices. Beyond user lifecycle management, syncing organizational hierarchy and group membership from Azure AD into Salesforce means sales territories, opportunity visibility, and reporting structures reflect how your business actually operates right now. For enterprises running both Microsoft 365 and Salesforce, a live integration between these systems isn't a nice-to-have — it's a compliance and operational requirement.

Automate & integrate Azure Active Directory + Salesforce

Automating Azure Active Directory and Salesforce business processes or integrating data is made easy with Tray.ai.

Use case

Automated User Provisioning from Azure AD to Salesforce

When a new employee is added to an Azure AD group — say, 'Sales Team West' or 'Account Executives' — tray.ai automatically creates a matching Salesforce user with the correct profile, role, and permission sets. IT and Salesforce admins don't have to manually set up CRM access for every new hire, which cuts onboarding time from days to minutes.

  • New hires get Salesforce access within minutes of Azure AD provisioning
  • Role and profile assignment stays consistent, based on Azure AD group membership
  • Fewer IT tickets for Salesforce user setup requests

Use case

Automatic Salesforce Access Revocation on Azure AD Deactivation

When an employee's Azure AD account is disabled or deleted — termination, role change, leave of absence — tray.ai immediately deactivates the corresponding Salesforce user and can reassign their open opportunities, leads, or cases to a designated manager. This closes a real security gap: former employees retaining CRM access long after they've left.

  • No more orphaned Salesforce accounts belonging to departed employees
  • Reduced insider threat risk, with support for SOC 2 and ISO 27001 compliance
  • CRM records get reassigned automatically so pipeline data doesn't go dark

Use case

Role and Permission Sync Based on Azure AD Group Changes

When employees are promoted, change teams, or shift territories, their Azure AD group memberships update to reflect the new position. tray.ai picks up those changes and updates Salesforce roles, profiles, and permission sets accordingly, so each rep only sees the data and capabilities that match their current function.

  • Salesforce permissions always reflect the current organizational hierarchy
  • Over-permissioned users don't hold onto access to sensitive opportunity data
  • Dynamic sales territory management works at scale

Use case

Single Sign-On User Attribute Sync

Azure AD is the identity provider for Salesforce SSO in most enterprise environments, but attribute mismatches between the two systems — different email formats, department codes, manager fields — can break SSO flows and corrupt CRM records. tray.ai continuously reconciles user attributes between Azure AD and Salesforce, keeping fields like department, title, phone number, and manager in sync so SSO works reliably and CRM data stays accurate.

  • No SSO authentication failures from attribute drift between systems
  • Salesforce user profiles stay accurate without manual admin updates
  • Better data quality for Salesforce reports and dashboards that depend on user attributes

Use case

Account and Contact Enrichment from Azure AD Organization Data

Azure AD stores organizational metadata — department structures, cost centers, office locations, reporting lines — that can enrich Salesforce account and contact records. tray.ai maps this data from Azure AD into custom Salesforce fields, giving sales reps and account managers a fuller picture of their customers' internal structures without anyone duplicating data entry.

  • Salesforce contact records get live org chart data pulled from Azure AD
  • No manual data entry for department and reporting-line fields
  • Better segmentation and targeting based on organizational attributes

Use case

Compliance Reporting and Access Audit Trail

Regulated industries need documented proof that CRM access is granted and revoked according to identity governance policies. tray.ai logs every provisioning and deprovisioning event triggered by Azure AD changes, building a structured audit trail in a data warehouse, Salesforce custom object, or SIEM platform that's ready when compliance reviews and access audits come around.

  • Timestamped audit log of all Salesforce access changes tied to Azure AD events
  • Supports HIPAA, SOC 2, GDPR, and financial services compliance requirements
  • Less time spent pulling manual access review reports during audits

Challenges Tray.ai solves

Common obstacles when integrating Azure Active Directory and Salesforce — and how Tray.ai handles them.

Challenge

Mapping Azure AD Groups to Salesforce Roles and Profiles at Scale

Enterprises often have dozens or hundreds of Azure AD security groups representing different teams, regions, and job functions. Translating that group hierarchy into the right combination of Salesforce profiles, roles, and permission sets is highly org-specific — and keeping it accurate as directory structures and CRM configurations change is genuinely hard to do manually.

How Tray.ai helps

tray.ai includes a configurable mapping layer within workflows that lets admins define and update the translation logic between Azure AD groups and Salesforce entitlements without writing code. The mapping table can live in a Google Sheet, Airtable, or custom configuration object and gets referenced dynamically by the workflow, so updates as your org chart changes don't require touching the automation itself.

Challenge

Handling Partial Deprovisioning and Record Ownership Transitions

When a Salesforce user is deactivated following an Azure AD offboarding event, every record they own — opportunities, leads, accounts, cases, custom objects — needs to be reassigned. Finding the right new owner and handling edge cases like shared ownership or team selling adds real complexity to offboarding automation.

How Tray.ai helps

tray.ai workflows include conditional logic and looping that can query all record types owned by a departing user, apply configurable reassignment rules (assign to direct manager, round-robin to the team, or move to a queue), handle exceptions gracefully, and log every reassignment for audit and compliance.

Challenge

Avoiding Duplicate User Records Across Systems

When Azure AD and Salesforce have been managed separately for years, discrepancies in email formats, employee IDs, or naming conventions make it hard to reliably match records between the two systems. Running integration workflows against mismatched data risks creating duplicate Salesforce users or updating the wrong existing record.

How Tray.ai helps

tray.ai supports multi-field matching logic that cross-references Azure AD Object IDs, UPNs, email addresses, and employee numbers against Salesforce user records to confirm the right match before taking any action. Records that don't match get routed to a review queue or logged for manual reconciliation rather than triggering an automated action that could make things worse.
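
The matching rule above, combined with the access-revocation use case earlier on the page, can be sketched as follows. This is an added example, not Tray.ai's workflow code: the records are constructed, the Azure AD side uses Microsoft Graph property names, and `AAD_Object_Id__c` is a hypothetical custom Salesforce field assumed to hold the Object ID.

```python
# Added example; all records are constructed. AAD_Object_Id__c is a hypothetical
# custom Salesforce field assumed to hold the Azure AD Object ID.
KEYS = [("id", "AAD_Object_Id__c"), ("userPrincipalName", "FederationIdentifier"),
        ("mail", "Email"), ("employeeId", "EmployeeNumber")]  # strongest first

def norm(v):
    return v.strip().lower() if isinstance(v, str) and v.strip() else None

def match_user(aad, sf_users):
    """Return (decision, salesforce_id); only an unambiguous match is actionable."""
    hits = {}  # Salesforce Id -> Azure AD properties that agreed
    for a_key, s_key in KEYS:
        a_val = norm(aad.get(a_key))
        if a_val is None:
            continue
        for sf in sf_users:
            if norm(sf.get(s_key)) == a_val:
                hits.setdefault(sf["Id"], []).append(a_key)
    if len(hits) != 1:  # nothing agreed, or identifiers point at different users
        return ("review" if hits else "no_match", None)
    sf_id, fields = next(iter(hits.items()))
    if "id" not in fields and len(fields) < 2:
        return ("review", sf_id)  # one weak identifier alone is not enough
    return ("match", sf_id)

def reconcile(aad_users, sf_users):
    """Classify Azure AD users; flag disabled ones whose Salesforce user is still active."""
    active = {sf["Id"]: sf["IsActive"] for sf in sf_users}
    out = {"revoke": [], "ok": [], "review": [], "no_match": []}
    for aad in aad_users:
        decision, sf_id = match_user(aad, sf_users)
        if decision != "match":
            out[decision].append(aad["id"])  # never auto-act on an uncertain match
        elif not aad["accountEnabled"] and active[sf_id]:
            out["revoke"].append(sf_id)
        else:
            out["ok"].append(sf_id)
    return out
SF_USERS = [  # constructed Salesforce User rows
    {"Id": "005A", "AAD_Object_Id__c": "oid-1", "FederationIdentifier": "ann@corp.example", "Email": "ann@corp.example", "EmployeeNumber": "1001", "IsActive": True},
    {"Id": "005B", "AAD_Object_Id__c": None, "FederationIdentifier": "bob@corp.example", "Email": "bob@corp.example", "EmployeeNumber": "1002", "IsActive": True},
    {"Id": "005C", "AAD_Object_Id__c": None, "FederationIdentifier": None, "Email": "shared@corp.example", "EmployeeNumber": "1003", "IsActive": True},
]
AAD_USERS = [  # constructed Azure AD users
    {"id": "oid-1", "userPrincipalName": "ann@corp.example", "mail": "Ann@corp.example", "employeeId": "1001", "accountEnabled": False},
    {"id": "oid-2", "userPrincipalName": "bob@corp.example", "mail": "bob@corp.example", "employeeId": "1003", "accountEnabled": True},
    {"id": "oid-3", "userPrincipalName": "cat@corp.example", "mail": "shared@corp.example", "employeeId": None, "accountEnabled": False},
    {"id": "oid-4", "userPrincipalName": "dan@corp.example", "mail": "dan@corp.example", "employeeId": "1004", "accountEnabled": True},
]
```

`reconcile(AAD_USERS, SF_USERS)` revokes only `005A`; the disabled account `oid-3` matches a Salesforce user by shared mailbox address alone, so it goes to review instead of deactivating someone else's CRM login.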

Templates

Pre-built workflows for Azure Active Directory and Salesforce you can deploy in minutes.

New Azure AD User → Create Salesforce User with Role & Profile

Monitors Azure AD for newly created or group-assigned users and automatically provisions a matching Salesforce user, assigning the correct profile, role, and permission sets based on the employee's Azure AD group membership and job attributes.

Azure AD User Deactivation → Deactivate Salesforce User & Reassign Records

Listens for account disable or deletion events in Azure AD and immediately deactivates the corresponding Salesforce user, then reassigns their open leads, opportunities, and cases to a predefined manager or queue to prevent record loss.

Azure AD Group Change → Update Salesforce Role & Permissions

Monitors Azure AD group membership changes and updates the corresponding Salesforce user's role, profile, or permission sets to reflect their new position, team, or territory.

Scheduled Azure AD → Salesforce User Attribute Reconciliation

Runs on a schedule to compare user attributes between Azure AD and Salesforce — including email, phone, department, title, and manager — and updates Salesforce records where the authoritative Azure AD source has changed.

Azure AD B2B Guest Invitation → Create Salesforce Account & Contact

Detects when an external user is invited to the Azure AD tenant via B2B invitation and automatically creates or updates the corresponding Salesforce Account and Contact records, tagging them with the partner or client relationship type.

Salesforce New User Request → Provision Azure AD Account & Group Assignment

When a Salesforce admin or HR system submits a new user request through a Salesforce form or record, tray.ai provisions the corresponding Azure AD account, assigns it to the appropriate security groups, and writes the new user's credentials or onboarding status back to the originating Salesforce record.

Ship your Azure Active Directory + Salesforce integration.

We'll walk through the exact integration you're imagining in a tailored demo.