Salesforce integrations at PWG

Salesforce sits at the centre of a mesh of SaaS tools: identity upstream from Entra ID, content in Box, e-sign via DocuSign, PDFs via PDF Butler, payments via BPAY, KYC via bronID, and reporting downstream via Azure Data Factory → the PWG data platform.

| Caller | Mechanism | Purpose |
| --- | --- | --- |
| Entra ID (Azure AD) | SCIM via aad.provision@pwg.com.au | User provisioning + deactivation |
| Azure Data Factory | PWGAzureDataFactory Connected App | Nightly extracts to data platform |
| Workato | Workato connector Connected App | iPaaS flows |
| Power Platform / Power Query | Microsoft Connected Apps | Ad-hoc reporting |
| DocuSign Connect | DocuSign Connect for Salesforce | Envelope status callbacks |
| Own for Salesforce | Own for Salesforce Connected App | Metadata + data backup |
| Data loaders (several) | dataloader.io, Dataloader Bulk | Bulk data ops |
| Claude MCP | JWT Bearer to automation@pwg.com.au | Read-only documentation + audits |

Full list in docs/generated/integrations/connected-apps.md.

44 of 48 Connected Apps are not restricted to Admin-Approved Users (authorise-any). See docs/human/known-issues.md for the hardening backlog.
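
One way to recompute this figure from an org export, added here as an example and not taken from the PWG repository. It assumes the export is the JSON output of `sf data query` over the standard `ConnectedApplication` object and its `OptionsAllowAdminApprovedUsersOnly` field. The function names and the placeholder app names are hypothetical.

```python
import json

# Constructed sample in the shape `sf data query --json` returns for:
#   SELECT Name, OptionsAllowAdminApprovedUsersOnly FROM ConnectedApplication
# The two restricted names come from this page; the rest are placeholders.
SAMPLE = json.dumps({"status": 0, "result": {"done": True, "totalSize": 5, "records": [
    {"Name": "PDF Butler", "OptionsAllowAdminApprovedUsersOnly": True},
    {"Name": "Copilot for Sales", "OptionsAllowAdminApprovedUsersOnly": True},
    {"Name": "Placeholder App B", "OptionsAllowAdminApprovedUsersOnly": False},
    {"Name": "Placeholder App A", "OptionsAllowAdminApprovedUsersOnly": False},
    {"Name": "Placeholder App C"},  # flag missing from the export
]}})


def audit_connected_apps(raw_json):
    """Return (restricted, authorise_any) lists of Connected App names."""
    doc = json.loads(raw_json)
    if doc.get("status") != 0:
        raise ValueError("query failed; refusing to report a clean result")
    result = doc["result"]
    if result.get("done") is False:
        raise ValueError("result set is truncated; fetch remaining pages first")
    restricted, open_apps = [], []
    for rec in result["records"]:
        # Only an explicit True counts as restricted. A missing or null
        # flag is treated as authorise-any so gaps in the export fail closed.
        if rec.get("OptionsAllowAdminApprovedUsersOnly") is True:
            restricted.append(rec["Name"])
        else:
            open_apps.append(rec["Name"])
    return sorted(restricted), sorted(open_apps)


def summary(raw_json):
    """One-line count in the same form as the figure quoted above."""
    restricted, open_apps = audit_connected_apps(raw_json)
    total = len(restricted) + len(open_apps)
    return f"{len(open_apps)} of {total} Connected Apps are authorise-any"


if __name__ == "__main__":
    print(summary(SAMPLE))
    for name in audit_connected_apps(SAMPLE)[1]:
        print("  harden:", name)
```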

Outbound callouts from Salesforce are handled through Named Credentials, so authentication is managed by the platform rather than hand-rolled in Apex.

| Named Credential | Endpoint | Auth Principal |
| --- | --- | --- |
| BoxNamedCreds | https://api.box.com/2.0/ | NamedUser |
| BPAYCRNGeneratorDEV | | |
| bronID | | |
| Mass_Action | https://partnerswealthgroup.my.salesforce.com | NamedUser |
| MSGraphAPI | | |

What each one is for:

  • BoxNamedCreds — document storage, client files.
  • MSGraphAPI — Microsoft 365 integration (mail, users, Graph search).
  • bronID — KYC / identity verification.
  • BPAYCRNGeneratorDEV — CRN generation for payments.
  • Mass_Action — self-callout for scheduled flow actions.

Source: docs/generated/integrations/named-credentials.md.

  • Entra ID is the upstream identity provider for all human users. SSO flows through SAML/OpenID; provisioning flows through SCIM.
  • The aad.provision@pwg.com.au integration user holds the SCIM permissions and accounts for roughly 97% of API traffic (confirmed 2026-04-24 to be one-off manual updates, not a runaway re-sync).
  • 16 Auth Providers are configured (Box, DocuSign, LinkedIn, Google, Microsoft, Meta, Salesforce self-OAuth). Full list in docs/generated/integrations/auth-providers.md.
  • Box is the primary document store, surfaced inside Salesforce via Box for Salesforce (Connected App + BoxNamedCreds + BoxAuth + BoxFedSearch for federated search).
  • PDF Butler (APAC1 region, admin-approved-only) generates client-facing PDFs: advice documents, reviews, statements.
  • DocuSign handles all e-signature flows. The DocuSign Connect Connected App writes envelope status back to Salesforce.
  • Copilot for Sales (admin-approved-only) exposes Salesforce context inside Outlook and Teams.
  • PWG SharePoint Tools and Salesforce Integration with Microsoft Teams wire the org into PWG’s broader collaboration stack.
  • Microsoft Enterprise Search PWG exposes Salesforce records to M365 search.
  • PWGAzureDataFactory (Azure Data Factory Connected App) extracts Salesforce data into Azure for the PWG data platform (Hex, Power BI, analytics).
  • docs/generated/integrations/INDEX.md — auto-generated inventory.
  • docs/human/admin-procedures.md — how to add a new integration.
  • docs/human/known-issues.md — Connected App hardening backlog.