Configuring SCIM User Provisioning With Azure Active Directory

Learn how to configure SCIM with Azure AD to provision users to your Staffbase platform automatically.

In this article, you will learn how to set up SCIM using Azure AD as the identity provider.

System for Cross-domain Identity Management (SCIM) allows you to provision users to the Staffbase platform using an identity provider. Learn more.

SCIM is optional for user management. You can choose an option based on your business requirements. Learn more about other options.

Prerequisites

  • The SCIM feature is activated for your organization. If not, contact your Customer Success Manager.
  • You have an Azure AD tenant.
  • You have one of the following permissions to configure provisioning in Azure AD:
    • Application Administrator
    • Cloud Application Administrator
    • Global Administrator
  • You have the SCIM endpoint URL for your Staffbase platform.
    The URL has the following format: https://<your-domain>/scim
  • You have generated an API token with administrative access via the Staffbase Studio.

Creating an Enterprise Application

You need to create an enterprise application to manage your user provisioning.

Staffbase recommends creating a dedicated application to maintain users for your Staffbase platform. You can use a single enterprise application for both SCIM and SSO for your user management.
  1. In Microsoft Azure, under Azure services, click Azure Active Directory.
  2. Navigate to Enterprise applications.
  3. Click New application.
  4. Click Create your own application.
    The Create your own application dialog opens.
  5. Provide a name for the application. For example, Staffbase User Provisioning or something similar to help you instantly identify the application.
  6. Select the option Integrate any other application you don't find in the gallery (Non-gallery).
  7. Click Create.
    You have created an application to provision users using SCIM.

Creating the Application Connection

Once you have created the application, you need to establish a connection from Azure AD to your Staffbase platform so that the application can start provisioning user accounts automatically. Learn how application provisioning works in Azure AD.

  1. In the enterprise application you created, navigate to Overview.
  2. Under Provision User Accounts, click Get started.
    The Provisioning page opens.
  3. Click Get started.
  4. From the Provisioning Mode dropdown menu, select Automatic.
  5. Under Tenant URL, paste the SCIM endpoint URL of your Staffbase platform.
    The URL has the following format: https://<your-domain>/scim
  6. Under Secret Token, paste the API token with administrative access.
  7. Click Test Connection.
If the connection does not work, ensure that:
  • the SCIM feature is enabled for your organization.
  • the SCIM endpoint URL is correct.
  • the API token is valid and has administrative access.
  8. Click Save once the connection test succeeds.
    The Mappings and Settings tabs open. You have created automatic provisioning for the application. Now, you need to define the mapping for user provisioning.

Defining the Mapping for User Provisioning

After creating automatic user provisioning, you need to define the mapping for the provisioning by mapping each source attribute to a target attribute. Here, the source attribute is the attribute of the user in Azure AD, and the target attribute is the attribute of the user that Azure AD sends to the Staffbase platform.
Learn more about how to customize user provisioning attribute-mappings in Azure Active Directory.

Here, only a minimum mapping to get you started is shown. You can create more mappings based on your business needs.
  1. Expand the Mappings section in the enterprise application you created and click Provision Azure Active Directory Users.
  2. Keep the following source attributes and delete the rest:
    • userPrincipalName
    • Switch([IsSoftDeleted], , "False", "True", "True", "False")
    • mail
    • givenName
    • surname
    After deleting the attributes that are not required, only these five mappings remain.
  3. Click userPrincipalName.
    The Edit Attribute dialog opens.
  4. From the Target Attribute dropdown menu, select externalId.
You must include the identifier (externalId) as a target attribute, and it must have a Matching precedence of 1 in the mapping.

If you already have existing users in the platform, ensure their identifiers are set and match the configured precedence.

The source attribute for externalId can differ depending on which value externalId should have in your Staffbase platform.
  5. Click OK.
  6. Click Save.
    Ensure that you save the changes after you add each mapping.
  7. Click mail.
    The Edit Attribute dialog opens.
  8. From the Source Attribute dropdown menu, select userPrincipalName.
You can also select a user field that contains the user's email address value.
  9. Click OK.
  10. Click Save.

You have created the minimum mapping required to get you started with provisioning users.
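As an added illustration (not Staffbase or Microsoft code), the following Python models what the minimum mapping above produces for one Azure AD user and how matching on externalId with precedence 1 decides between updating an existing Staffbase user and creating a new one. The `emails` sub-attribute layout, the behaviour of Switch with an empty default, and the sample user record are assumptions.

```python
from typing import Any, Optional

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def switch_expr(source: Optional[str], default: Optional[str], *pairs: str) -> Optional[str]:
    """Model of the Azure AD mapping function Switch(source, default, key1, value1, ...).
    Assumption: an empty default (None) leaves the target attribute unset."""
    if len(pairs) % 2:
        raise ValueError("Switch needs key/value pairs")
    table = dict(zip(pairs[0::2], pairs[1::2]))
    return table.get(source, default)


def build_scim_user(azure_user: dict[str, Any]) -> dict[str, Any]:
    """Apply this guide's minimum mapping to one Azure AD user record."""
    upn = azure_user["userPrincipalName"]
    # Switch([IsSoftDeleted], , "False", "True", "True", "False") from the guide:
    # a soft-deleted user is sent as inactive, everyone else as active.
    active = switch_expr(azure_user.get("IsSoftDeleted"), None,
                         "False", "True", "True", "False")
    scim_user: dict[str, Any] = {
        "schemas": [SCIM_USER_SCHEMA],
        # userPrincipalName -> externalId, the matching attribute (precedence 1)
        "externalId": upn,
        # mail -> source changed to userPrincipalName, so the UPN is sent as the
        # email address (assumed SCIM layout: emails[type eq "work"].value)
        "emails": [{"type": "work", "value": upn}],
        "name": {"givenName": azure_user.get("givenName"),
                 "familyName": azure_user.get("surname")},
    }
    if active is not None:
        scim_user["active"] = active == "True"
    return scim_user


def plan_provisioning(scim_user: dict[str, Any], existing_users: list) -> tuple:
    """Match on externalId (precedence 1): a Staffbase user with the same externalId
    is updated; if no identifier matches, a new user is created. This is why existing
    users must have their identifiers set before provisioning starts."""
    for existing in existing_users:
        if existing.get("externalId") == scim_user["externalId"]:
            return ("update", existing["id"])
    return ("create", None)


# Constructed sample record, not real directory data.
SAMPLE_AZURE_USER = {"userPrincipalName": "jane.doe@example.com",
                     "IsSoftDeleted": "False", "givenName": "Jane", "surname": "Doe"}
```

Running `plan_provisioning` against a list of existing users that lack an externalId shows the duplicate-creation risk the note above warns about.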

Assigning Users

After mapping, you can assign users and prepare them for provisioning.
Learn more about how to assign users and groups to an enterprise application in Azure Active Directory.

Staffbase recommends starting with on-demand provisioning of a few users to test everything works as expected.
  1. In the enterprise application you created, click Users and groups.
    The Users and groups page opens.
  2. Click Add user/group.
  3. Click None Selected.
    The Users and groups dialog opens.
  4. Search for the user or group you want to add and click Select.
  5. Click Assign.
    You have assigned users or groups to the application.

Provisioning Users On-Demand

After assigning users, provision one or two users on-demand to see if it works as expected.
Learn more about on-demand provisioning in Azure Active Directory.

  1. In the enterprise application you created, click Provisioning.
    The Provisioning page opens.
  2. Click Provision on demand.
    The Provision on demand page opens.
  3. Search for and select the user you want to provision.
    Any user you assigned to the application can be provisioned.
  4. Click Provision.

You have provisioned the user to the Staffbase platform.

You can find the provisioned user under the Registered Users section in the Staffbase Studio. If the provisioned user is new, you can find the user under Pending Users.

Test with on-demand provisioning until everything works as expected. You can configure more mappings depending on your business requirements. Learn more about it here. Once your tests pass, you can configure automatic provisioning.

Provisioning Users Automatically

  1. In the enterprise application you created, click Provisioning.
    The Provisioning page opens.
  2. Click Start provisioning.
    Provisioning cycles usually last 40 minutes. Click Refresh to see the provisioning status.

The provisioning logs might take some time to update after provisioning is complete.
Learn more about how long it takes to provision users.

The Azure AD provisioning service includes a feature to help avoid accidental deletions. This feature ensures that users aren't disabled or deleted in an application unexpectedly.
Learn more about accidental deletion prevention.

You have automatically provisioned users added to the application.

Additional Helpful Information