Configuring SCIM User Provisioning With Azure Active Directory

In this article, you will learn how to set up SCIM using Azure AD as the identity provider.

System for Cross-domain Identity Management (SCIM) allows you to provision users to the Staffbase platform using an identity provider. Learn more.

• The SCIM feature is activated for your organization. If not, contact your Customer Success Manager.
• You have an Azure AD tenant.
• You have one of the following permissions to configure provisioning in Azure AD:
  • Application Administrator
  • Cloud Application Administrator
  • Global Administrator
• You have the SCIM endpoint URL for your Staffbase platform.
  The URL has the following format: https://<your-domain>/scim
• You have generated an API token with administrative access via the Staffbase Studio.

You need to create an enterprise application to manage your user provisioning.

1. In Microsoft Azure, under Azure services, click Azure Active Directory.
   
2. Navigate to Enterprise applications.
3. Click New application.
4. Click Create your own application.
   The Create your own application dialog opens.
   
5. Provide a name for the application. For example, Staffbase User Provisioning or something similar to help you instantly identify the application.
6. Select the option Integrate any other application you don't find in the gallery (Non-gallery).
7. Click Create.
   You have created an application to provision users using SCIM.

Once you have created the application, you need to establish a connection from Azure AD to your Staffbase platform in order to start automatic user accounts provisioning using the application. Learn how application provisioning works in Azure AD.

1. In the enterprise application you created, navigate to Overview.
2. Under Provision User Accounts, click Get started.
   
   
   The Provisioning page opens.
3. Click Get started.
4. From the Provisioning Mode dropdown menu, select Automatic.
   
5. Under Tenant URL, paste your SCIM endpoint URL for your Staffbase platform.
   For example, the URL uses the following format: of https://<your-domain>/scim
6. Under Secret Token, paste the API token with administrative access.
7. Click Test Connection.

8. Click Save once the connection is successfully created.
   The Mappings and Settings tabs open. You have created automatic provisioning for the application. Now, you need to define the mapping for user provisioning.

After creating automatic user provisioning, you need to define the mapping for the provisioning by mapping the source attribute to the target attribute. In this, the source attribute is the attribute of the user in Azure AD. The target attribute is the attribute of the user that is sent from Azure to the Staffbase platform.
Learn more about how to customize user provisioning attribute-mappings in Azure Active Directory.

1. Expand the Mappings section in the enterprise application you created and click Provision Azure Active Directory Users.
   
2. Keep the following source attributes and delete the rest:
   • userPrincipalName
   • Switch([IsSoftDeleted], , "False", "True", "True", "False")
   • mail
   • givenName
   • surname
     After deleting attributes that are not required, the resulting mapping will look like this:
     
3. Click userPrincipalName.
   The Edit Attribute opens.
4. From the Target Attribute dropdown menu, select externalID.
   
   

5. Click OK.

6. Click Save.

   Ensure to save the changes after you add each mapping.

7. Click mail.
   The Edit Attribute opens.

8. From the Source Attribute dropdown menu, select userPrincipalName.

9. Click OK.
10. Click Save.
    The final result will look like this:
    

You have created the minimum mapping required to get you started with provisioning users.

After mapping, you can assign users and prepare them for provisioning.
Learn more about how to assign users and groups to an enterprise application in Azure Active Directory.

1. In the enterprise application you created, click Users and groups.
   
   
   

The Users and groups page opens.

2. Click Add user/group.

   

3. Click None Selected.
   The Users and groups dialog opens.

4. Search for the user or group you want to add and click Select.

   

5. Click Assign.
   You have assigned users or groups to the application.

After assigning users, provision one or two users on-demand to see if it works as expected.
Learn more about on-demand provisioning in Azure Active Directory.

1. In the enterprise application you created, click Provisioning.
   The Provisioning page opens.
2. Click Provision on demand.
   The Provision on demand page opens.

4. Click Provision.
   

You have provisioned the user to the Staffbase platform.

Test with on-demand provisioning to ensure everything works as expected. You can configure more mappings depending on your business requirements. Learn more about it here. After testing it again, you can configure automatic provisioning.

1. In the enterprise application you created, click Provisioning.
   The Provisioning page opens.
2. Click Start provisioning.

You have automatically provisioned users added to the application.

• SCIM Protocol
• How Application Provisioning Works in Azure Active Directory
• Overview Azure AD built-in Roles
• Customize user provisioning attribute-mappings in Azure Active Directory
• Assign users and groups to an enterprise application in Azure Active Directory
• On-demand provisioning in Azure Active Directory
• Provisioning logs in Azure Active Directory
• How long will it take to provision users with Azure Active Directory
• Enable accidental deletions prevention in the Azure AD provisioning service
• Troubleshooting
  • Known issues for application provisioning in Azure Active Directory
  • Problem configuring user provisioning to an Azure AD Gallery application
  • Application provisioning in quarantine status
  • No users are being provisioned
  • Missing source attribute