Microsoft Azure AD Provisioning with SCIM

Modified on Wed, Feb 15, 2023 at 2:35 PM

With the SCIM provisioning, you can automatically import user accounts based on the group memberships from the source system - Azure AD to your target Wellness 360 SCIM application. 

 

For existing user profiles, the SCIM provisioning ensures automatic synchronization between both systems when a change to the user data is detected in the source system. The attribute mapping capability can also be used to customize and match the user attributes that are exchanged during the provisioning process between Azure AD and the SCIM application.

 

Click here for information on –

 Set-Up SSO with Microsoft Azure AD

Setup SSO with Microsoft Office 365/Azure

 

Features

Wellness 360/Azure provisioning integration supports features like:

  • Creates users in Wellness 360

  • Updates user attributes (display name in Wellness 360)

  • Deletes users (terminate users in Wellness 360)

 

When provisioning users, Azure AD is mapped to a single Wellness 360 node. Azure creates or update users in the  Wellness 360 administrative portal.

 

Note: If you have already set up Wellness 360 SSO or you don't have the need for SSO, proceed to Step 2, in the Configuration Steps below.


Creating and configuration of an enterprise application


Note: You need to be a Microsoft Azure AD administrator to complete the steps below. 

 

Step 1 - Creating a new enterprise application in your Microsoft Azure Active Directory (Azure AD) tenant.

 

  1. Log in as an administrator to your account in the Azure AD portal.

  2. Go to the Azure Active Directory (AD).

  3. In the Azure AD navigation menu, select Enterprise Applications.

  4. The All applications page displays enterprise applications created in your Azure AD tenant.

  5. In All applications, click New application (+).

  6. You are redirected to the Azure AD gallery that displays the available application templates.

  7. In Browse Azure AD Gallery (Preview), click Create your own application (+).

  8. Select Integrate any other application you don't find in the gallery, enter a unique name for your SCIM application, and click Create.


You will be redirected to the newly created enterprise application. The navigation menu on the left side lets you display and, if needed, configure the application properties.

 

9. In the application menu, go to Manage, and select Properties.

10. The Properties page allows you to view all configurable parameters of your enterprise application. Leave the default settings.

11. You've just created and configured an enterprise application in Microsoft AD.


The next step will tell about configuring the automatic user provisioning for the SCIM application.


 

Step 2 - Configure provisioning in Microsoft Azure

In this step, you configure the automatic provisioning of users in Microsoft Azure Active Directory. With this configuration, you can import and synchronize all identity and access data via SCIM.


  1. Log in as an administrator to your account in the Azure AD portal.

  2. Go to the Azure Active Directory (AD).

  3. In the Azure AD navigation menu, select Enterprise Applications and navigate to the enterprise application that you created in the previous step.

  4. In the navigation menu, select Provisioning and click Get Started.



5. Select Automatic from the listed options.

6. In a separate window, you will retrieve the Tenant URL and Secret Token from your account manager.

  1. In the Tenant URL, enter the Base URL that you received from the account manager.

  2. In Secret Token, enter the API token that you received from the account manager.

  3. Click Test Connection to verify the communication between Azure AD and the SCIM endpoint.

  4. Click Save if you receive a notification that the entered authentication credentials are correct.

7. In Settings, select On as Provisioning Status.

8. Click Save.


Once the settings saved, go to the Mappings section. 


The following steps will help to assign users to your SCIM application.



The Attribute Mapping page displays all existing attributes in a table with the following two main columns: Azure Active Directory Attribute that contains functions, and Custom Attribute (customappso Attribute) where your new custom attribute will display.

 

To configure your new alias attribute, you have to create the attribute and map it in Azure AD.

 

8.  To create the alias attribute, follow the below steps:

  1. On the Attribute Mapping page, select Show advanced options,, and click Edit attribute list for customappsso. This opens the existing attribute's configuration page.

  2. On the Edit Attribute List page, scroll down to the bottom of the attribute list, and define the following parameters for your attribute:

 1. In the Name column, define your custom attribute. For example, enter aliases[type eq "email"].value, where aliases refer to the Wellness 360 MFA custom attribute, and type eq "email" identifies a set of aliases provisioned for the user profile using the mapping logic that you will define in the following step. The right-hand side of the comparison with type can be changed as long as it is contained in quotation marks "".


2. In the Type column, verify if the String type is selected.

 

c. Click Save, and in Are you sure you want to make these changes, click Yes.

9.  To set up the mapping for your newly defined alias attribute, follow the below steps:

  1. On the Attribute Mapping page, click Add New Mapping.

  2. In Edit Attribute, provide the following information:

  1. In Mapping type, select Expression. This parameter lets you configure the mapping by means of a script-like expression.

  2. In Expression, enter manually the mapping expression using the Append function. For example, enter Append([userPrincipalName], "@wellness360.co"), where Append refers to the function type that lets you add Wellness360 email address to the userPrincipalName attribute.

  3. In Target attribute, enter manually the expression that you defined on the Edit Attribute List page (see step 8b).

  4. Click Ok.

10. Click Save.

11. In the Save changes dialog, click Yes.

 

Your custom attribute has been added and saved to the list of existing attributes.


You just set up alias provisioning that will automatically import users’ aliases to corresponding users’ accounts in Wellness 360 MFA the next time the users are synced.

 

Go to the following step to assign users to your SCIM application.

 

Assign users  in Microsoft Azure

In the last step of the integration, you assign groups to your SCIM application.


1. In the directory navigation menu, select Users and groups.

2. Click Add user.

3. The Add Assignment dialog opens.

4. In the Add Assignment dialog, click Users and groups to unfold a dialog with a list of available users.

5. In the Users and groups dialog, select a user or group you want to assign and click Select.

6. Click Assign.

 


 

You’ve just enabled the immediate transfer of the selected memberships from the Microsoft AD. Users and their privileges are now overwritten in Wellness 360 MFA.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article