Eptura Knowledge Center

Configure SCIM provisioning for Azure AD

Configure SCIM for Condeco in Azure Active Directory and view the status of the current cycle.

Before you start

The SCIM provisioning for Microsoft Azure AD guide is written for Azure Active Directory administrators configuring user provisioning for Condeco using the Condeco SCIM API. It assumes familiarity with Azure AD, basic identity management concepts, and the SCIM standard.

Learn more about the prerequisites and supported actions.

How to configure SCIM for Condeco in Azure Active Directory

  1. Sign in to the Azure portal and open Azure Active Directory.
  1. Select Enterprise applications.
  1. Click New application.
  1. Click Create your own application.
  1. Enter a name for the new application, e.g. ‘CondecoScimApplication’, and select Integrate any other application you don’t find in the gallery. Click Create.
  1. From the Overview page for your new application, click Provision User Accounts.
  1. Click Get started.
  1. On the Provisioning page, click the Provisioning Mode drop-down and select Automatic.
  1. Add the Admin Credentials:
    1. Tenant URL: enter the Condeco SCIM URL i.e. https:///scim/api/V1/
    2. Secret Token: enter the token from your token provider. Learn how to generate a token
  1. Click Test connection and if successful, click Save to save your new application.
  1. Still on the Provisioning page, expand the Mappings section and click Provision Azure Active Directory Users.
  1. The Attribute Mapping table must only contain the following customappsso attributes:

Mandatory attributes:

  • userName
  • active
  • emails[type eq “work”].value
  • name.givenName
  • name.familyName
  • externalId

Optional attributes:

  • phoneNumbers[type eq “work”].value
  • phoneNumbers[type eq “mobile”].value

Phone number values: Phone number values must follow the RFC 3966 standard. More information about phone number values is available in the SCIM API Developers Guide > Schemas or visit the Internet Engineering Task Force (IETF) RFC Editor for full details of RFC 3966: https://www.rfc-editor.org/

Click Delete to delete mappings not listed above. The image shows only the required mappings.

Mappings 01.PNG

Learn more about SCIM User attributes and the associated Condeco User attributes

  1. Still on the Attribute Mapping page, click the “externalId” mapping in the customappsso Attribute column and change the values as follows:

Mapping type: Direct
Source attribute: objectId
Default value if null (optional): leave blank
Target attribute: externalId
Match objects using this attribute: No
Apply this mapping: Always

  1. Click OK to save the values.
  1. Click Save to save the Attribute Mappings and click Yes to confirm.
  1. Expand the Mappings section and click Provision Azure Active Directory Groups.
  1. Click Yes to enable Provision Azure Active Directory Groups, then click Save.
  1. The Attribute Mapping page is displayed. Edit the group attributes as follows:
    1. Click the group attribute “displayname” to open the Edit Attribute page. Change Matching precedence to 2.
    2. Click OK to save and return to the Attribute Mapping page.
    3. Click the group attribute “objectId” to open the Edit Attribute page. Click Match object using this attribute and select Yes. Check the Matching precedence value is 1.
    4. Click OK to save and return to the Attribute Mapping page.
    5. Click the group attribute “displayname” again to open the Edit Attribute page. Click Match object using this attribute and select No. Check the Matching precedence value is now 0.
  1. Click OK to save and return to the Attribute Mapping page.
  1. Click Save to save the Attribute Mappings and click Yes to confirm.
  1. Click X to close Attribute Mapping and return to the Provisioning Page.
  1. Expand Settings, click the Scope drop-down list and select Sync all users and groups.
    Note: If the Scope drop-down list is not visible, close the Provisioning page and click Edit Provisioning to reopen.
  1. Set the Provisioning Status button to On.
  1. Click Save to complete the SCIM application provisioning.
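
The user attribute mapping step above can be checked offline before provisioning is switched on. The following is an added example, not Condeco or Microsoft code: it tests a SCIM User resource against the mandatory and optional attribute paths listed in this guide and flags phone values that are not RFC 3966 `tel:` URIs. The sample resources are constructed, the paths are written with straight quotes, and the phone check accepts only a conservative subset of RFC 3966 (global numbers without parameters), which is an assumption.

```python
import re

# Attribute paths listed in the Attribute Mapping step above.
MANDATORY = ["userName", "active", 'emails[type eq "work"].value',
             "name.givenName", "name.familyName", "externalId"]
OPTIONAL = ['phoneNumbers[type eq "work"].value',
            'phoneNumbers[type eq "mobile"].value']
PATH = re.compile(r'^(\w+)(?:\[type eq "(\w+)"\])?(?:\.(\w+))?$')
# Assumption: conservative subset of RFC 3966 (global number, no parameters).
TEL_URI = re.compile(r"^tel:\+[0-9](?:[0-9().-]*[0-9])?$")

def resolve(user, path):
    """Return the value at a mapping path, or None if it is absent."""
    attr, type_filter, sub = PATH.match(path).groups()
    node = user.get(attr)
    if type_filter is not None:
        items = node if isinstance(node, list) else []
        node = next((i for i in items
                     if isinstance(i, dict) and i.get("type") == type_filter), None)
    if sub is not None:
        node = node.get(sub) if isinstance(node, dict) else None
    return node

def check_user(user):
    """Return a list of problems; an empty list means the resource fits the mapping."""
    problems = []
    for path in MANDATORY:
        if resolve(user, path) in (None, ""):
            problems.append(f"missing mandatory attribute: {path}")
    for path in OPTIONAL:
        value = resolve(user, path)
        if value is not None and not TEL_URI.match(str(value)):
            problems.append(f"not an RFC 3966 tel URI: {path}={value!r}")
    allowed = {PATH.match(p).group(1) for p in MANDATORY + OPTIONAL} | {"schemas"}
    problems += [f"unmapped attribute would be sent: {k}" for k in user if k not in allowed]
    return problems

# Constructed sample resources (not real accounts).
SAMPLE_OK = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alex@example.com", "active": True,
    "externalId": "00000000-0000-0000-0000-000000000001",
    "name": {"givenName": "Alex", "familyName": "Doe"},
    "emails": [{"type": "work", "value": "alex@example.com"}],
    "phoneNumbers": [{"type": "work", "value": "tel:+1-201-555-0123"}],
}
SAMPLE_BAD = dict(SAMPLE_OK, externalId="", title="Engineer",
                  phoneNumbers=[{"type": "mobile", "value": "07700 900123"}])
```

`check_user(SAMPLE_OK)` returns an empty list; `check_user(SAMPLE_BAD)` reports the empty externalId, the unprefixed mobile number, and the unmapped `title` attribute.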

Current cycle status

In the Manage navigation menu select Provisioning to view the status of the current or initial incremental cycle. Use the buttons at the top to manually start or stop provisioning, and click View Provision details to check the schedule for the next run.
