Set up Microsoft Entra ID for SCIM

Available from Version: 8.10 

Required Permissions: IT Admin 

SCIM (System for Cross-Domain Identity Management) is a standard for providing user information to an application automatically.

In contrast to the Directory Sync, the information is not actively requested by empower®; the directory service pushes it as soon as the transferred information changes.

SCIM offers the following advantages:

  • empower® does not need any access rights to the user directory.

  • The filters are managed in the directory service itself.

  • The directory service is not put under regular load as long as no changes are made.

Important

Before setting up Microsoft Entra ID to use SCIM as the provisioning method, the app registration in Microsoft Entra ID must be performed.

For this app registration, use the script that is provided by empower. To do so, follow the instructions on the following page:

Script for App Registration in Microsoft Entra ID 

Make sure to set the setting useSCIM to true.

Adjust the App Registration for SCIM

To use SCIM, the existing app registration needs to be adjusted.

For SCIM, the app registration requires a different set of permissions in comparison to the Directory Sync.

If you have used the script provided by empower to set up the app registration and if you have set the setting useSCIM to true, the permissions should already be set correctly after executing the script.

Important

The app registration must be performed before the empower® Backend is installed.

To check whether the permissions have been set correctly, follow these steps:

  1. Under App registrations, select the app registration that you have created for empower®.

  2. Navigate to the tab API permissions.

  3. Under Configured Permissions, check that the permission User.Read with the type Delegated is set.

    1. If additional permissions are set, remove them.

Important

Check the permissions before the empower® Backend installation.

If you are not hosting in the empower® Cloud, you can then proceed by installing the empower® Backend.

For further information regarding the installation of the empower® Backend, see Install the empower® Backend (Version >= 9.7).

If you are hosting in the empower® Cloud, empower® Support will take care of the backend installation.

Note

The user interface in the Azure Portal may change at any time. If you are unsure about an aspect, refer to the Microsoft documentation.

Adjust Additional Settings for SCIM

After the app registration has been performed and the empower® Backend has been installed, you need to make additional settings in Microsoft Entra ID.

Important

The following settings must only be adjusted after the empower® Backend has been installed.

To make these adjustments, follow these steps:

  1. Navigate to the application-specific overview.

  2. Open the tab Provisioning.

  3. In the drop-down menu next to Provisioning Mode, choose the option Automatic.

    This is the recommended setting. Your setting may vary depending on your company's requirements.

  4. In the input field next to Tenant URL, enter the URL of the SCIM endpoint.

    This endpoint was generated during the installation of the empower® Backend.

    It has the following format:

    https://[DNS NAME]/empower/scimapi/scim

    Replace the placeholder with your DNS name. If you are hosting in the empower® Cloud, the DNS name has been provided by empower®.

  5. In the input field next to Secret Token, enter the token that was generated during the installation of the empower® Backend.

  6. To test the connection, click on the button Test Connection.

    If the test fails, an error message is displayed.

    1. If the test fails, check the values and correct them if required.

  7. If the test is successful, click on the button Save.

Your enterprise application and the included app registration should now be set up for SCIM.

Note

The user interface in the Azure Portal may change at any time. If you are unsure about an aspect, refer to the Microsoft documentation.

Adjust Mappings for SCIM

To set up SCIM, the attribute mappings need to be adapted.

In the section Mappings, there are two attribute mappings: one for users and one for groups. To use empower®, the standard mappings for users need to be adapted.

To do so, follow these steps:

  1. In section Manage Provisioning under Provisioning, click on Edit Mappings.

  2. Then, in the section Mappings, click on the link Provision Azure Directory Users.

  3. Switch the mapping for externalId and objectId.

    By default, the e-mail prefix is usually used as the source value for externalId.

    1. To do so, click on the button Edit for the respective mapping.

    2. Then, set objectId as source attribute and externalId as target attribute.

    3. Click on the button Ok.

  4. After the configuration, set the Provisioning Status to On.

  5. To activate the Entra ID provisioning service, click on the button Save.
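The following Python script is an added example and is not part of this article or of the empower® product; it shows, from the receiving side, what the three settings above mean for the SCIM endpoint: the Tenant URL must have the documented shape with the placeholder replaced, every provisioning request from Entra ID carries the Secret Token as a Bearer token and must be checked in constant time, and after the mapping step the externalId of each User resource is the Entra objectId (a GUID) rather than an e-mail prefix. The token, DNS name, user and objectId values are constructed for the example; the handler is a hypothetical minimal stand-in for the real backend.

```python
import hmac
import json
import re
from urllib.parse import urlsplit

# Constructed values for this example only. The real token is the one generated
# during the empower Backend installation, and the DNS name is your own.
EXPECTED_TOKEN = "constructed-example-secret-token"
SCIM_PATH = "/empower/scimapi/scim"
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


def check_tenant_url(url):
    """Return a list of problems with the Tenant URL entered in the Provisioning tab.

    An empty list means the URL has the documented shape
    https://<dns name>/empower/scimapi/scim with the placeholder replaced.
    """
    if "[" in url or "]" in url:
        # urlsplit would reject "[DNS NAME]" as a malformed IPv6 host anyway.
        return ["placeholder [DNS NAME] has not been replaced"]
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https (the token travels in the request)")
    if not parts.netloc:
        problems.append("DNS name is missing")
    if parts.path.rstrip("/") != SCIM_PATH:
        problems.append("path must be " + SCIM_PATH)
    return problems


def token_is_valid(headers):
    """Check the Bearer token Entra ID sends with every provisioning request.

    hmac.compare_digest keeps the comparison constant-time, so a wrong token
    cannot be told apart from a nearly-right one by response timing.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode())


def check_user_resource(user):
    """Validate a SCIM User resource as it arrives after the mapping step.

    With the switched mapping, externalId carries the Entra objectId, a GUID that
    stays the same for the lifetime of the account. A value that is not a GUID
    indicates that the default mapping (e-mail prefix) is still active.
    """
    problems = []
    if SCIM_USER_SCHEMA not in user.get("schemas", []):
        problems.append("missing core User schema")
    if not user.get("userName"):
        problems.append("userName is required")
    ext = user.get("externalId", "")
    if not ext:
        problems.append("externalId is missing")
    elif not GUID_RE.match(ext):
        problems.append("externalId is not an objectId GUID; mapping not switched")
    return problems


def handle_post_user(headers, body):
    """Minimal handler for POST <Tenant URL>/Users; returns (status, response dict)."""
    if not token_is_valid(headers):
        return 401, {"detail": "invalid or missing bearer token"}
    try:
        user = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"detail": "body is not JSON"}
    problems = check_user_resource(user)
    if problems:
        return 400, {"detail": "; ".join(problems)}
    # A real SCIM server assigns its own id; the objectId is reused here for brevity.
    return 201, {"id": user["externalId"], "userName": user["userName"]}


# Constructed sample request, shaped like an Entra ID provisioning call.
SAMPLE_HEADERS = {
    "Authorization": "Bearer " + EXPECTED_TOKEN,
    "Content-Type": "application/scim+json",
}
SAMPLE_USER = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "jane.doe@example.com",
    "externalId": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",  # constructed objectId
})

if __name__ == "__main__":
    print(check_tenant_url("https://[DNS NAME]/empower/scimapi/scim"))
    print(check_tenant_url("https://empower.example.com/empower/scimapi/scim"))
    print(handle_post_user(SAMPLE_HEADERS, SAMPLE_USER))
```

If Test Connection in the Provisioning tab fails, the first two checks are the usual causes: a Tenant URL that still contains the placeholder or does not end in /empower/scimapi/scim, or a Secret Token that does not match the one generated during the backend installation. A 400 with "mapping not switched" corresponds to the situation where provisioning is turned on before the externalId mapping in the next section has been changed.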

Note

The user interface in the Azure Portal may change at any time. If you are unsure about an aspect, refer to the Microsoft documentation.

The instructions above refer to the English user interface in the Azure Portal.
