Configuring SCIM User Provisioning With Azure Active Directory

Learn how you can configure SCIM with Azure AD for automatic user provisioning to snapADDY

This article will guide you through the steps for configuring Azure Active Directory as a SCIM client for snapADDY. This way you will be able to automatically provision and manage your users in a single place.

Prerequisites

  • You have an SCIM-API-Key configured in the Login & Security section of your organization
  • You have the permissions to configure User Provisioning in Azure AD (one of: Application Administrator, Cloud Application Administrator, Global Administrator)

We recommend using SCIM along with either SAML or OpenID-Connect Single-SignOn and disabling login via username and password in the Login & Security section of your organization. Make sure to also disable the snapADDY invitation email for your users under Invitation & Onboarding. This way users will not be asked to configure a password for their account.

 

Set up an Enterprise Application in Azure AD

If you have already configured an Enterprise Application for snapADDY, or already use the snapADDY Single Sign On app in Azure AD, you can skip this part and move on to Configure User Provisioning.

  1. Go to Enterprise Applications in Azure AD and choose New Application -> Create your own Application.
  2. On the right side of the screen choose: Integrate any other application you don't find in the gallery (Non-gallery).
  3. Provide a name for the application such as snapADDY User Provisioning or snapADDY Single SignOn if you intend to also configure SAML later on with the same application.

 

Configure User Provisioning

  1. Click on Provisioning in the left navigation bar of the Enterprise Application and then Get started.
  2. Use the following settings:
    1. Provisioning Mode: Automatic.
    2. Tenant URL: https://backend.snapaddy.com/auth/v1/scim?aadOptscim062020
  3. Click Test Connection and Save after a successful connection check.
  4. Now in the Mappings section, disable Provision Azure Active Directory Groups (we do not support Group Provisioning, e.g. for snapADDY usergroups, at the moment).

     
  5. Next configure the Attribute Mapping for Provision Azure Active Directory Users:

    Azure Active Directory Attribute | snapADDY Attribute
    -------------------------------- | ------------------
    mail | userName
    Switch([IsSoftDeleted], , "False", "True", "True", "False") | active
    givenName | name.givenName
    surname | name.familyName
    telephoneNumber | phoneNumbers[type eq "work"].value
    Mid([preferredLanguage], 1, 2) | locale
    (set this optionally to your preferred value. This will be mapped to the CRM-User-ID property of the user in snapADDY) | externalId

    Remove any other attributes and set the Matching precedence of the mail attribute to 1.

  6. Under Settings set Scope to Sync only assigned users and groups.
  7. Set Provisioning Status to On and Save your settings. 
  8. Go back to your Enterprise Application and choose Users and groups in the left navigation bar.
  9. Add all users or groups of your organization that should have a snapADDY account provisioned.

🎉 You are all set up. The initial provisioning cycle will run automatically. If any errors occur during user provisioning, you can see them in the Provisioning Logs of your Enterprise Application.
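
To check the Provisioning Logs against what the attribute mapping above should produce, the following added example (not snapADDY or Microsoft code) applies that mapping to constructed Azure AD user records and builds the resulting SCIM 2.0 User resource. The sample users, the helper names and the use of employeeId as the externalId source are assumptions made for illustration.

```python
import json

# Constructed sample directory records (not real accounts).
SAMPLE_USERS = [
    {"mail": "ada@example.com", "givenName": "Ada", "surname": "Lovelace",
     "telephoneNumber": "+49 931 0000000", "preferredLanguage": "de-DE",
     "IsSoftDeleted": "False", "employeeId": "E-1001"},
    {"mail": "bob@example.com", "givenName": "Bob", "surname": "Stone",
     "IsSoftDeleted": "True"},
]

def switch(source, default, *pairs):
    """Azure AD Switch(): value paired with the matching key, else default."""
    return dict(zip(pairs[0::2], pairs[1::2])).get(source, default)

def mid(source, start, length):
    """Azure AD Mid(): substring with a 1-based start index."""
    return source[start - 1:start - 1 + length]

def to_scim_user(aad, external_id_source=None):
    """Apply the article's attribute mapping to one Azure AD user record."""
    if not aad.get("mail"):
        # mail -> userName is the matching attribute (precedence 1).
        raise ValueError("user has no mail attribute and cannot be matched")
    # Assumption: a record without IsSoftDeleted is treated as not deleted.
    active = switch(str(aad.get("IsSoftDeleted", "False")), None,
                    "False", "True", "True", "False")
    user = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": aad["mail"],
        # SCIM defines active as a boolean; any unexpected value ends up inactive.
        "active": active == "True",
        "name": {"givenName": aad.get("givenName"),
                 "familyName": aad.get("surname")},
    }
    if aad.get("telephoneNumber"):
        user["phoneNumbers"] = [{"type": "work", "value": aad["telephoneNumber"]}]
    if aad.get("preferredLanguage"):
        user["locale"] = mid(aad["preferredLanguage"], 1, 2)
    # external_id_source is hypothetical: whichever attribute you mapped to externalId.
    if external_id_source and aad.get(external_id_source):
        user["externalId"] = aad[external_id_source]
    return user

if __name__ == "__main__":
    for record in SAMPLE_USERS:
        print(json.dumps(to_scim_user(record, "employeeId"), indent=2))
```

The second sample record is soft-deleted, so it maps to active set to false, which is the state to look for in the logs when verifying that removed users are deactivated.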