SCIM User Provisioning (EntraID/AzureAD)

Introduction

With SCIM Provisioning, you can automatically provision users to GoBright from your EntraID/Azure AD.

You can provision users and groups of users, as well as map certain users/groups to specific User Roles in GoBright.

User provisioning runs every 40 minutes, which is the default interval set by Microsoft.

Note: The GoBright SCIM User Provisioning Tool is currently in "BETA".

Follow the steps below to install and configure the integration!

Step 1

Enable SCIM in GoBright

To integrate SCIM, go to the Admin Center in GoBright and then to Integrations.

Open your existing O365 Integration; at the bottom you will find Processing Settings.

Under Processing Settings, we need to enable Automatic User Creation and SCIM.

When you enable Automatic User Creation, you need to select a User Role. This role is applied to all users synced with SCIM if you don't use Role Mapping (Step 5). If you use Role Mapping with your SCIM configuration, it doesn't matter which User Role you choose under Automatic User Creation.

Under SCIM, copy the Provisioning / Tenant URL somewhere, as it will be used later.

Next, generate a Token by pressing the Generate button. This triggers a prompt asking for the expiration time of the token. By default it is set to 24 months, and it can go up to 48 months. After expiry you will have to regenerate the token.

Once generated, copy the token somewhere secure, as it will be used later.

After the Token is generated, close and Save the Integration!

Step 2

Creating the SCIM Enterprise Application

In EntraID/Azure, go to the Enterprise Applications section and press the “Create your own application” button at the top.

Enter the name you want for the SCIM application and select “Integrate any other application you don’t find in the gallery”.

Step 3

Adding Users/Groups for Provisioning

Now that the application is created, open the SCIM application.

Go to Users and Groups on the left side of the application and press the Add user/group button at the top.

You can select as many Users and Groups as you want and press Assign at the end.

Note: Nested Groups (Group within a Group) cannot be provisioned with SCIM.

When an employee leaves or you need to remove someone's access to GoBright, note the following scenarios:

  • When the user is deleted from GoBright: the user is not deleted from SCIM and will be recreated in GoBright at the next SCIM sync interval.
  • When the user is removed from the users assigned for provisioning in SCIM, or from the group that is assigned in SCIM: the user is disabled in GoBright.
  • When the user is deleted from EntraID/AzureAD but still sits in the Deleted Users section of EntraID/AzureAD: the user is neither disabled nor deleted from GoBright for 30 days, until EntraID/AzureAD permanently deletes the user automatically after the 30-day retention period.
  • When the user is permanently deleted from EntraID/AzureAD: the user is deleted in GoBright.
  • When the user is disabled in EntraID/AzureAD: the user is disabled in GoBright.
  • When the user is disabled in EntraID/AzureAD and then deleted: the user stays disabled for 30 days, until EntraID/AzureAD permanently deletes the user automatically after the 30-day retention period, and is then deleted in GoBright as well.

Step 4

Configuring the Provisioning

After adding the users/groups you want to provision, you need to configure the Provisioning.

Go to the Provisioning tab on the left side of the Application.

When in the Provisioning tab you must press the “Get started” blue button in the middle of the screen.

You will be taken to the provisioning configuration; select the following:

  • Provisioning Mode: Automatic

  • Admin Credentials: the Tenant URL and Token that you generated and copied earlier in the GoBright Portal. You can also Test the Connection; if everything was configured properly it should say “The supplied credentials are authorized to enable provisioning”.

  • Press Save at the top.

You will need to open the Provisioning tab once again as you will need to make changes to the Mappings and the Settings.

Under the Mappings tab, first you must click to open the “Provision Microsoft Entra ID Groups”. Here you must change the Enabled Status to NO and save it.

After that, click to open “Provision Microsoft Entra ID Users”. Under Attribute Mappings you will have to delete several attributes and leave only the ones listed below.

You only need to leave:

  • userName
  • active
  • displayName
  • emails[type eq "work"].value
  • phoneNumbers[type eq "mobile"].value
  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department

Press Save after you have the right attributes.

Under the Settings tab, if you want you can enable the “Send an email notification” option that will send an email when there is a failure with the provisioning, and you can add whichever email address you need.

Finally, set Provisioning Status to “ON” at the bottom of the Provisioning tab.

Step 5

Role Mapping

If you want to map certain Users or Groups to certain User Roles in GoBright, you can do that with the Role Mapping option with SCIM.

You can do that by following the steps:

  • Creating the number of User Roles needed in the SCIM App Registration

In Azure, go to App Registrations and then to All Applications, and open the App Registration for your SCIM application.

When the SCIM App Registration is opened, you need to open the App Roles from the left side panel.

Here you need to create as many roles as you will use as User Roles in GoBright. The roles can be created one by one, or you can create 999 roles with the PowerShell script below.

These roles, with their corresponding number, will need to be matched with the User Roles in GoBright.

To Create a role, you need to press the Create app role button at the top.

  • Display name can be same as the value or a description of the Role, e.g. GB Admins.
  • Allowed member types needs to be Users/Groups.
  • Value must be in the form role001 to role999, e.g. role001
  • Description can be filled with whatever suits you
  • Check to Enable the role

The PowerShell script to add 999 Roles in the SCIM App Registration:

# Install the AzureAD module (once) and sign in
Install-Module -Name AzureAD -Scope CurrentUser -Force
Connect-AzureAD

# Create an Azure AD app role with the given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.MSGraph.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("User")   # "User" allows assignment to users and groups
    # $appRole.AllowedMemberTypes.Add("Application")
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name
    return $appRole
}

# Object ID of the SCIM application from App Registrations in your Azure AD (replace with your own)
$appObjectId = "ed919fd1-a146-4ce0-93b5-5603db6e30cb"
$app = Get-AzureADMSApplication -ObjectId $appObjectId

Write-Host "App Roles before addition of new roles.."
$appRoles = $app.AppRoles
Write-Host $appRoles

# Add role001 .. role999, skipping any value that already exists on the application
for ($i = 1; $i -lt 1000; $i++) {
    $rolename = "role" + ('{0:d3}' -f $i)
    $newRole = CreateAppRole -Name $rolename -Description $rolename
    if (!($appRoles | Where-Object { $_.Value -eq $newRole.Value })) {
        $appRoles.Add($newRole)
    }
}
Set-AzureADMSApplication -ObjectId $app.Id -AppRoles $appRoles

  • Add Role Attribute in SCIM Enterprise APP

Next step is to enable the Role Attribute in the SCIM Enterprise APP.

In order to do this, you must open the SCIM App and go to Provisioning. Under Provisioning, you must click Provisioning again on the left and select Mappings. Under Mappings you must choose Provision Microsoft Entra ID Users.

First, check the Show Advanced Options box at the bottom of the page and open Edit attribute list for customappsso.

In the Edit Attribute List, scroll to the bottom and, in the first empty row:

  • enter "roles" as the name
  • leave Reference set to String
  • check the 3rd checkbox on the right, as in the image

Then press Save on the top and you will be brought back to the Attribute Mapping.

Now, under Attribute Mappings you need to select Add New Mapping.

  • Mapping Type: Expression
  • Expression: AssertiveAppRoleAssignmentsComplex([appRoleAssignments])
  • Default Value: leave empty
  • Target Attribute: roles
  • Match objects: No
  • Apply this mapping: Always

Press OK on the bottom.

  • Creating/Modifying the User Role in GoBright

Next step is to create/modify the GoBright User Role.

Go to the GoBright portal, press on the Settings tab, press on Users and choose Roles from the left panel.


If you need to create a new User Role to be used as a SCIM Role, you can press the Add button to create a new User Role.

Or, you can select an already created User Role and modify the SCIM Matching.

To enable the SCIM Matching, you have to scroll down to the bottom of the Role you are creating/modifying and check the box under SCIM that says Enable Role Matching.

When that is enabled, you must select a Matching Value (Role with a number e.g. 001).

Remember which Matching Value you assign to which User Role: the Role Value must correspond to the Role selected in the SCIM Azure Enterprise Application for the user or group concerned (next point).

The values that you choose at this step correspond to the Roles you created in the previous steps in the App Registration.

  • Mapping a Role to a User or a Group in SCIM

The final step is to add the Role to a User or a Group you want to have Role Mapping.

You must open the SCIM Enterprise Application in Azure/Entra and go to Users and Groups from the left side panel.

Tick the checkbox in front of the user or group you want to assign a Role to and select Edit Assignment from the top panel.

In the Edit Assignment tab, select the Select a Role option where it says None Selected and choose a Role from the right side panel.

NOTE that this role corresponds with the User Role in GoBright and matches the value that you selected for that User Role.


When the Role is selected you can press Assign on the bottom and next time the Provisioning runs the Group or User will be updated/created with the Role in GoBright that you matched with the Role in SCIM.

For Multiple User Roles in GoBright for a certain group of users, you will have to create multiple groups and map them to the corresponding matched Roles in GoBright.

SCIM doesn't have the ability to map multiple roles for individual User or Group.
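An added example (not GoBright's or Microsoft's code) tying together the attribute list kept in Step 4 and the roles mapping from Step 5: it shows the SCIM 2.0 User body Entra produces from those mappings and how a SCIM endpoint turns it into a user record carrying the matched GoBright role, or the Automatic User Creation role when no role matches. The payload, the field names of the resulting record and the matching table are constructed, and the roles entries are assumed to follow the standard SCIM value/display/primary shape.

```python
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed request body shaped like what Entra sends after the attribute
# mappings kept in Step 4 plus the "roles" mapping added in Step 5.
SAMPLE_USER = {
    "schemas": [CORE, ENTERPRISE],
    "userName": "j.doe@example.com",
    "displayName": "Jane Doe",
    "active": True,
    "emails": [{"type": "work", "value": "j.doe@example.com", "primary": True}],
    "phoneNumbers": [{"type": "mobile", "value": "+31600000000"}],
    ENTERPRISE: {"department": "Facilities"},
    "roles": [{"value": "role001", "display": "GB Admins", "primary": True}],
}

# Constructed table: Matching Value set on a GoBright User Role (Step 5) -> role name.
ROLE_MATCHING = {"role001": "GB Admins", "role002": "GB Users"}


def first_value(items, wanted_type):
    """Server-side meaning of a mapping such as emails[type eq "work"].value."""
    for item in items or []:
        if item.get("type") == wanted_type:
            return item.get("value")
    return None


def resolve_role(roles, default_role):
    """Match the assigned app role value; otherwise fall back to the
    Automatic User Creation role, as the note in Step 1 describes."""
    for role in roles or []:
        name = ROLE_MATCHING.get(role.get("value"))
        if name:
            return name
    return default_role


def to_gobright_user(payload, default_role="Default User"):
    """Translate one SCIM 2.0 User resource into the fields GoBright keeps."""
    if CORE not in payload.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    return {
        "username": payload["userName"],
        "display_name": payload.get("displayName"),
        "email": first_value(payload.get("emails"), "work"),
        "mobile": first_value(payload.get("phoneNumbers"), "mobile"),
        "department": payload.get(ENTERPRISE, {}).get("department"),
        "role": resolve_role(payload.get("roles"), default_role),
        # active=false is how the "Disabled in GoBright" cases from Step 3 arrive
        "disabled": not payload.get("active", True),
    }
```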

 

Step 6

Provisioning Status

Now that you have the application configured, it is also very important to check whether the actual provisioning has started.

You can do that by going to the overview of your created SCIM application.

Go to the Provisioning tab on the left and you will see the option to Start, Stop or Restart the provisioning.

You will also see the Provision on demand option; with it you can provision a User or a Group immediately, without waiting for the next sync interval.