Microsoft Entra ID (Azure AD) SCIM
- Jon Espen Ingvaldsen (Unlicensed)
- Steinar Line
- Ole Kristian Aune (Unlicensed)
Follow the instructions below to set up provisioning of users from Microsoft Entra ID (Azure AD). Note, a Premium subscription is required for SCIM provisioning to be available. You also need a global administrator to enable provisioning. Read more in Microsoft's official SCIM documentation.
When configuring SAML or OIDC later, you will want to use the non-gallery SCIM app you just created instead of the Kantega SSO SAML gallery app (the latter does not yet support SCIM). The SAML/OIDC steps should otherwise be identical. Make sure to select “accounts already exist” for the SAML/OIDC provisioning option.
To begin the SCIM configuration, select Cloud user provisioning, then select Entra ID under the SCIM header from the Add directory dropdown.
Introduction and network preparation
Tenant configuration
Configure SCIM in Microsoft Entra ID
1. Open the Azure admin portal at https://portal.azure.com
Go to Microsoft Entra ID
Open the Enterprise applications menu
2. Add a new application
Click the new application button (plus button at the top)
Select Create your own application
Give the application a suitable name. If you, as most enterprises do, have many enterprise applications it could be wise to add in the name something that links back to Kantega SSO like “
Kantega SSO SCIM for Jira, tenantId: XXXXXXXXXXX”, where XXXXXXXXXXX could be the tenantId found in your SCIM setup in Kantega SSO. This makes it also easier to search for this enterprise application in Entra ID later.
Click Create and wait a few seconds for the app to be created.
3. Enable automatic provisioning
Open the Provisioning menu, and change the provisioning option from Manual to Automatic. This will make several new options appear, but it won't be able to save yet.
4. Configure admin credentials
Expand the Admin credentials drawer if it isn't already open. Copy the tenant URL and application secret for Kantega SSO Enterprise into Microsoft Entra, as shown in the below screenshot.
After filling in the required fields, click the Test Connection button. If everything is working, you should get a notification, and the Save button should become available.
5. Set the provisioning scope
Go back and select Provisioning again. Aet the provisioning scope to only assigned users and groups. Rarely would you want to provision the entire company. Leave provisioning status to OFF for now. Finally, click Save to persist the settings so far.
6. Configure attribute mappings
Mappings control the user account attributes that flow from Mirosoft Entra to Kantega SSO Enterprise. Under Provisioning settings, expand the Mappings drawer, then click Provision Azure Active Directory Users / Provisioning Microsoft Entra ID .
Some mappings needs to be changed and some mappings are unused and can be deleted.
You should now see a list of default attribute mappings. Leave the following as they are by default:
userPrincipalNameactivegivenNamesurname
Change the Mapping type for some attributes to Expression. See info box below how to edit to using Expression and the table below what these expressions should contain. Attributes are:
emails[type eq "work"].value,displayNamename.formatted
Edit the mapping types to using Expression and use the expressions in the table below.
The need for this change is since Atlassian accounts require a non-empty username, displayName, and email address, so you will need to provide a mapping that assures values for all of these, or provisioning of certain users may consistently fail.
Attribute mappings table
Attribute Mapping | Microsoft Entra ID Attribute expression | Comment |
|---|---|---|
userName | userPrincipalName |
|
active | Switch([IsSoftDeleted], , "False", "True", "True", "False") | Default Expression in Entra ID |
displayName | Switch(IsPresent([displayName]), , "True", [displayName], "False", Join(" ", [givenName], [surname])) | This expression prefers displayName when present. but uses givenName and surname when displayName is not available. |
emails[type eq "work"].value | Switch(IsPresent([mail]), , "True", [mail], "False", [userPrincipalName]) | This expression will use userPrincipalName instead of mail for users that don't have [mail]. You can leave this on default if all your users have an Outlook license. You may use a different fallback source than userPrincipalName, too, but you must supply a non-empty value, or provisioning will consistently fail for affected accounts. |
name.givenName | givenName |
|
name.familiyName | surname |
|
name.formatted | Switch(IsPresent([displayName]), , "True", [displayName], "False", Join(" ", [givenName], [surname])) | This expression sets name.formatted to the exact same value as displayName. |
externalId | objectId | OPTIONAL: This can be used in case of getting 409 response code USER_ALREADY_EXISTS errors to provide unique id for looking up users in SCIM directory. See the the setting in K-SSO_ “Advanced SCIM settings → User linking on creation”. |
We suggest also adding the externalId attribute to have a more exact match during sync over time. Lastly, delete the remaining attributes than the below mentioned and then click Save.
You should end up with something like these 8 attributes in the list:
7. Enable provisioning and save
Return to Provisioning settings. set Provisioning status to On, then click save. For resync and non-immediate changes, Azure AD works on a 40-minute timer, so any changes or error corrections you need to test can require considerable waiting.
Assign users and groups
Go to Users and groups and assign the users and groups that should be able to use the application and need provisioning. Note that the set of users being provisioned can be further limited/filtered in provisioning settings.
For further details on how to map attributes, please refer to Microsoft’s documentation on this: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/functions-for-customizing-application-data.
Notes
You may reset/reprovision the SCIM directory in its entirety from the Entra ID Provisioning settings. There is no way to reprovision specific groups or users.
Entra ID SCIM works on a 40-minute timer. While assignment changes can be instant once you have a stable sync state, any changes that require a resync or re-init, for example, a manually forced resync or mapping change, won’t happen immediately. You will need to wait for the next sync pass, i.e., up to 40 minutes from when the change is made.