Microsoft Entra ID (Azure AD) SCIM

Follow the instructions below to set up provisioning of users from Microsoft Entra ID (Azure AD). Note, a Premium subscription is required for SCIM provisioning to be available. You also need a global administrator to enable provisioning. Read more in Microsoft's official SCIM documentation.

 

When configuring SAML or OIDC later, you will want to use the non-gallery SCIM app you just created instead of the Kantega SSO SAML gallery app (the latter does not yet support SCIM). The SAML/OIDC steps should otherwise be identical. Make sure to select “accounts already exist” for the SAML/OIDC provisioning option.

To begin the SCIM configuration, select Cloud user provisioning, then select Entra ID under the SCIM header from the Add directory dropdown.

image-20240110-112516.png

 

Introduction and network preparation

Tenant configuration

 

Configure SCIM in Microsoft Entra ID

1. Open the Azure admin portal at https://portal.azure.com

  • Go to Microsoft Entra ID

  • Open the Enterprise applications menu

2. Add a new application

  • Click the new application button (plus button at the top)

  • Select Create your own application

 

  • Give the application a suitable name. If you, as most enterprises do, have many enterprise applications it could be wise to add in the name something that links back to Kantega SSO like “Kantega SSO SCIM for Jira, tenantId: XXXXXXXXXXX”, where XXXXXXXXXXX could be the tenantId found in your SCIM setup in Kantega SSO. This makes it also easier to search for this enterprise application in Entra ID later.

 

 

  • Click Create and wait a few seconds for the app to be created.

3. Enable automatic provisioning

  • Open the Provisioning menu, and change the provisioning option from Manual to Automatic. This will make several new options appear, but it won't be able to save yet.

 

4. Configure admin credentials

  • Expand the Admin credentials drawer if it isn't already open. Copy the tenant URL and application secret for Kantega SSO Enterprise into Microsoft Entra, as shown in the below screenshot.

 

  • After filling in the required fields, click the Test Connection button. If everything is working, you should get a notification, and the Save button should become available.

5. Set the provisioning scope

  • Go back and select Provisioning again. Aet the provisioning scope to only assigned users and groups. Rarely would you want to provision the entire company. Leave provisioning status to OFF for now. Finally, click Save to persist the settings so far.

6. Configure attribute mappings

  • Mappings control the user account attributes that flow from Mirosoft Entra to Kantega SSO Enterprise. Under Provisioning settings, expand the Mappings drawer, then click Provision Azure Active Directory Users / Provisioning Microsoft Entra ID .

  • Some mappings needs to be changed and some mappings are unused and can be deleted.

    You should now see a list of default attribute mappings. Leave the following as they are by default:

    • userPrincipalName

    • active

    • givenName

    • surname

  • Change the Mapping type for some attributes to Expression. See info box below how to edit to using Expression and the table below what these expressions should contain. Attributes are:

    • emails[type eq "work"].value,

    • displayName

    • name.formatted

Edit the mapping types to using Expression and use the expressions in the table below.

The need for this change is since Atlassian accounts require a non-empty username, displayName, and email address, so you will need to provide a mapping that assures values for all of these, or provisioning of certain users may consistently fail.

Attribute mappings table

Attribute Mapping

Microsoft Entra ID Attribute expression

Comment

Attribute Mapping

Microsoft Entra ID Attribute expression

Comment

userName

userPrincipalName

 

active

Switch([IsSoftDeleted], , "False", "True", "True", "False")

Default Expression in Entra ID

displayName

Switch(IsPresent([displayName]), , "True", [displayName], "False", Join(" ", [givenName], [surname]))

This expression prefers displayName when present. but uses givenName and surname when displayName is not available.

emails[type eq "work"].value

Switch(IsPresent([mail]), , "True", [mail], "False", [userPrincipalName])

This expression will use userPrincipalName instead of mail for users that don't have [mail]. You can leave this on default if all your users have an Outlook license. You may use a different fallback source than userPrincipalName, too, but you must supply a non-empty value, or provisioning will consistently fail for affected accounts.

name.givenName

givenName

 

name.familiyName

surname

 

name.formatted

Switch(IsPresent([displayName]), , "True", [displayName], "False", Join(" ", [givenName], [surname]))

This expression sets name.formatted to the exact same value as displayName.

externalId

objectId

OPTIONAL: This can be used in case of getting 409 response code USER_ALREADY_EXISTS errors to provide unique id for looking up users in SCIM directory. See the the setting in K-SSO_ “Advanced SCIM settings → User linking on creation”.
The mapping does not have to be to objectId, as long as it is unique. It is recommended to set the mapping only before the first sync and do not change it. If change is needed a new SCIM directory with a fresh sync is suggested.

We suggest also adding the externalId attribute to have a more exact match during sync over time. Lastly, delete the remaining attributes than the below mentioned and then click Save.

You should end up with something like these 8 attributes in the list:

7. Enable provisioning and save

  • Return to Provisioning settings. set Provisioning status to On, then click save. For resync and non-immediate changes, Azure AD works on a 40-minute timer, so any changes or error corrections you need to test can require considerable waiting.

  • Assign users and groups

  • Go to Users and groups and assign the users and groups that should be able to use the application and need provisioning. Note that the set of users being provisioned can be further limited/filtered in provisioning settings.

 

For further details on how to map attributes, please refer to Microsoft’s documentation on this: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/functions-for-customizing-application-data.

Notes

  • You may reset/reprovision the SCIM directory in its entirety from the Entra ID Provisioning settings. There is no way to reprovision specific groups or users.

  • Entra ID SCIM works on a 40-minute timer. While assignment changes can be instant once you have a stable sync state, any changes that require a resync or re-init, for example, a manually forced resync or mapping change, won’t happen immediately. You will need to wait for the next sync pass, i.e., up to 40 minutes from when the change is made.