Azure SCIM 2.0 User Provisioning enables you to connect your Azure Active Directory to your Phriendly Phishing account. When an individual is added to your Azure Active Directory (AD), the new staff member is automatically synchronised into your Phriendly Phishing account. When an individual is removed from your Azure AD, they are removed from your Phriendly Phishing account as well.
This article will take you through how to:
- Create a New Enterprise Application
- Provision Your Enterprise Application
- Map Attributes and Assign Provisioning Scope
- Configure with Phriendly Phishing account
Important: Please confirm with Support which attribute is used to store your primary email addresses in Azure AD.
1. Create a New Enterprise Application in Azure AD
a. Sign in to the Azure Active Directory Portal.
b. Select Enterprise applications.
c. Select New Application and then Create your own application.
d. Enter a name for your application, choose the option "integrate any other application you don't find in the gallery" and select Create to add the new application. Once added, it should open the application overview.
2. Provision Your Enterprise Application
a. You will need details from the Phriendly Phishing Portal to configure the application.
Log into your account, select Settings then User Synchronisation.
b. Select Azure SCIM then expand 'Azure SCIM synchronisation'.
This will show you the URL and token that are required in step 3.
c. On the Overview page of the application you created, select Provisioning in the left panel.
d. Select Get Started.
e. Set Provisioning Mode to 'Automatic' and under Admin Credentials enter the tenant URL and Secret token you retrieved in step 2 from the Phriendly Phishing Portal.
f. Select Test Connection, then if the connection is successful, select Save.
3. Mapping required attributes and Assigning Provisioning Scope
a. Select the Provisioning tab, then Edit Attribute Mapping.
b. Expand 'Mappings' then select Provision Azure Active Directory Users.
c. Scroll to the bottom and select Show Advanced Options, then Edit Attribute List for Customerappsso.
d. At the bottom of the list, enter these custom attributes in the Name column, leaving the defaults for the other columns (see the screenshot below).
Default Attributes (Required)
First name of learner
▪ urn:ietf:params:scim:schemas:extension:PH2:2.0:User:givenName
Surname of learner
▪ urn:ietf:params:scim:schemas:extension:PH2:2.0:User:surName
Email of learner
▪ urn:ietf:params:scim:schemas:extension:PH2:2.0:User:mail
Additional Attributes (optional)
If you wish to add additional attributes, the name must follow the pattern shown in the example below. "CustomAttribute" can be replaced with whatever name you want shown in the portal.
urn:ietf:params:scim:schemas:extension:PH2:2.0:User:CustomAttribute
Examples:
urn:ietf:params:scim:schemas:extension:PH2:2.0:User:Department
urn:ietf:params:scim:schemas:extension:PH2:2.0:User:location
urn:ietf:params:scim:schemas:extension:PH2:2.0:User:jobTitle
e. Once all have been added select Save, then Yes.
f. Adjust the mappings so they match the following screenshot.
This can be done by selecting the AD attribute, editing the Target Attribute, then selecting Ok.
If you added additional attributes in the previous step, map each one to the associated AD attribute, e.g. Department in the example below.
g. You will also need to set the Matching Precedence value for objectId to 1.
You can do this by editing the attribute, setting Match object using this attribute to Yes, entering the value 1, then selecting Ok.
Note: You may also need to edit the matching precedence for userPrincipalName, as only a single attribute can be set to 1.
h. Once complete, select Save and then Yes.
i. Expand 'Settings' and set the scope to 'Sync only assigned users and groups'.
4. Assigning Groups to Provisioning
a. On the Overview page of the application, select Users and Groups.
b. Select Add user/group.
c. Select Users and groups to search for the group(s) you want to assign.
d. Select Assign.
5. Start Provisioning
a. In the Overview page of the application, select Provisioning then Start Provisioning.
6. Configuring Phriendly Phishing Portal
a. In the portal page where you retrieved the URL and token, add the group name(s) that you previously assigned and select Save.
Note: each name must exactly match the group name in your Azure AD.
We recommend using External ID as the unique identifier, as it keeps learners updated if their email address changes.
b. Select Trigger Sync.
c. In the preview section you can download the process CSV to review the users that will be synchronised and confirm the list is correct.
d. Once you have confirmed the user list you can enable Azure SCIM Synchronisation to apply it.
e. You can select the notifications icon to see the summary of the sync.
You have now completed the implementation of Azure SCIM Provisioning!
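As an added illustration (not part of the original article or of Phriendly Phishing's own code), the following Python shows what the attribute names from step 3 look like once provisioning sends a user: a check that the custom attribute list follows the PH2 URN pattern and contains the three required attributes, and a parser that turns a SCIM 2.0 user payload into a learner record keyed on External ID. It assumes the standard RFC 7643 layout, where extension attributes sit under their schema URN; the sample payload is constructed.

```python
import json
import re

# Schema URN that the page's attribute names are built on; the attribute name is the last segment.
PH2_SCHEMA = "urn:ietf:params:scim:schemas:extension:PH2:2.0:User"
REQUIRED = ("givenName", "surName", "mail")
# A custom attribute is the schema URN, one ':' and a simple name (Department, location, jobTitle).
ATTR_RE = re.compile(r"^" + re.escape(PH2_SCHEMA) + r":([A-Za-z][A-Za-z0-9]*)$")


def check_attribute_list(names):
    """Check the names typed into 'Edit Attribute List' (step 3d).
    Returns (missing_required, malformed)."""
    seen, malformed = set(), []
    for name in names:
        m = ATTR_RE.match(name)
        if m:
            seen.add(m.group(1))
        else:
            malformed.append(name)
    return [r for r in REQUIRED if r not in seen], malformed


def learner_from_scim(body):
    """Turn one SCIM 2.0 user payload into a learner record. Assumes the RFC 7643
    layout (extension attributes nested under their schema URN)."""
    user = json.loads(body)
    if PH2_SCHEMA not in user.get("schemas", []):
        raise ValueError("PH2 extension schema not declared in 'schemas'")
    ext = user.get(PH2_SCHEMA, {})
    missing = [r for r in REQUIRED if not ext.get(r)]
    if missing:
        raise ValueError("missing required attributes: " + ", ".join(missing))
    return {
        "external_id": user["externalId"],  # the External ID the article recommends as unique key
        "given_name": ext["givenName"],
        "surname": ext["surName"],
        "email": ext["mail"],
        "custom": {k: v for k, v in ext.items() if k not in REQUIRED},  # optional attributes
    }


# Constructed sample payload; not captured from a real tenant.
SAMPLE = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", PH2_SCHEMA],
    "externalId": "00000000-0000-0000-0000-000000000001",
    "userName": "alex.example@example.com",
    PH2_SCHEMA: {"givenName": "Alex", "surName": "Example",
                 "mail": "alex.example@example.com", "Department": "Finance"},
})
```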