Azure SCIM User Provisioning

Azure SCIM 2.0 User Provisioning enables you to connect your Azure Active Directory to your Phriendly Phishing account. When an individual is configured in your Active Directory (AD) they will automatically be synchronised in your Phriendly Phishing account as a Learner. When an individual is removed from your Azure AD, the individual will be removed from your Phriendly Phishing account.

This article will take you through how to:

• Create a New Enterprise Application
• Provision Your Enterprise Application
• Mapping Attributes and Assigning Provisioning Scope
• Configure with Phriendly Phishing account

Important: Please confirm with Support what attribute is used to store your primary email addresses in Azure AD. 

1. Create a New Enterprise Application in Azure AD

       a. Sign into the Azure Active Directory Portal.

       b. Select Enterprise applications.

     c. Select New Application and then Create your own application.

      d. Enter a name for your application, choose the option "integrate any other application you
         don't find in the gallery" and select Create to add the new application. Once added it should open             up to the application overview.

 

2. Provision Your Enterprise Application

       a. You will need details from the Phriendly Phishing Portal to configure the application.

       b. Log into your account, select Settings then User Synchronisation.

        c. Select Azure SCIM then expand 'Azure SCIM synchronisation'. This will show you the URL and                    token that is required in step 3.

      d. On the Overview page of the application you created, select Provisioning in the left panel.

 

      e. Select Get Started

    f. Set Provisioning Mode to 'Automatic' and under Admin Credentials enter the tenant URL and Secret          token you retrieved in step 2 from the Phriendly Phishing Portal. 

      g. Select Test Connection, then if the connection is successful, select Save.

3. Mapping required attributes and Assigning Provisioning Scope

      a. Select the Provisioning tab, then Edit Attribute Mapping.

     b. Expand 'Mappings' then select Provision Azure Active Directory Users. 

     c. Scroll to the bottom and select Show Advanced Options, then Edit Attribute List for                               Customerappsso.

     d. At the bottom of the list, enter these custom attributes in the Name column, leaving
          defaults for the other columns. (see the below screenshot)

          Default Attributes(Required)

• • • First name of learner =urn:ietf:params:scim:schemas:extension:PH2:2.0:User:givenName
    • Surname of learner = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:surName
    • Email of learner = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:mail

           Additional Attributes (optional)

          If you wish to add additional attributes the name must follow the pattern shown in the example
          below. The “CustomAttribute" can be customised to what you want shown in the portal.

          urn:ietf:params:scim:schemas:extension:PH2:2.0:User:CustomAttribute

          Examples:

• • • urn:ietf:params:scim:schemas:extension:PH2:2.0:User:Department
    • urn:ietf:params:scim:schemas:extension:PH2:2.0:User:location
    • urn:ietf:params:scim:schemas:extension:PH2:2.0:User:jobTitle

       e. Once all have been added select Save, then Yes.

       f. Adjust the mappings so they match the following screenshot.

This can be done by selecting the AD Attribute, editing the Target Attribute then selecting Ok.  If you added additional attributes in the previous step, map them to the associated AD attribute, eg. Department in the example below.

g. You will also need to set the Matching Precedence value for Objectid to 1. You can do this by        editing the attribute, set Match object using this attribute to Yes, then enter the value 1. Then select Ok

Note: You may be required to edit the matching precedence for UserPrincipalName as only a single attribute can be set to 1.

Steps below on how to set the Matching Precedence value for Objectid to1:

• • Select the attribute that has customappsso attribute as "externalId"

• • Edit the source attribute to "objectId" and select "Yes" for Match objects using this attribute and "2" for matching precedence and OK to save (As matching precedence is default mapped to userPrincipalName)

• • Select userPrincipalName and edit Match objects using this attribute to "No" and Matching precedence to "0"

• • Again, select objectId and edit Matching precedence to "1"

h. Once complete, select Save and then Yes.

i. Expand 'Settings' and assign scope to be Sync Only assigned Users and Group.

 

4. Assigning Groups to Provisioning

     a. On the Overview page of the application, select Users and Groups.

   b. Select Add user/group.

c. Select User and Groups to search the group(s) you want to assign. 

   d. Select Assign.

5. Start Provisioning 

    a. In the Overview page of the application, select Provisioning then Start Provisioning. 

6. Configuring Phriendly Phishing Platform

     a. In the portal where you retrieved the URL and token, add the group name/s that you previously                 assigned and select Save. Important: It should be an exact match to the group name in your Azure AD. 

          Note that the AD security group name will be shown as a Segment under the Learners page.

          We recommend using External ID as the unique identifier as it will update learners if their email address changes.

    b. Select Trigger Sync.

 

     c. In the preview section you can download the process CSV to review the user that will be         synchronised and ensure it is correct. 

    d. Once you have confirmed the user list you can enable Azure SCIM Synchronisation to apply it.

     e. You can select the notifications icon to see the summary of the sync.

 

You have now completed the implementation of Azure SCIM Provisioning!