Azure SCIM 2.0 User Provisioning enables you to connect your Azure Active Directory to your Phriendly Phishing account. When an individual is configured in your Active Directory (AD) they will automatically be synchronised in your Phriendly Phishing account as a Learner. When an individual is removed from your Azure AD, the individual will be removed from your Phriendly Phishing account.
This article will take you through how to:
- Create a New Enterprise Application
- Provision Your Enterprise Application
- Map Attributes and Assign Provisioning Scope
- Configure with Phriendly Phishing account
- What are the required steps to switch from Email to ID as the Unique Identifier (applicable for existing SCIM set-up)
Important: Please confirm with Support what attribute is used to store your primary email addresses in Azure AD.
1. Create a New Enterprise Application in Azure AD
a. Sign into the Azure Active Directory Portal.
b. Select Enterprise applications.
c. Select New Application and then Create your own application.
d. Enter a name for your application, choose the option "integrate any other application you don't find in the gallery" and select Create to add the new application.
2. Provision Your Enterprise Application
a. You will need details from the Phriendly Phishing Portal to configure the application.
b. Log into your account, select Settings then User Synchronisation.
c. Select Azure SCIM then expand 'Azure SCIM synchronisation'. This will show you the URL and token that is required in step 3.
d. On the Overview page of the application you created, select Provisioning in the left panel.
e. Select Get Started > Connect your application
f. Fill in the Tenant URL and Secret token you retrieved from the Phriendly Phishing platform, then select Test Connection and Create.
3. Map Required Attributes and Assign Provisioning Scope
a. On the Overview page of the application you created, select Provisioning > Get Started > Edit Attributes.
b. Select Provision Microsoft Entra ID Users
c. Tick Show advanced options > Edit attribute list for customappsso and add the custom attributes (type String) listed below. Select Save.
Default Attributes (Required)
- First name of learner = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:givenName
- Surname of learner = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:surName
- Email of learner = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:mail
Additional Attributes (optional)
If you wish to add additional attributes, the name must follow the pattern shown in the example below. The "CustomAttribute" part can be customised to the label you want shown in the portal.
urn:ietf:params:scim:schemas:extension:PH2:2.0:User:CustomAttribute
Examples:
- urn:ietf:params:scim:schemas:extension:PH2:2.0:User:Department
- urn:ietf:params:scim:schemas:extension:PH2:2.0:User:location
- urn:ietf:params:scim:schemas:extension:PH2:2.0:User:jobTitle
d. Adjust the mappings so they match the following screenshot. To do this, select the AD attribute and click the Edit button. Note: the Target Attribute is the customappsso attribute.
e. Once complete, select Save and then Yes.
f. Go back to the Provisioning tab on the Overview page, expand 'Settings' and set the scope to Sync only assigned users and groups.
g. On the Overview page of the application, select Users and Groups.
h. Select Add user/group.
i. Select Users and groups to search for the group(s) you want to assign.
j. Select Assign.
k. Start Provisioning - In the Overview page of the application, select Start Provisioning.
l. Once provisioning is 100% complete, go back to the platform and proceed to the next steps.
4. Configure the Phriendly Phishing Platform
a. On the platform page where you retrieved the URL and token, add the group name(s) you previously assigned and select Save.
Important Things to Note:
- The group name must match exactly for the sync to work; if a group isn't being identified, check for a trailing space (' ') at the end of the group name.
- Users from nested groups are not recognised. If you have users in nested groups, you will need to specify those groups in the configuration too.
- The AD security group name will be shown as a Segment under the Learners page.
We recommend using External ID as the unique identifier as it will update learners if their email address changes.
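As an added illustration (not part of this article or the Phriendly Phishing product), the Python below checks a SCIM User payload for the required PH2 attributes and the custom-attribute naming pattern from step 3, and flags group names with the trailing-space problem described above. It assumes Entra ID sends the PH2 attributes as a nested extension object keyed by the schema URN, as RFC 7643 defines for schema extensions; the sample user, its externalId and the group names are constructed.

```python
import re

PH2_SCHEMA = "urn:ietf:params:scim:schemas:extension:PH2:2.0:User"
CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
REQUIRED_PH2 = ("givenName", "surName", "mail")
# A custom attribute name is the PH2 schema URN followed by one identifier.
PH2_ATTR = re.compile(re.escape(PH2_SCHEMA) + r":([A-Za-z][A-Za-z0-9]*)")


def invalid_attribute_names(names):
    """Return the attribute names that do not follow the PH2 naming pattern."""
    return [n for n in names if not PH2_ATTR.fullmatch(n)]


def validate_user(user):
    """Return a list of problems found in one SCIM User resource (empty = OK)."""
    problems = []
    if PH2_SCHEMA not in user.get("schemas", []):
        problems.append("PH2 extension schema not listed in 'schemas'")
    ext = user.get(PH2_SCHEMA, {})  # assumption: extension nested under its URN
    for attr in REQUIRED_PH2:
        if not ext.get(attr):
            problems.append(f"missing required attribute {PH2_SCHEMA}:{attr}")
    # External ID is the recommended unique identifier; without it a changed
    # email address looks like one learner removed and a new one added.
    if not user.get("externalId"):
        problems.append("missing externalId (recommended unique identifier)")
    return problems


def groups_with_stray_whitespace(group_names):
    """Return group names that differ from their stripped form; a trailing
    space is the usual reason a configured group is 'not identified'."""
    return [g for g in group_names if g != g.strip()]


# Constructed sample of what Entra ID would send for one assigned user.
SAMPLE_USER = {
    "schemas": [CORE_SCHEMA, PH2_SCHEMA],
    "externalId": "7d1c2e9a-0000-4000-8000-000000000001",  # constructed value
    "userName": "jane.doe@example.com",
    "active": True,
    PH2_SCHEMA: {
        "givenName": "Jane",
        "surName": "Doe",
        "mail": "jane.doe@example.com",
        "Department": "Finance",  # optional custom attribute
    },
}

if __name__ == "__main__":
    print(validate_user(SAMPLE_USER))
    print(groups_with_stray_whitespace(["Finance Staff ", "IT"]))
```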
b. Select Trigger Sync.
c. In the preview section you can download the processed CSV to review the users that will be synchronised and confirm the list is correct.
d. Once you have confirmed the user list you can enable Azure SCIM Synchronisation to apply it.
e. You can select the notifications icon to see the summary of the sync.
What are the required steps to switch from Email to ID as the Unique Identifier (applicable for existing SCIM set-up)
- Disable the User Synchronisation > Learner Synchronisation button
- Switch the mapping value from Email to Unique Identifier and Save Settings
- Click the Trigger Sync button (or push new data from the ADFS script)
- Preview the processed data and, if learners are being erroneously removed, contact Support to remediate.
You have now completed the implementation of Azure SCIM Provisioning!