Microsoft Entra ID SCIM 2.0 User Provisioning lets you connect your Microsoft Entra ID (formerly Azure AD) tenant to your Phriendly Phishing account. When an individual is configured in your AD they are automatically synchronised into your Phriendly Phishing account as a Learner. When an individual is removed from your AD, they are removed from your Phriendly Phishing account.
This article takes you through the steps to sync your users to Phriendly Phishing:
Important:
Please confirm with Support what attribute is used to store your primary email addresses in Microsoft Entra ID.
1. Create a New Enterprise Application in Microsoft Entra ID
a. Sign in to Microsoft Azure and select Enterprise applications.
b. Select New application, then Create your own application.
c. Enter a name for your application and follow the screenshot below.
2. Provision Your Enterprise Application
a. Log in to your Phriendly Phishing account. Go to Settings and follow the screenshot below.
b. Expand Admin Synchronisation, then select Azure SCIM. Take note of the URL and token; these are required in the following steps.
c. Go back to Microsoft Entra ID and select the Enterprise Application created in Step 1. On the Overview page of the application you created, select Provisioning.
d. Click Connect your application.
e. Enter the Tenant URL and Secret Token you retrieved in step 2.b from the Phriendly Phishing platform, then follow the screenshot below.
3. Map Required attributes
a. On the Overview page of the application you created, select Provisioning > Provision Microsoft Entra ID Users.
b. Feel free to delete any of the attributes visible by default. Scroll down, tick Show Advanced Options, then Edit attribute list for customappsso.
c. At the bottom of the list, enter the attributes below under the Name column, set the Type column to String and leave the other columns as they are or empty. Once done, hit . Refer to the section The list of Required and Custom string attributes for entry in your SCIM Mapping.
d. Adjust the mappings so they match the following screenshot (the Manager attribute is optional).
Reminder: it is important that the mapping below is followed exactly for the synchronisation to be successful.
e. Go back to the Overview page > Provisioning tab, expand Settings and set the scope to Sync only assigned users and groups.
4. Assigning User Groups for Provisioning
a. On the Overview page of the application, select Users and Groups > Add User / Group.
b. Select Users and groups to search for the group(s) you want to assign.
c. Select
d. Once assigned, on the Overview page select Provisioning, then Start Provisioning. Once it reaches 100%, go back to the Phriendly Phishing platform and proceed with the next steps.
5. Configure in Phriendly Phishing Platform
a. Log in to your Phriendly Phishing account. Go to Settings and follow the numbered steps in the screenshot below.
Important Things to note:
- It is crucial to have the correct name of the group for the sync to work; if a group isn't being identified, there may be a trailing space (' ') at the end of the group name.
- Users from nested groups are not recognised. If you do have users in nested groups, you will need to specify those groups in the configuration too.
- The AD security group name is shown as a Segment under the Learners page.
- We recommend using External ID (#5 in the image above) as the unique identifier, as it will update learners if their email address changes.
b. Trigger a sync.
c. Under Preview sample learners list, download the processed data to confirm the learners who will be added and/or removed.
d. Once you have confirmed the user list, you can enable the Azure SCIM Synchronisation button.
e. The newly synced Learners then appear under the notification bell.
The list of Required and Custom string attributes for entry in your SCIM Mapping
Default Attributes (Required)
- First name of learner = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:givenName
- Surname of learner = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:surName
- Email of learner = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:mail
Custom Attributes (optional)
- Department = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:Department
- Location = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:location
- Job Title = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:jobTitle
- Manager = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:Manager
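As an added example, not part of this article or of the Phriendly Phishing or Microsoft tooling, the following Python builds a SCIM 2.0 User resource carrying the PH2 extension attributes listed above, validates that the three required attributes are present as non-empty strings, and checks configured group names against directory group names to surface the trailing-space mismatch described in section 5. The extension URI and attribute names are taken from this article; the nesting of extension attributes under their schema URI follows RFC 7643 section 3.3, while the use of externalId, the exact body Entra sends, and all function names are assumptions.

```python
import json
import re

# SCIM 2.0 schema URIs. The core User schema is defined in RFC 7643; the PH2
# extension URI and its attribute names are the ones listed in this article.
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PH2_EXT = "urn:ietf:params:scim:schemas:extension:PH2:2.0:User"

REQUIRED = ("givenName", "surName", "mail")
OPTIONAL = ("Department", "location", "jobTitle", "Manager")

# Deliberately simple address check: one '@' and a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_scim_user(given, surname, mail, external_id, **custom):
    """Return a SCIM User resource with the PH2 extension attributes.
    Extension attributes are nested under their schema URI (RFC 7643 s3.3);
    the article does not show the real request body, so this layout and the
    externalId field (the 'External ID' unique identifier) are assumptions."""
    unknown = set(custom) - set(OPTIONAL)
    if unknown:
        raise ValueError(f"unknown custom attributes: {sorted(unknown)}")
    return {
        "schemas": [CORE_USER, PH2_EXT],
        "userName": mail,
        "externalId": external_id,
        "active": True,
        PH2_EXT: {"givenName": given, "surName": surname, "mail": mail, **custom},
    }


def validate_scim_user(user):
    """Return a list of problems; an empty list means the payload satisfies
    the required mapping from this article (all values must be type String)."""
    problems = []
    if PH2_EXT not in user.get("schemas", []):
        problems.append(f"schemas does not declare {PH2_EXT}")
    ext = user.get(PH2_EXT, {})
    for attr in REQUIRED:
        value = ext.get(attr)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"required attribute {PH2_EXT}:{attr} is missing or empty")
    mail = ext.get("mail")
    if isinstance(mail, str) and mail and not EMAIL_RE.match(mail):
        problems.append(f"mail '{mail}' is not a valid email address")
    for attr, value in ext.items():
        if attr not in REQUIRED + OPTIONAL:
            problems.append(f"unmapped attribute {attr} in {PH2_EXT}")
        elif not isinstance(value, str):
            problems.append(f"attribute {attr} must be type String, got {type(value).__name__}")
    return problems


def check_group_names(configured, directory_groups):
    """Compare group names typed into the sync configuration with the names
    reported by the directory. Returns (matched, unmatched); each unmatched
    entry says whether leading/trailing whitespace is the reason, which is
    the failure mode the article warns about."""
    matched, unmatched = [], []
    exact = set(directory_groups)
    stripped = {g.strip(): g for g in directory_groups}
    for name in configured:
        if name in exact:
            matched.append(name)
        elif name.strip() in stripped:
            unmatched.append((name, f"directory has {stripped[name.strip()]!r}; whitespace differs"))
        else:
            unmatched.append((name, "no group with this name"))
    return matched, unmatched


if __name__ == "__main__":
    # Constructed sample data; none of these values come from a real tenant.
    user = build_scim_user("Ada", "Lovelace", "ada.lovelace@example.com",
                           "00000000-0000-0000-0000-000000000001",
                           Department="Engineering", jobTitle="Analyst")
    print(json.dumps(user, indent=2))
    print("problems:", validate_scim_user(user))
    # A group name saved with a trailing space will never match.
    print(check_group_names(["Sales", "Finance"], ["Sales", "Finance "]))
```

Run the validator over the processed-data download from step 5.c (after converting it to the same structure) to confirm every learner carries givenName, surName and mail before enabling the synchronisation button.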
Steps to take if you are switching from Email to ID as the Unique Identifier (applicable for existing SCIM set-up)
- Disable the User Synchronisation > Learner Synchronisation button.
- Switch the mapping value from Email to Unique Identifier and Save Settings.
- Click the Trigger Sync button (or push new data from the ADFS script).
- Preview the processed data (refer to section 5.c) and, if learners are being erroneously removed, contact Support to remediate.
You have now completed the implementation of Azure SCIM Provisioning!