Configuring SCIM Provisioning in the Azure Portal for a Custom Enterprise Application
This guide provides step-by-step instructions for configuring SCIM provisioning in the Azure Portal for a custom Enterprise Application. Follow these steps to integrate Azure AD with your Blameless instance for automated user provisioning.
Prerequisites
Before you begin, ensure you have:
- Access to the Azure Portal with appropriate administrative privileges.
- The SCIM tenant URL for your Blameless instance in the format:
https://<blameless-instance>.blameless.io/api/scim/v2
- A valid API Key fetched from the Key Management in Blameless Settings.
https://<blameless-instance>.blameless.io/identity-management/key-management
Step 1: Create the Custom Enterprise Application
- Log in to the Azure Portal.
- Navigate to Azure Active Directory > Enterprise applications.
- Click on New application.
- Select Create your own application.
- Enter a name for your application, e.g., "Blameless SCIM Provisioning", and select Integrate any other application you don’t find in the gallery. Click Create.
Step 2: Configure SCIM Provisioning
- After creating the application, go to the application’s overview page.
- Click on Provisioning in the left-hand menu.
- Click on Get started.
Provisioning Mode
- In the Provisioning Mode dropdown, select Automatic.
Admin Credentials
- In the Tenant URL field, enter the SCIM tenant URL for your Blameless instance in the format:
https://<blameless-instance>.blameless.io/api/scim/v2
- In the Secret Token field, enter the SCIM token you fetched from the Key Management in Blameless Settings.
- Click Test Connection to ensure Azure AD can communicate with your SCIM endpoint. If the test is successful, click Save.
Mappings
- After saving, you’ll be redirected to the Mappings section.
- Review the mappings and make sure you have mappings specified for Users and Groups.
- Adjust the mappings for Users to match the following:
  Blameless Attribute | Entra ID Attribute
  userName | userPrincipalName
  displayName | IIF(IsPresent([displayName]), [displayName], [userPrincipalName])
  name.givenName | givenName
  name.familyName | surname
- Adjust the mappings for Groups to match the following:
  Blameless Attribute | Entra ID Attribute
  displayName | displayName
  members | members
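To make the two mapping tables concrete, the following added example (not code from Blameless or Microsoft) applies them to a few constructed Entra ID user and group objects and produces the SCIM 2.0 resources that Entra ID would send to the /Users and /Groups endpoints, including the IIF fallback to userPrincipalName when displayName is empty. The sample objects, the helper names (build_scim_user, build_scim_group, provision_all) and the simplification that group members are listed by userPrincipalName and resolved to SCIM ids are assumptions for illustration; only the attribute names and the IIF expression come from the tables above.

```python
"""Worked example of the Users and Groups attribute mappings (added illustration,
not part of the Blameless or Entra ID documentation)."""

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed sample data standing in for what Entra ID holds for assigned objects.
# "bob" has an empty displayName so the IIF fallback in the mapping is exercised.
SAMPLE_ENTRA_USERS = [
    {"userPrincipalName": "alice@example.com", "displayName": "Alice Example",
     "givenName": "Alice", "surname": "Example"},
    {"userPrincipalName": "bob@example.com", "displayName": "",
     "givenName": "Bob", "surname": "Builder"},
]
# Assumption: members are referenced by UPN here; Entra ID itself uses object ids.
SAMPLE_ENTRA_GROUPS = [
    {"displayName": "on-call-sre", "members": ["alice@example.com", "bob@example.com"]},
    {"displayName": "incident-commanders", "members": ["alice@example.com", "nobody@example.com"]},
]


def iif_is_present(value, fallback):
    """Mirror of IIF(IsPresent([x]), [x], [fallback]): use x only if it is set and non-empty."""
    return value if value not in (None, "") else fallback


def build_scim_user(entra_user: dict) -> dict:
    """Apply the Users mapping table to one Entra ID user object."""
    upn = entra_user.get("userPrincipalName")
    if not upn:
        # userName is the SCIM identifier Blameless keys on; refuse to emit a user without it.
        raise ValueError("Entra user has no userPrincipalName; cannot map to SCIM userName")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": upn,                                                    # userName <- userPrincipalName
        "displayName": iif_is_present(entra_user.get("displayName"), upn),  # IIF(IsPresent([displayName]), ...)
        "name": {
            "givenName": entra_user.get("givenName"),                      # name.givenName <- givenName
            "familyName": entra_user.get("surname"),                       # name.familyName <- surname
        },
    }


def build_scim_group(entra_group: dict, scim_id_by_upn: dict) -> dict:
    """Apply the Groups mapping table (displayName <- displayName, members <- members).
    SCIM group members carry the SCIM id of each user, so members are resolved through
    the ids returned when the users were provisioned; unknown members are skipped."""
    members = [{"value": scim_id_by_upn[upn]}
               for upn in entra_group.get("members", []) if upn in scim_id_by_upn]
    return {
        "schemas": [SCIM_GROUP_SCHEMA],
        "displayName": entra_group["displayName"],
        "members": members,
    }


def provision_all(entra_users: list, entra_groups: list) -> tuple:
    """Simulate one provisioning cycle: users first (so their SCIM ids exist), then groups.
    The ids "u-1", "u-2", ... are constructed stand-ins for ids the SCIM server would assign."""
    scim_users = []
    scim_id_by_upn = {}
    for n, entra_user in enumerate(entra_users, start=1):
        scim_user = build_scim_user(entra_user)
        scim_user["id"] = f"u-{n}"
        scim_id_by_upn[scim_user["userName"]] = scim_user["id"]
        scim_users.append(scim_user)
    scim_groups = [build_scim_group(g, scim_id_by_upn) for g in entra_groups]
    return scim_users, scim_groups


if __name__ == "__main__":
    import json
    users, groups = provision_all(SAMPLE_ENTRA_USERS, SAMPLE_ENTRA_GROUPS)
    print(json.dumps({"users": users, "groups": groups}, indent=2))
```

Running the block prints the resources for the two sample users and two sample groups; note that the second user's displayName becomes bob@example.com because the IIF expression falls back to userPrincipalName, and that the unresolvable member of the second group is dropped rather than sent as a dangling reference.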
Scope and Settings
- Go back to the Provisioning section.
- In the Settings tab, configure the scope of the provisioning (e.g., sync all users and groups, or sync only assigned users and groups).
- Configure the synchronization interval and any other relevant settings.
- Click Save.
Step 3: Assign Users and Groups
- Go to the Users and groups section of your application.
- Click on Add user/group.
- Select the users and groups you want to provision to Blameless and click Assign.
Step 4: Start Provisioning
- Return to the Provisioning section.
- Click on Start provisioning to begin the synchronization process.
Monitoring and Troubleshooting
- After provisioning starts, you can monitor the synchronization status and logs in the Provisioning section.
- Review any errors or warnings and address them as necessary. Logs provide detailed information about the provisioning operations.
Conclusion
You've now successfully configured SCIM provisioning for your custom Enterprise Application in the Azure Portal. This setup ensures that your users and groups are automatically provisioned and deprovisioned in Blameless, streamlining your identity management process.
For further assistance or troubleshooting, refer to the Azure AD SCIM Provisioning Documentation or contact Blameless Support.