Microsoft Entra ID (Azure AD)
Last updated
Copyright © 2023 configure8, Inc. All rights reserved.
Azure app configuration
To enable automated provisioning, you need to enable SSO and SCIM in the configure8 dashboard and create an app in your Azure organization.
Follow the instructions in How to set up SSO in Entra ID.
Log in to your Configure8 account as an admin.
On the same SSO configuration page (Settings -> Identity Management), click the gear next to SCIM and click Enable.
Go to your Configure8 dashboard and create a new API key with the Write scope and the Admin role. Make sure the created key has no expiration. See the API key specification.
In your configure8 Azure application, go to the Provisioning menu and activate provisioning using the Automatic provisioning mode. Enter https://app.configure8.io/public/v2/scim as the Tenant URL and the API key as the Secret token. Now you can test the connection.
After a successful Test Connection, click Save.
After saving, the Mappings section becomes enabled on the same screen. Expand it and set up the mapping for Group.
The next step is the mappings for User. Set the attribute settings as on the screen below and click Edit attribute list.
Make sure the active attribute is an expression with this value: Switch([IsSoftDeleted], , "False", "True", "True", "False").
Also, the emails field should map to userPrincipalName.
Tick the Required checkboxes for the specified attributes and set ID as the primary key.
Go back to the Provisioning tab and click Start provisioning.
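The User mapping above is easiest to reason about when you see what it produces. The script below is an added example (not configure8's or Microsoft's code) that turns Entra ID user objects into the SCIM 2.0 User resources the mappings describe: emails taken from userPrincipalName and active computed with Entra's Switch(source, defaultValue, key1, value1, ...) semantics for Switch([IsSoftDeleted], , "False", "True", "True", "False"). The sample users are constructed; the mappings userName <- userPrincipalName, externalId <- objectId and displayName <- displayName, and the assumption that IsSoftDeleted reaches the expression as the strings "True"/"False", are not stated on this page.

```python
"""Worked example of the User attribute mapping: Entra ID user objects ->
SCIM 2.0 User resources, including the Switch() expression for 'active'.
Added example, not configure8's or Microsoft's code; sample users constructed."""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample input: what the Entra provisioning service would read.
CONSTRUCTED_ENTRA_USERS = [
    {"objectId": "00000000-0000-0000-0000-000000000001",
     "userPrincipalName": "alice@example.test", "displayName": "Alice Example",
     "IsSoftDeleted": False},
    {"objectId": "00000000-0000-0000-0000-000000000002",
     "userPrincipalName": "bob@example.test", "displayName": "Bob Example",
     "IsSoftDeleted": True},          # deleted in Entra: must become inactive
    {"objectId": "00000000-0000-0000-0000-000000000003",
     "userPrincipalName": "carol@example.test", "displayName": "Carol Example"},
]                                      # no IsSoftDeleted: hits the empty default


def switch(source, default, *pairs):
    """Entra expression Switch(source, defaultValue, key1, value1, ...):
    the value whose key equals source, otherwise defaultValue."""
    if len(pairs) % 2:
        raise ValueError("Switch needs key/value pairs")
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if source == key:
            return value
    return default


def active_from_soft_deleted(entra_user):
    """Evaluate Switch([IsSoftDeleted], , "False", "True", "True", "False").
    Assumption: the boolean reaches the expression as "True"/"False" and a
    missing attribute falls through to the empty default."""
    raw = entra_user.get("IsSoftDeleted")
    source = "" if raw is None else str(bool(raw))
    mapped = switch(source, "", "False", "True", "True", "False")
    return None if mapped == "" else (mapped == "True")


def to_scim_user(entra_user):
    """Build the SCIM User. externalId <- objectId, userName <- userPrincipalName
    and displayName <- displayName are assumptions, not from the page."""
    upn = entra_user["userPrincipalName"]
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": entra_user["objectId"],
        "userName": upn,
        "displayName": entra_user.get("displayName", ""),
        # page: the emails field maps to userPrincipalName
        "emails": [{"value": upn, "type": "work", "primary": True}],
    }
    active = active_from_soft_deleted(entra_user)
    if active is not None:
        user["active"] = active
    return user


def provisioning_dry_run(entra_users):
    """Map every user and flag those whose 'active' could not be derived, so a
    soft-deleted account is never pushed with an ambiguous status."""
    payloads, warnings = [], []
    for entra_user in entra_users:
        scim_user = to_scim_user(entra_user)
        if "active" not in scim_user:
            warnings.append(f"{scim_user['userName']}: IsSoftDeleted missing, "
                            "active not set; verify the target's default")
        payloads.append(scim_user)
    return payloads, warnings


if __name__ == "__main__":
    users, problems = provisioning_dry_run(CONSTRUCTED_ENTRA_USERS)
    print(json.dumps(users, indent=2))
    for line in problems:
        print("WARNING:", line)
```

Run it before starting provisioning against a copy of your real user export: every user that was soft-deleted in Entra must come out with active set to false, and any user for which active is not set at all is worth checking, because a target that treats a missing active as true would keep a deleted account usable.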
Once you have set up the SCIM integration between Azure and Configure8, administrators can perform the following actions in Azure:
Adding, removing, and editing group members. Group membership must be managed in Azure.
Renaming user groups. Groups can only be renamed in Azure.
Deleting user groups. Groups, created in Azure, can only be deleted in Azure.
Editing user attributes (according to the user mapping above).
You can't edit these user details (names, email) in Configure8 if the user was provisioned as part of an Azure-provisioned user group.
User group membership can be edited only in Azure.
You must use Azure to delete provisioned users.
If an Azure-provisioned user group has the same name as an existing user group in Configure8, Configure8 retains both groups. To prevent confusion, you can rename the existing Configure8 group.
Note that user and group management, authorization and password management are handled by the Azure identity provider. The following are not handled by SCIM provisioning:
Roles, resource group assignments and permissions cannot be provisioned. You must assign permissions to user groups in Configure8.
Provisioning
To provision users and groups, you must assign entities to the Configure8 application. Azure runs provisioning every ~3 hours, so updates made in Azure are not provisioned to Configure8 immediately. There is a Provision on demand option (see screenshot below), but it has limitations (at most 5 users per group, etc.) and does not sync all update types.
RBAC
By default, provisioned users have the User role in Configure8. To change a role, use the Configure8 dashboard with your Administrator account.
Configure8 admins can still manage group owners and visibility controls directly in the Configure8 admin panel.