Set up a SCIM Provisioning App in Azure Active Directory
This guide will show you how to set up an Azure Active Directory (AD) enterprise app with System for Cross-domain Identity Management (SCIM) provisioning. When done, you will have enabled an enterprise app with provisioning to securely automate and manage user identity information, such as user account creation, updates, and deactivation, between Azure AD and strongDM.
Before You Begin
Ensure that you have the appropriate roles:
- In Azure AD, you must be assigned one of the following roles: Application Administrator, Cloud Application Administrator, or Global Administrator.
- In strongDM, you must be an Account Administrator.
Azure does not support the provisioning of nested roles via SCIM.
Azure AD SCIM Application Setup Guide
Create an enterprise application
- Log in to the Azure Active Directory portal.
- Go to Manage > Enterprise Applications in the left pane, and click + New application to create a new enterprise application.
- Click + Create your own application.
- Enter a descriptive name for your app, and then select Integrate any other application you don't find in the gallery (Non-gallery) because you’ll be creating your own application instead of using a published gallery app.
Set up provisioning
Go to the app’s Provisioning section.
Click Get Started.
In the provisioning properties, set the following:
Provisioning Mode: Set to Automatic.
Tenant URL: Set
Secret Token: Get the strongDM SCIM token by following these steps:
Go to the strongDM Admin UI’s Settings > User Management > Provisioning section.
Set the SCIM Provider option to Azure.
Click Activate SCIM and then copy and save the token generated.
Go back to your Azure console and fill the Secret Token field with the token you copied.
In this step, you’re using the HTTP Header authentication method and providing a bearer token to access your SCIM implementation.
The token is generated when provisioning is turned on for your strongDM instance, and it is shown one time only. To enable provisioning, please contact email@example.com.
Click Test Connection to test whether the new app can connect to your SCIM API. If there are errors, make sure your tenant URL and secret token are correct and try again.
Customize user provisioning attribute mappings
- Go back to the app’s Provisioning blade, and expand Mappings to view and edit the User attributes that flow between Azure AD and the target application.
- Edit the User Mappings one by one by deleting all attributes except for the following:
- Edit the Group Mappings in the same way by deleting all attributes except for the following:
- Set Provisioning Status to On.
Manual SCIM provisioning setup is now complete.
Due to an Azure limitation, syncs may occur from Azure at 40 minute intervals, so there may be changes or additions made in Azure that are not immediately reflected in strongDM (until the next sync).
Information About User Management in strongDM
In addition to managing Users and Roles through Azure AD, you have the flexibility to continue managing your Users and Roles directly through strongDM.
Here's what you can do:
- Manually create Users, Service Accounts, and Roles within strongDM—these will be identified with the sdm badge in the Admin UI indicating that they are "strongDM Managed."
- Attach strongDM-managed Users and Service Accounts to both strongDM-managed Roles and Azure AD-managed Roles from within strongDM.
- Attach Azure AD-managed Users to strongDM-managed Roles from within strongDM.
- Set Permission Levels for Users within the Admin UI for both strongDM-managed and Azure AD-managed users.
- Grant access through Roles and Temporary Access for Users from within strongDM.
Caveats and limitations
Due to the nature of how Azure AD integrates through SCIM 2.0, there are a few limitations to be aware of.
If a User is deleted in Azure AD, the following will happen:
- The User will be suspended in strongDM.
- The User will be unassigned from all Roles.
If that same User is restored in Azure AD, the following will happen:
- The User's status will change from "suspended" to "active" within strongDM.
- The User will be assigned to any Roles that are assigned to them in Azure AD.
- The User's Permission Level will be restored to "User."
Options to avoid
Azure AD does not support syncing Users contained within a nested group. The result of doing so will be that the group will sync into a Role within strongDM but any Users in the Azure AD-nested group will not be created in strongDM.
If you have any issues with your implementation, please contact firstname.lastname@example.org.