Set up a SCIM Provisioning App in Microsoft Entra ID
Last modified on August 26, 2024
User provisioning lets you continue to manage your organization’s users in one place and have those users populate into StrongDM. Provisioning removes the need to create a duplicate set of users in StrongDM for users that already exist in your identity management service. When provisioning users, the users are set up in the external service and are then synced to StrongDM. Provisioned users cannot be edited individually within StrongDM; changes to provisioned users are made at the source and are synced to StrongDM afterward. These users are given access to resources in StrongDM in the same manner as native users: by assigning them to roles that contain the desired access permissions.
This guide will show you how to set up a Microsoft Entra ID (formerly Azure AD) enterprise app with System for Cross-domain Identity Management (SCIM) provisioning. When done, you will have enabled an enterprise app with provisioning to securely automate and manage user identity information, such as user account creation, updates, and deactivation, between Microsoft Entra ID and StrongDM.
Prerequisites
Before you begin, ensure that you have the appropriate roles:
- In Microsoft Entra ID (formerly Azure AD), you must be assigned one of the following roles: Application Administrator, Cloud Application Administrator, or Global Administrator.
- In StrongDM, you must be an Account Administrator.
Microsoft Entra ID SCIM Application Setup Guide
Create an enterprise application
- Log in to the Azure portal.
- Go to Manage > Enterprise Applications in the left pane, and click + New application to create a new enterprise application.
- Click + Create your own application.
- Enter a descriptive name for your app, and then select Integrate any other application you don’t find in the gallery (Non-gallery) because you’ll be creating your own application instead of using a published gallery app.
Set up provisioning
Go to the app’s Provisioning section.
Click Get Started.
In the provisioning properties, set the following:
Provisioning Mode: Set to Automatic.
Tenant URL: Set to https://app.strongdm.com/provisioning/azure/v2
Secret Token: Get the StrongDM SCIM token by following these steps:
- Go to the StrongDM Admin UI’s Settings > User Management > Provisioning section.
- Set the SCIM Provider option to Azure.
- Click Activate SCIM and then copy and save the token generated. The token displays one time only.
- Go back to your Azure console and fill the Secret Token field with the token you copied.
For example:
aabb12fjfl445...jkhksjhf98345un
In this step, you are using the HTTP Header authentication method and providing a bearer token to access your SCIM implementation.
Click Test Connection to test whether the new app can connect to your SCIM API. If there are errors, make sure your tenant URL and secret token are correct and try again.
Click Save.
You also need to decide how you want your user information to sync with StrongDM. Under Provisioning > Settings > Scope are the choices Sync all users and groups and Sync only assigned users and groups.
Sync all users and groups syncs your entire Entra ID directory with StrongDM, and no users or groups need to be configured within this app.
Sync only assigned users and groups is the default behavior, and requires you to create the relevant groups under Users and Groups within this app. With this option selected, only the entities that are listed in Users and Groups are synced.
If you are using both SSO and SCIM, and separate Entra apps for each, you only have to create groups in the SCIM app.
Customize user provisioning attribute mappings
- Go back to the app’s Provisioning blade, and expand Mappings to view and edit the User attributes that flow between Microsoft Entra ID (formerly Azure AD) and the target application.
- Edit the User Mappings one by one by deleting all attributes except for the following:
- userName
- active
- name.givenName
- name.familyName
- name.formatted
- Edit the Group Mappings in the same way by deleting all attributes except for the following:
- displayName
- members
- Set Provisioning Status to On.
Manual SCIM provisioning setup is now complete.
Identity Aliases
If you intend to use Identity Aliases for your users, you can send multiple Identity Alias values from Entra ID. This section describes how to set up Entra ID to pass Identity Set and Identity Alias values for users when they are provisioned.
To set up Identity Aliases for your users, follow these steps.
- In Entra ID, create a custom attribute (for example, IdentityAliases) for the value(s) of Identity Aliases. This will be a delimited list of Identity Sets and Identity Aliases in a single string attribute.
- Add the application attribute. This is done via the “Edit attribute” list for your application in the advanced options of the user mapping page. Set the values of the application attribute as follows:
- Name: urn:ietf:params:scim:schemas:extension:strongdm:2.0:User:identityAliases
- Type: String
- Primary Key?: False
- Required?: False
- Multi-Value?: True
- Exact Case?: False
- Add the mapping between the values of these attributes. When adding the custom attribute, for Mapping type, choose Expression.
- For Expression, enter the expression in the format Split([extension_<APPLICATION_ID>_IdentityAliases], "<DELIMITER>") (for example, Split([extension_12345678abc_IdentityAliases], "|")). The delimiter can be a pipe (|) or some other arbitrarily chosen value. This custom attribute allows you to fill in values for multiple Identity Sets in a single field, based on the number of Identity Sets that your organization needs. The expression breaks the given string into an array with multiple values, each a comma-delimited set that consists of the Identity Set name and the Identity Alias for that Identity Set. For example, the expression separates the string "identity-set-1,identity-alias-1|identity-set-2,identity-alias-2|identity-set-3,identity-alias-3" into the strings "identity-set-1,identity-alias-1", "identity-set-2,identity-alias-2", and "identity-set-3,identity-alias-3".
- For Target attribute, set the SCIM schema: urn:ietf:params:scim:schemas:extension:strongdm:2.0:User:identityAliases.
- For Match objects using this attribute, choose No.
- For Apply this mapping, choose Always.
- Once the attribute is created, go to a user profile and enter a value for the new Identity Aliases array that you just created. The value of Identity Aliases must be entered as a comma-delimited set in the format <IDENTITY_SET_NAME>,<NAME_OF_IDENTITY_ALIAS_IN_THAT_IDENTITY_SET> (for example, identity-set-1,identity-alias-1). Multiple comma-delimited sets may be separated with a pipe (|), for example identity-set-1,identity-alias-1|identity-set-2,identity-alias-2.
When provisioned, the user in StrongDM will have those Identity Aliases, in those Identity Sets, in their user profile.
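The following added example (not StrongDM’s or Microsoft’s code) emulates the Split expression above on a constructed IdentityAliases value, builds the SCIM User resource that results from the mappings in this guide, and parses the multi-valued extension attribute back into Identity Set/Identity Alias pairs, flagging entries that are not exactly one comma-separated pair. The core User schema URN is the standard SCIM one; the extension URN and attribute names are those given above.

```python
import json

# SCIM schema URNs: the core User schema is standard SCIM 2.0; the StrongDM
# extension URN is the target attribute named in this guide.
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SDM_EXT = "urn:ietf:params:scim:schemas:extension:strongdm:2.0:User"
ALIAS_ATTR = "identityAliases"

def split_aliases(raw, delimiter="|"):
    """Emulate Split([extension_<APP_ID>_IdentityAliases], "|"):
    return the list of "identity-set,identity-alias" strings."""
    return [part for part in raw.split(delimiter) if part]

def build_scim_user(user_name, given, family, raw_aliases, delimiter="|"):
    """Build the SCIM User resource the mappings in this guide produce
    (userName, active, name.*, plus the multi-valued identityAliases)."""
    return {
        "schemas": [CORE_USER, SDM_EXT],
        "userName": user_name,
        "active": True,
        "name": {"givenName": given, "familyName": family,
                 "formatted": f"{given} {family}"},
        SDM_EXT: {ALIAS_ATTR: split_aliases(raw_aliases, delimiter)},
    }

def parse_identity_aliases(resource):
    """Receiving side: map each "<IDENTITY_SET_NAME>,<ALIAS>" value to
    identity set -> alias. Values that are not exactly one non-empty pair,
    or that repeat an identity set, are reported instead of silently dropped."""
    values = resource.get(SDM_EXT, {}).get(ALIAS_ATTR, [])
    aliases, bad = {}, []
    for value in values:
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2 or not all(parts) or parts[0] in aliases:
            bad.append(value)
            continue
        aliases[parts[0]] = parts[1]
    return aliases, bad

if __name__ == "__main__":
    # Constructed sample value, as stored in the custom Entra ID attribute.
    raw = ("identity-set-1,identity-alias-1|identity-set-2,identity-alias-2|"
           "identity-set-3,identity-alias-3")
    user = build_scim_user("jdoe@example.com", "Jane", "Doe", raw)
    print(json.dumps(user, indent=2))
    print(parse_identity_aliases(user))
```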
Information About User Management in StrongDM
In addition to managing Users and Roles through Microsoft Entra ID (formerly Azure AD), you have the flexibility to continue managing your Users and Roles directly through StrongDM.
Here’s what you can do:
- Manually create Users, Service Accounts, and Roles within StrongDM—these will be identified with the sdm badge in the Admin UI indicating that they are “StrongDM Managed.”
- Attach StrongDM-managed Users and Service Accounts to Roles managed by both StrongDM and Microsoft Entra ID from within StrongDM.
- Attach Users managed by Microsoft Entra ID to StrongDM-managed Roles from within StrongDM.
- Set Permission Levels for Users within the Admin UI for users managed by both StrongDM and Microsoft Entra ID.
- Grant access through Roles and Temporary Access for Users from within StrongDM.
Caveats and limitations
Due to the nature of how Microsoft Entra ID (formerly Azure AD) integrates through SCIM 2.0, there are a few limitations to be aware of.
If a User is deleted in Microsoft Entra ID, the following will happen:
- The User will be suspended in StrongDM.
- The User will be unassigned from all Roles.
If that same User is restored in Microsoft Entra ID, the following will happen:
- The User’s status will change from “suspended” to “active” within StrongDM.
- The User will be assigned to any Roles that are assigned to them in Microsoft Entra ID.
- The User’s Permission Level will be restored to “User.”
Options to avoid
Entra ID (formerly Azure AD) does not support syncing Users contained within a nested group. If you assign a nested group, the group syncs into a Role within StrongDM, but any Users in the Microsoft Entra ID nested group are not created in StrongDM.