
About SCIM Directory Integration with Microsoft Entra ID

SCIM Directory Integration with Microsoft Entra ID in Iru Endpoint allows you to set up SCIM-based user directory synchronization between Microsoft Entra ID and Iru Endpoint, enabling automatic user and group provisioning and deprovisioning.

How It Works

The SCIM integration creates a secure connection between Microsoft Entra ID and Iru Endpoint, enabling automatic synchronization of user and group data. When users or groups are added, modified, or removed in Microsoft Entra ID, these changes are automatically reflected in Iru Endpoint through the SCIM protocol.

Prerequisites

  • Complete the steps outlined in the SCIM Directory Integration support article to set up a new SCIM user directory in your Iru Endpoint tenant. You will need to obtain the SCIM access token and API URL.
  • Copy and store the token as described in the SCIM Directory Integration article. Once you click Done, the token will no longer be visible, and you will need it in a later step.
  • Be sure to review the supported user and group attributes listed in the SCIM Directory Integration article.
  • Ensure that nested groups are not included in the SCIM assignment, as Microsoft does not support nested group provisioning.

Creating the SCIM Integration in Microsoft Entra ID

1. Access Microsoft Entra Admin Center.
2. Navigate to Entra ID: Open the portal menu and then select Entra ID.
3. Access Enterprise Apps: On the Entra ID menu, select Enterprise apps.
4. View All Applications: In the Manage section, select All applications.
5. Create New Application: Select New application. If you have already created a SAML single sign-on application, you can select that application and add SCIM to it.
6. Choose Application Type: Select Create your own application.
7. Name the Application: Give the application a name.
8. Select Integration Type: Select Integrate any other application you don’t find in the gallery (Non-gallery).
9. Create Application: Click Create.
10. Access Provisioning: You will be taken to the Overview page for the newly created app. Under Manage, select Provisioning.
11. Create New Configuration: Click New Configuration.
12. Configure SCIM Connection: Paste the Iru Endpoint SCIM API URL that you copied earlier into the Tenant URL field.
13. Add Secret Token: Paste the API token that you copied earlier into the Secret token field.
14. Test Connection: Click Test connection. You should see a successful test notification.
15. Create Configuration: Click Create.
16. Access Provisioning Settings: Click Provisioning in the Manage section.
17. Configure Mappings: Expand the Mappings reveal triangle and ensure that both Groups and Users are enabled.
18. Configure Settings: Expand the Settings reveal triangle.
19. Set Scope: For Scope, choose Sync only assigned users and groups.
20. Enable Provisioning: Set the Provisioning Status to On.
21. Save Configuration: Click Save.
22. Close Settings: Click the X in the upper-right corner to close the settings.

Assigning Users and Groups

1. Access Users and Groups: Under Manage, select Users and groups.
2. Add Users and Groups: On the menu, select Add user/group.
3. Select Users and Groups: On the Add Assignment dialog, select the link under Users and groups.
4. Choose from List: A list of users and security groups is displayed. You can search for a specific user or group, or select multiple users and groups that appear in the list.
5. Select Assignments: Select the user(s) and group(s) you would like to assign.
6. Confirm Selection: Click Select.
7. Complete Assignment: Select Assign to finish assigning users and groups to the app.
8. Verify Assignment: Confirm that the users and groups you added appear in the Users and groups list.

If you see a message indicating that a free tier is being used, it means you can only add users (not groups) to the SCIM Enterprise App.

Considerations

AD CS Strong Certificate Mapping

When using Active Directory Certificate Services (AD CS), authentication will fail if a certificate can’t be strongly mapped to an Active Directory account. Follow the steps below to enable Strong Certificate Mapping for your directory integration.

Access Your SCIM App

1. Open Microsoft Entra ID Admin Portal.
2. Navigate to Enterprise Applications: Navigate to Applications > Enterprise Applications.
3. Find SCIM App: Find and open the SCIM app you’re using with Iru Endpoint.

Configure Provisioning

1. Access Provisioning: Under Manage, click Provisioning.
2. Open Attribute Mapping: Under Manage, click Attribute Mapping (Preview).
3. Select User Provisioning: Select Provision Microsoft Entra ID Users.

Add the Security Identifier Attribute

1. Scroll to Advanced Options: Scroll to the bottom of the page.
2. Show Advanced Options: Check the box to show advanced options.
3. Edit Attribute List: Click Edit attribute list for <customappsso>.
4. Add Security Identifier: Add a new field called onPremisesSecurityIdentifier, leaving the default type as String.
5. Save Changes: Click Save.

Map the Attribute

1. Return to Attribute Mapping: Go back to the Attribute Mapping section.
2. Add New Mapping: Scroll down and click Add New Mapping.
3. Configure Mapping Type: Keep Mapping type set to Direct.
4. Set Source Attribute: Set Source attribute to onPremisesSecurityIdentifier.
5. Set Target Attribute: Set Target attribute to onPremisesSecurityIdentifier.
6. Save Mapping: Click OK, then Save.

The onPremisesSecurityIdentifier attribute will show up in your user attributes in Iru Endpoint after the next Entra SCIM sync (every 20-40 minutes).

Syncing

User syncing is one-way: the Microsoft Entra ID SCIM app sends user information to Iru Endpoint, and only when there is new information to send. If a user or group is added to the SCIM app in Microsoft Entra ID after the app was created, a sync will happen every 40 minutes (an interval set by Microsoft Entra ID). If you want the sync to happen sooner, you can stop and start provisioning in the SCIM app in Microsoft Entra ID. This will not affect existing users and groups in Iru Endpoint.

Removing Users

  • If Entra ID sets a user to inactive, the user will be set as inactive in your Iru Endpoint tenant.
  • If Entra ID deletes a user, the user will be deleted from your Iru Endpoint tenant.

Blueprint Conditional Logic

If you use Assignment Map conditional logic with groups, you must explicitly add each group you want to have provisioned in Iru Endpoint to the SCIM app. Groups will not sync automatically by adding users that happen to be members of the group.

Microsoft Device Compliance

If you are using an Entra ID SCIM user directory integration together with the Microsoft Device Compliance integration, ensure that the externalId attribute in both the user and group attribute mappings of your SCIM application maps to objectId, as listed below. Iru Endpoint uses the objectId to map user and group resources in Intune.

User Attribute    User Value
externalId        objectId

Group Attribute   Group Value
externalId        objectId
Updating User Mappings and Group Mappings
1. Access SCIM Application: Navigate to the SCIM enterprise application in the Microsoft Entra admin center.
2. Open Provisioning: Select Provisioning.
3. Access Attribute Mapping: Select the Attribute mapping (Preview) section.
4. Choose User or Group Mapping: If you are updating user attributes, click Provision Microsoft Entra ID Users. If you are updating group attributes, click Provision Microsoft Entra ID Groups.
5. Verify External ID Mapping: Verify that externalId is mapped to objectId.
6. Update Mapping if Needed: If it is not, click the Edit button to the right of the attribute and select objectId from the list.
7. Save Changes: Click Save.
8. Return to Overview: Click the X to go back.
9. Restart Provisioning: Once back on the Provisioning overview page, if any values were changed, push the updated values to Iru Endpoint immediately by stopping and then starting the provisioning service.
10. Pause Provisioning: Click the Pause provisioning button.
11. Start Provisioning: Click the Start provisioning button.
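The mapping checks from the AD CS Strong Certificate Mapping and Microsoft Device Compliance sections can be audited outside the portal. The following is an added example, not code from this article or from Iru Endpoint: it reads a provisioning schema exported from the Entra provisioning page and reports any mapping that differs from what the sections above require. The JSON shape it expects (synchronizationRules, objectMappings, attributeMappings with source.name and targetAttributeName) is an assumption based on the Microsoft Graph synchronizationSchema resource, and the sample schema is constructed; confirm the shape against your own export.

```python
# Added example (not from the article or Iru Endpoint): audit an exported Entra
# provisioning schema for the mappings this article requires. The JSON shape is
# assumed from the Graph synchronizationSchema resource; sample data is constructed.

# targetObjectName -> [(targetAttributeName, expected Direct source attribute)]
REQUIRED = {
    "User": [("externalId", "objectId"),
             ("onPremisesSecurityIdentifier", "onPremisesSecurityIdentifier")],
    "Group": [("externalId", "objectId")],
}


def check_mappings(schema: dict) -> list:
    """Return human-readable findings; an empty list means the schema matches."""
    findings, seen = [], set()
    for rule in schema.get("synchronizationRules", []):
        for obj in rule.get("objectMappings", []):
            target = obj.get("targetObjectName")
            if target not in REQUIRED:
                continue
            seen.add(target)
            if not obj.get("enabled", True):
                findings.append(f"{target} object mapping is disabled")
            by_target = {m["targetAttributeName"]: m for m in obj.get("attributeMappings", [])}
            for attr, want_src in REQUIRED[target]:
                mapping = by_target.get(attr)
                if mapping is None:
                    findings.append(f"{target}: no mapping for {attr}")
                    continue
                src = mapping.get("source", {})
                # Only a Direct mapping from the expected attribute passes; an
                # expression or constant source is flagged even if it looks right.
                if src.get("type", "Attribute") != "Attribute" or src.get("name") != want_src:
                    findings.append(f"{target}: {attr} is mapped from {src.get('name')!r}, "
                                    f"expected direct {want_src!r}")
    for target in REQUIRED:
        if target not in seen:
            findings.append(f"no object mapping for {target}")
    return findings


# Constructed sample: Users are correct, Groups still map externalId from mail.
SAMPLE_SCHEMA = {"synchronizationRules": [{"objectMappings": [
    {"sourceObjectName": "User", "targetObjectName": "User", "enabled": True,
     "attributeMappings": [
         {"targetAttributeName": "externalId", "source": {"type": "Attribute", "name": "objectId"}},
         {"targetAttributeName": "onPremisesSecurityIdentifier",
          "source": {"type": "Attribute", "name": "onPremisesSecurityIdentifier"}}]},
    {"sourceObjectName": "Group", "targetObjectName": "Group", "enabled": True,
     "attributeMappings": [
         {"targetAttributeName": "externalId", "source": {"type": "Attribute", "name": "mail"}}]}]}]}
```

Run check_mappings on your exported schema after step 7 and again after the stop/start in steps 10 and 11; an empty result means both sections' requirements are met.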