Streamline lifecycle management for your organization by connecting Entra ID with JumpCloud through a real-time user import SCIM integration. This integration lets you manage your organization's user identities in Entra ID and connect users to all of the IT resources they need through JumpCloud. After you connect Entra ID with JumpCloud through our SCIM server, users are created, updated, and deleted in JumpCloud according to the actions you take on users in Entra ID, depending on the integration settings you choose.
Your organization can now also enable RADIUS access with users' Entra ID credentials. See RADIUS Configuration and Authentication.
Prerequisites
- A JumpCloud Administrator API key
Considerations
- The ?aadOptscim062020 flag must be added to the Tenant URL for user updates and deprovisioning to be supported.
- Only new users will be created if this flag is not added.
- Real-time Group import isn’t currently supported
- If a user is inactive in the source application, the user will not be created in JumpCloud. If you want the user to exist in JumpCloud, you must create the user manually.
Attribute Considerations
- The manager attribute isn’t supported
Integrating Entra ID with the JumpCloud SCIM Server
- Log in to your Entra ID tenant.
- Click on Enterprise applications to create a custom app.
- Click New application > Create your own application.
JumpCloud isn't in the Entra application Gallery.
- Under What's the name of your app?, enter a name that distinguishes the JumpCloud integration.
- Next, answer the question, What are you looking to do with your application? with the multiple choice answer, Integrate any other application you don’t find in the gallery (Non-gallery). Click Create.
- Now, you can see your application dashboard. In the left navigation menu, click on Single sign-on.
JumpCloud doesn't have SAML access for this app, so select either Disabled or Password-based from the options.
- If you select the Password-based option, the Sign-on URL needs to be provided. Copy and paste the JumpCloud user console URL into the designated field and click Save.
- In the left navigation menu, click Provisioning.
- Under the Provisioning Mode dropdown menu, select Automatic. This will power the real-time sync using the SCIM server.
- Under Admin Credentials, two fields are required to connect to the real-time JumpCloud import's API and synchronize your user data.
- Tenant URL: For JumpCloud, this is a SCIM-based URL: https://api.jumpcloud.com/scim/v2/?aadOptscim062020
- Secret Token: A JumpCloud API key should be used to authorize this integration. The API key in JumpCloud is associated with an admin account. Use an admin account with a role of Admin with Billing, Administrator, or Manager that will be a long-lived admin account for your organization. See Generating a New API Key.
- Click Test Connection. You will receive a notification that the authorization was successful. Click Save.
- Under Mappings, click on Provision Microsoft Entra ID (formerly Active Directory) Groups. The default option will be enabled to Yes.
JumpCloud doesn't currently support the real-time import of Groups, so this option needs to be toggled to No; then click Save. You will be prompted to confirm you want to save your changes; click Yes.
- Now, go back to the Provisioning dashboard > Mappings section and click on the next option, Provision Microsoft Entra ID (formerly Active Directory) Users. Leave this option enabled to Yes.
- Under Target Object Actions, there are three available capabilities: Create, Update, and Delete. Choose the options you want.
For Attribute Mappings, not all of the Entra ID attributes are available or supported within JumpCloud. Any unsupported attributes that are left enabled in Entra ID can cause the provisioning to fail.
- Click on an attribute to edit it. The attribute mapped to userName needs to be adjusted to satisfy JumpCloud's attribute validation. We suggest that userPrincipalName, the default mapping, be edited to change the source attribute to mailNickname, which is typically first.lastname. Click Ok.
- The mail attribute needs to be edited to change its source attribute to userPrincipalName. The primary email in JumpCloud is the work email, which serves as the userPrincipalName in Entra.
- From here, you can delete any attributes that you don't want mapped. Refer to the Attribute Mappings table below to see which attributes JumpCloud accepts from Entra, because not all attributes are supported.
- Once the Attribute Mappings are set, click Save. You will be prompted to confirm you want to save your changes, click Yes.
- Now, go back to the Provisioning dashboard > Settings section. There are options to Send email notifications if failures occur, in addition to Scope, which allows you to choose if you want to Sync all users and groups or only assigned users and groups.
- Leave the Provisioning Status toggled On.
- If any changes were made, click Save.
- Go back to the main dashboard > left navigation menu, click on Users and groups to assign users to the app.
- Click Add user/group > Users > None Selected to select Users to add. Search for the users you want to add and click Select, then Assign.
It takes about 40 minutes for users to be provisioned to JumpCloud. If you need to expedite this process, there is an option to Provision on demand.
- From the Provisioning dashboard, click Provision on demand, search for the user that needs to be added, select them, and click Provision. This pushes the new user to JumpCloud immediately.
- Notes:
- The user is added in a Password Pending status. Entra ID doesn't pass the user's password to JumpCloud.
- If changes are made to this user within JumpCloud, they won't be reflected in Entra ID through this integration.
We recommend using a name like Real-time JumpCloud Import, or something similar.
JumpCloud Supported SCIM Attribute Mappings
The following table lists the attributes that the JumpCloud SCIM client will accept from this integration. Learn about JumpCloud Properties and how they work with systemusers in our documentation.
Recommended Entra Attribute Mappings | SCIM v2 Mapping | JumpCloud Property | JumpCloud UI | JumpCloud Validation | Type
---|---|---|---|---|---
mailNickname | userName | username | Username | required, no special characters, max length 1024. Note: email may not be used as username; some integrations leverage the email substring for the username | string
givenName | name.givenName | firstname | First Name | max length 1024 | string
surname | name.familyName | lastname | Last Name | max length 1024 | string
userPrincipalName | emails: value (primary) | email | Company Email | email, required, max length 1024 | string
displayName | displayName | displayName | Display Name | - | string
Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | !suspended && !passwordExpired | N/A | - | boolean
- | meta.created | N/A | N/A | - | string
- | meta.lastModified | N/A | N/A | - | string
jobTitle | title | jobTitle | Job Title | - | string
department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:user:department | department | Department | - | string
- | locale | location | Location | - | string
- | costCenter | costCenter | Cost Center | - | string
- | userType | employeeType | Employee Type | - | string
- | organization | company | Company | - | string
employeeID | urn:ietf:params:scim:schemas:extension:enterprise:2.0:user:employeeNumber | employeeIdentifier | Employee ID | - | string
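The following script is an added example, not JumpCloud's or Microsoft's code, that ties together the attribute-mapping steps above (userName from mailNickname, email from userPrincipalName, the manager attribute left unmapped), the Tenant URL flag from the Considerations section, and the validation rules in the table. It builds the SCIM v2 User payload the integration would send and rejects values that would fail provisioning before they reach the SCIM server. Assumptions: the Entra user is represented as a plain dict keyed by the attribute names in the table (IsSoftDeleted included), "no special characters" is interpreted as letters, digits, dot, underscore and hyphen (JumpCloud's exact rule isn't on the page), and the sample user is constructed.

```python
import re
from urllib.parse import urlparse

# SCIM schema URNs from RFC 7643 (the table above writes the enterprise
# extension with a lowercase "user"; the RFC form is used here).
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Tenant URL flag from the Considerations section; without it only creates work.
UPDATE_FLAG = "aadOptscim062020"
MAX_LEN = 1024
# Assumption: "no special characters" read as letters, digits, dot, underscore, hyphen.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


class MappingError(ValueError):
    """Raised when a value would fail JumpCloud's attribute validation."""


def tenant_url_supports_updates(tenant_url):
    """True when the Tenant URL carries the flag needed for updates and deprovisioning."""
    parsed = urlparse(tenant_url)
    return parsed.path.rstrip("/").endswith("/scim/v2") and UPDATE_FLAG in parsed.query.split("&")


def validate_username(username):
    """Apply the userName rules from the mapping table."""
    if not username:
        raise MappingError("userName is required")
    if len(username) > MAX_LEN:
        raise MappingError("userName exceeds max length 1024")
    if "@" in username:
        raise MappingError("email may not be used as username")
    if not USERNAME_RE.match(username):
        raise MappingError("userName contains special characters")
    return username


def entra_active(is_soft_deleted):
    """Entra's Switch([IsSoftDeleted], , "False", "True", "True", "False") expression."""
    return not is_soft_deleted


def jumpcloud_active(suspended, password_expired):
    """JumpCloud's side of the active mapping: !suspended && !passwordExpired."""
    return not suspended and not password_expired


def to_scim_user(entra_user):
    """Build the SCIM v2 User payload from an Entra user dict using the recommended mappings."""
    if "manager" in entra_user:
        # The manager attribute isn't supported; leaving it mapped can fail provisioning.
        raise MappingError("manager attribute is not supported; remove it from the mapping")
    upn = entra_user.get("userPrincipalName")
    if not upn or "@" not in upn or len(upn) > MAX_LEN:
        raise MappingError("userPrincipalName must be an email (required, max length 1024)")

    user = {
        "schemas": [CORE_USER, ENTERPRISE_USER],
        "userName": validate_username(entra_user.get("mailNickname")),
        "name": {"givenName": entra_user.get("givenName"),
                 "familyName": entra_user.get("surname")},
        "emails": [{"value": upn, "primary": True}],
        "displayName": entra_user.get("displayName"),
        "title": entra_user.get("jobTitle"),
        "active": entra_active(entra_user.get("IsSoftDeleted", False)),
        ENTERPRISE_USER: {"department": entra_user.get("department"),
                          "employeeNumber": entra_user.get("employeeID")},
    }
    # Drop attributes the Entra object doesn't carry rather than sending nulls.
    user["name"] = {k: v for k, v in user["name"].items() if v is not None}
    user[ENTERPRISE_USER] = {k: v for k, v in user[ENTERPRISE_USER].items() if v is not None}
    return {k: v for k, v in user.items() if v is not None and v != {}}


# Constructed sample Entra user for the example (not real data).
SAMPLE_ENTRA_USER = {
    "mailNickname": "jane.doe",
    "userPrincipalName": "jane.doe@example.com",
    "givenName": "Jane",
    "surname": "Doe",
    "displayName": "Jane Doe",
    "jobTitle": "Security Engineer",
    "department": "Security",
    "employeeID": "E-1042",
    "IsSoftDeleted": False,
}

if __name__ == "__main__":
    import json
    print(tenant_url_supports_updates("https://api.jumpcloud.com/scim/v2/?aadOptscim062020"))
    print(json.dumps(to_scim_user(SAMPLE_ENTRA_USER), indent=2))
```

Running the script prints True for the documented Tenant URL and the payload for the sample user; feeding it a user whose mailNickname is an email address, or one that still carries the manager attribute, raises MappingError, which is the same class of input the page warns will make provisioning fail.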