SCIM Provisioning with Azure AD

This article describes how to provision users with an Azure Active Directory (AAD) custom System for Cross-domain Identity Management (SCIM), an open standard that allows for automated user provisioning.

Before you begin, you must configure an Azure as an Identity Provider.

Step 1: Generating an Endpoint and SCIM Token

To synchronize users and groups provisioned for the Axis Security application, Azure requires two pieces of information:

• An Endpoint to which AAD makes requests.
• A Bearer token for AAD to authenticate its endpoint requests.

To Generate an Endpoint and a SCIM Bearer Token:

1. In the Management Console, go to the Settings-> Identity Providers  screen.
2. Hover over theAzure Identity Provider and select edit. 
3. Navigate to Advanced Settings.

4. Go to User Auto-Provisioning (SCIM).
5. Click Generate new token.

6. Copy the SCIM Service Provider Endpoint and SCIM Provisioning Token and paste them into a text editor. You will need them for Step 3: Configuring the Integration.

Step 2: Creating an Azure Application

To create an Azure Application:

1. Log in to the Azure Active Directory Admin Center Dashboard. 
2. Select Enterprise applications from the list of Azure services.

3. Select New Application

4. Select Create your own application.

 5. In the What’s the name of your app? field, enter the name of your application.

6. Select Integrate any other application you don't find in the gallery (Non-gallery)
7. Click Create.

Step 3: Configuring the Integration

1. In Azure, go to the navigation menu.  
2. In the Manage section, select Provisioning.

3. Click the Get Started button.

4. Under Provisioning Mode, select Automatic.

5. Under Admin Credentials enter the Tenant URL and Secret Token obtained from the Axis SCIM configuration (step 1):

• Paste the SCIM Service Provider Endpoint in the Tenant URL field. 
• Paste the SCIM Provisioning Token in the Secret Token field. 

6. Click Test Connection to confirm that the connection is set up correctly. 
7. Click Save. 

Step 4: Setting and Enabling Attribute Mappings

To set and enable attribute mappings in Azure:

1. Expand the Mappings section.

2. In the Attribute Mappings section, enable group and user attribute mappings. 

Note: Make sure the user mapping only maps the attributes below, otherwise you will not be able to complete the provisioning.

• Mail
• givenName
• Department
• Surname
• switch(deleted)
• uuidPrinciaplName

Disable Nested Groups Provisioning

1. Go to Your application-> Provisioning-> Edit Provisioning.

2. Go to Groups Mapping-> Provision Azure Active Directory Groups.

3. Select Show advanced options and Edit attribute list for customappsso.

4. In Members-> Reference deselect the Group scheme as seen below to prevent the provision of nested groups.

5. Click Save. 

Step 5: Assigning users and groups to the application

To sync users and groups, you must assign them to the AAD SCIM application. 
To assign users and groups to the AAD SCIM application:

1. Go to Manage in the navigation menu.
2. Select Users and groups. 

3. Select Add user/group

4. Under Users and Groups, select None selected.

5. In the Users and Groups window, select the users and groups you want to add to the SCIM application. 
6. Click Select. 
7. Select Assign at the bottom of the screen.
8. In the Users and groups area, add the selected users and groups to the SCIM Application.

Step 6: Enabling provisioning for the SCIM application

1. Set Scope to Sync only assigned users and groups
2. Set Provisioning Status to On.

Revoking the Auto-Provisioning Token

To revoke an Auto-Provisioning token:

1. Go to Settings -> Identity Providers  
2. Hover over the relevant Azure AD IdP and click Edit .

The Edit Azure Active Directory IdP window appears.

1. Navigate to the Advanced settings section.
2. In the User Auto-Provisioning (SCIM) section, click Revoke Auto-Provisioning Token.