Microsoft Entra ID SCIM Auto User Provisioning Integration
1. Purpose
This document outlines the specific tasks required to configure an Entra ID Enterprise application for provisioning user identities to the MyCompliance portal.
Once configured, user provisioning in MyCompliance will be automated and controlled by the AAD Enterprise application.
2. Entra ID Auto User Provisioning
In AAD, the term 'app provisioning' refers to the process of automatically creating user identities and roles in cloud (SaaS) applications to which users require access.
In addition to creating user identities, automatic provisioning also involves maintaining and removing them as their status or roles change.
3. Configuration
The user responsible for creating and configuring the Non-gallery Enterprise application must be a Global Administrator of the specific Entra ID tenant or have the equivalent RBAC roles to develop Enterprise applications.
3.1 Create the Enterprise Application
- From the Azure Portal, select Microsoft Entra ID.
- Within Microsoft Entra ID, select Enterprise Applications, then click Create your own application.
- Enter a name for the application and confirm that the option Integrate any other application you don't find in the gallery (Non-gallery) is selected.
- Click Create.
3.2 Configure the Enterprise Application
- Once the Enterprise application has been created, you will be taken to the application Overview section.
- On the left-hand menu, select Provisioning.
- Next, select Get started.
- Change Provisioning Mode from Manual to Automatic.
- Enter the Tenant URL provided by your MetaCompliance technical representative. The URL will be in the format: https://scim.metacompliance.com/scim/uniquecompanykeyguid.
- Click Test Connection, and once successful, click Save.
⚠️ Important:
- Add users and groups before starting provisioning.
- The provisioning schedule runs on a 40-minute cycle. If no users/groups have been added when provisioning is enabled, it will take 40 minutes (the next cycle) for them to be provisioned to the MyCompliance portal once they are added.
3.3 Provision Users and Groups
- Return to the initial application start page, and on the left-hand side, select Users and groups.
- Select Add user/group, then select the users and/or groups you want to provision to the MyCompliance portal.
3.4 Remove Unsupported Attributes
- On the left-hand menu, select Provisioning and click Edit attribute mappings.
- Expand Mappings and select Provision Entra ID Users.
- Delete the following Attribute Mappings:
- displayName
- telephoneNumber
- mobile
- facsimileTelephoneNumber
- employeeId
- Confirm the Attribute Mappings match the above and select Save in the upper-left corner.
3.5 Add Scoping Filter
- Under Source Object Scope, click All records.
- Select Add Scoping Filter and add the scope as below:
- Click OK.
3.6 Advanced Settings – Update Required Attributes
- At the bottom of the User Attribute Mapping section, tick Show advanced options and click Edit attribute list for customappsso.
- Confirm that Required is ticked against the following fields:
- id
- emails[type eq "work"].value
- userName
- givenName
- familyName
- externalId
- Select Save.
3.7 Update Group Member Configuration
- On the left-hand menu, select Provisioning and click Edit attribute mappings.
- Expand Mappings and select Provision Entra ID Directory Groups.
- Scroll to the bottom; tick Show advanced options and select Edit attribute list for customappsso.
- Select the attribute name 'members' and click the Reference Object Attribute drop-down.
- Untick the option urn:ietf:params:scim:schemas:core:2.0:Group.
- The only value left selected should be urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.
- Select Save, followed by Restart provisioning.
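To show what the configuration in sections 3.4, 3.6 and 3.7 amounts to on the wire, the following is an added Python example (not MetaCompliance's or Microsoft's code) that validates constructed SCIM 2.0 User and Group payloads against those rules: the required attributes must be present, the deleted mappings must be absent, and group members must reference only Users. The SCIM attribute names phoneNumbers, name.givenName/name.familyName and employeeNumber are assumptions about where Entra ID's default mapping places the listed source attributes; the endpoint URL and all identifiers are constructed placeholders.

```python
"""Check a SCIM 2.0 User or Group resource against the attribute rules from
sections 3.4, 3.6 and 3.7.  Added example; not MetaCompliance or Microsoft code."""
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Section 3.6: attributes that must be present.  givenName / familyName live
# under the SCIM "name" complex attribute (assumed mapping of the page's names).
REQUIRED_USER_PATHS = [
    "id",
    'emails[type eq "work"].value',
    "userName",
    "name.givenName",
    "name.familyName",
    "externalId",
]

# Section 3.4: mappings that should have been deleted.  The Entra source attributes
# telephoneNumber / mobile / facsimileTelephoneNumber are assumed to land in
# phoneNumbers, and employeeId in the enterprise extension's employeeNumber.
UNSUPPORTED_USER_PATHS = [
    "displayName",
    'phoneNumbers[type eq "work"].value',
    'phoneNumbers[type eq "mobile"].value',
    'phoneNumbers[type eq "fax"].value',
]

# Matches one path segment carrying a SCIM value filter, e.g. emails[type eq "work"]
FILTER_RE = re.compile(r'^(\w+)\[(\w+) eq "([^"]+)"\]$')


def resolve(resource, path):
    """Resolve a dotted SCIM attribute path, including [x eq "y"] filters.
    Returns None when any segment is absent."""
    node = resource
    for segment in path.split("."):
        if not isinstance(node, dict):
            return None
        match = FILTER_RE.match(segment)
        if match:
            attr, key, wanted = match.groups()
            items = node.get(attr) or []
            node = next((i for i in items if isinstance(i, dict) and i.get(key) == wanted), None)
        else:
            node = node.get(segment)
    return node


def validate_user(user):
    """Return a list of problems; an empty list means the user passes the checks."""
    problems = []
    for path in REQUIRED_USER_PATHS:
        if resolve(user, path) in (None, ""):
            problems.append(f"missing required attribute {path}")
    for path in UNSUPPORTED_USER_PATHS:
        if resolve(user, path) not in (None, ""):
            problems.append(f"unsupported attribute present: {path}")
    if "employeeNumber" in (user.get(ENTERPRISE_USER_SCHEMA) or {}):
        problems.append("unsupported attribute present: employeeNumber")
    return problems


def validate_group(group):
    """Section 3.7: every member must reference a User, never a nested Group."""
    problems = []
    if GROUP_SCHEMA not in group.get("schemas", []):
        problems.append("group is missing the core Group schema")
    for member in group.get("members", []):
        if member.get("type") == "Group" or "/Groups/" in member.get("$ref", ""):
            problems.append(f"member {member.get('value')} references a Group")
    return problems


# Constructed sample payloads (placeholder tenant URL and ids, not real data).
SCIM_BASE = "https://scim.example.invalid/scim/<company-key-placeholder>"

GOOD_USER = {
    "schemas": [USER_SCHEMA, ENTERPRISE_USER_SCHEMA],
    "id": "00000000-0000-4000-8000-000000000001",
    "externalId": "11111111-1111-4111-8111-111111111111",
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "work", "primary": True, "value": "jane.doe@example.com"}],
    "active": True,
}

# No work e-mail, no externalId, and three mappings that should have been removed.
BAD_USER = {
    "schemas": [USER_SCHEMA, ENTERPRISE_USER_SCHEMA],
    "id": "00000000-0000-4000-8000-000000000002",
    "userName": "john.smith@example.com",
    "displayName": "John Smith",
    "name": {"givenName": "John", "familyName": "Smith"},
    "emails": [{"type": "home", "value": "john@example.net"}],
    "phoneNumbers": [{"type": "mobile", "value": "+44 7700 900000"}],
    ENTERPRISE_USER_SCHEMA: {"employeeNumber": "E1234"},
}

GOOD_GROUP = {
    "schemas": [GROUP_SCHEMA],
    "id": "00000000-0000-4000-8000-000000000003",
    "displayName": "Compliance Training",
    "members": [{"value": GOOD_USER["id"], "type": "User",
                 "$ref": f"{SCIM_BASE}/Users/{GOOD_USER['id']}"}],
}

NESTED_GROUP = {
    "schemas": [GROUP_SCHEMA],
    "id": "00000000-0000-4000-8000-000000000004",
    "displayName": "All Staff",
    "members": [{"value": GOOD_GROUP["id"], "type": "Group",
                 "$ref": f"{SCIM_BASE}/Groups/{GOOD_GROUP['id']}"}],
}

if __name__ == "__main__":
    for label, resource, check in [("good user", GOOD_USER, validate_user),
                                   ("bad user", BAD_USER, validate_user),
                                   ("good group", GOOD_GROUP, validate_group),
                                   ("nested group", NESTED_GROUP, validate_group)]:
        print(f"{label}: {check(resource) or 'OK'}")
```

Running the script prints an empty problem list for the well-formed user and group and five problems for the bad user. The same checks can be run over a request body copied from the provisioning logs (section 4.7) when a user or group fails to sync, which is usually faster than re-reading the attribute mapping screens.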
3.8 Turn on Automatic User Provisioning
- Return to the Provisioning section of the Enterprise application and select Start provisioning.
- At this point, AAD Auto User Provisioning is configured. After approximately 15 minutes, your users and groups will be successfully provisioned to the MyCompliance portal.
4. Sync Information
4.1 User and Group Mappings
Within the Enterprise application, customers can map the values of different Entra ID attributes to the values the SCIM API expects. The essential attributes are discussed in more detail in the SCIM API Design document.
It is recommended to keep the mappings as default; however, they can be customised to meet the customer's requirements.
- In the Enterprise app, select Provisioning on the left-hand menu and expand Mappings.
- By selecting either Users or Groups mappings, you can map attribute values and output them as the values the SCIM API expects.
- ⚠️ Important: Please consult your MetaCompliance technical representative before making changes, as this may impact usability for administrators on the frontend.
- For further information, please refer to: Tutorial - Customize Microsoft Entra attribute mappings in Application Provisioning (Microsoft Learn).
4.2 Dynamic Groups
Most organisations will have a valid group structure to add to the MyCompliance Enterprise app. However, it is important to note the benefits of dynamic groups.
- Microsoft Entra ID allows you to create complex attribute-based rules to enable dynamic memberships for groups.
- Dynamic group membership reduces the administrative overhead of adding and removing users (subject to correct licensing).
- For further information, please refer to: Rules for dynamically populated groups membership (Microsoft Learn).
4.3 Sync Schedule
When the Provisioning Status is turned on, the operation starts the initial synchronisation cycle of all users and groups defined in the Scope.
- The initial cycle takes longer than subsequent cycles.
- Subsequent cycles occur approximately every 40 minutes, provided the Entra ID provisioning service is running.
4.4 Sync Time Estimations
| Scope configuration | Users, groups, and members in scope | Initial cycle time | Incremental cycle time |
|---|---|---|---|
| Sync assigned users and groups only. | < 1,000 | < 30 minutes | < 30 minutes |
| Sync assigned users and groups only. | 1,000 - 10,000 | 142 - 708 minutes | < 30 minutes |
| Sync assigned users and groups only. | 10,000 - 100,000 | 1,170 - 2,340 minutes | < 30 minutes |
| Sync all users and groups in Entra ID. | < 1,000 | < 30 minutes | < 30 minutes |
| Sync all users and groups in Entra ID. | 1,000 - 10,000 | < 30 - 120 minutes | < 30 minutes |
| Sync all users and groups in Entra ID. | 10,000 - 100,000 | 713 - 1,425 minutes | < 30 minutes |
| Sync all users in Entra ID. | < 1,000 | < 30 minutes | < 30 minutes |
| Sync all users in Entra ID. | 1,000 - 10,000 | 43 - 86 minutes | < 30 minutes |
4.5 View Next Sync Run
- Expand View provisioning details to check the timestamp of the last completed cycle.
- Add 40 minutes to this time to determine when the next sync will trigger.
4.6 View Audit Logs
- Any user or group objects that cannot be validated will fail to provision. For more information, review the audit logs.
Further troubleshooting: Problem configuring user provisioning to a Microsoft Entra Gallery app | Microsoft Learn
4.7 View Provisioning Logs
- To see which users and groups were successfully created in the MyCompliance portal, select Provisioning logs (Preview) in Entra ID under the Monitoring section.
For more info: Provisioning logs in Microsoft Entra ID | Microsoft Learn
5. Single Sign-On
- To configure SSO for Entra ID, please refer to the following documentation: Configuring SSO with Entra ID
- ⚠️ Please note: This needs to be a separate application from the user provisioning application that has just been created.
⚠️ Important
- For existing customers looking to migrate to Entra ID Auto User Provisioning, please contact your account manager or your MetaCompliance technical representative.
- You can also contact Support at any time for further assistance: support@metacompliance.com