Microsoft Entra ID SCIM Auto User Provisioning Integration

1. Purpose

This document details the specific tasks required to configure an Entra ID Enterprise application to provision user identities to the MyCompliance portal.

Once configured, the provisioning of users within MyCompliance will be automated and controlled by the AAD Enterprise application.

2. Entra ID Auto User Provisioning

In AAD, the term 'app provisioning' refers to automatically creating user identities and roles in cloud (SaaS) applications to which users require access.

In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change.

3. Configuration

The user responsible for creating and configuring the Non-gallery Enterprise application must be a global administrator of the specific Entra ID tenant or have the equivalent RBAC roles to create Enterprise applications.

Please note that Microsoft Entra has prerequisites which must be met before this functionality can be used; these are listed in the article below:

3.1 Create the Enterprise Application

  • From the Azure Portal, select Microsoft Entra ID:

  • Within 'Microsoft Entra ID', select Enterprise Applications, then Create your own application.

  • Enter a name for the application and confirm the 'Integrate any other application you don't find in the gallery (Non-gallery)' option is selected, and click Create.

3.2 Configure the Enterprise Application

  • Once the Enterprise application has been created, you are taken to the application 'Overview' section.
  • On the left-hand side, select Provisioning.

  • Next, select Get started.

  • Change Provisioning Mode from Manual to Automatic.
  • Enter the URL provided to you by your MetaCompliance technical representative in the Tenant URL field. The URL will be in the format https://scim.metacompliance.com/scim/uniquecompanykeyguid
  • Click the 'Test Connection' button, and click Save once the test has been successful.

Info: It is important to add users and groups before starting provisioning. The provisioning schedule runs on a 40-minute cycle; if provisioning is enabled before any users or groups have been added, it will take 40 minutes before those users/groups are provisioned to the MyCompliance portal.

3.3 Provision Users and Groups

  • Return to the initial application start page and, on the left-hand side, select Users and groups.
  • Select Add user/group and, from here, select the Users and/or Groups you want to provision to the MyCompliance portal.

3.4 Remove Unsupported Attributes

  • On the left-hand side, select Provisioning and click Edit attribute mappings.
  • Expand Mappings and select Provision Entra ID Users.
  • Delete the following Attribute Mappings:
    • displayName
    • telephoneNumber
    • mobile
    • facsimileTelephoneNumber
    • employeeid

  • Confirm Attribute Mappings match the above, and select Save on the top left.

3.5 Add Scoping Filter

  • Under 'Source Object Scope', click All records.

  • Select Add Scoping Filter and add the scope as below:

  • Click OK.

3.6 Advanced Settings – Update Required Attributes

  • At the bottom of the 'User Attribute Mapping' section, tick the 'Show advanced options' box and click Edit attribute list for customappsso.

  • Confirm Required is ticked against the following fields:
    • id
    • emails[type eq "work"].value
    • userName
    • givenName
    • familyName
    • externalId
  • Select Save.
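To see what sections 3.4 and 3.6 mean on the wire, here is an added example (not code from the guide or from MetaCompliance) that checks a SCIM 2.0 User resource against the required attribute list and reports mappings that should have been deleted. It assumes the standard SCIM paths for the guide's attribute names (givenName and familyName under name, externalId) and assumes displayName and phoneNumbers as the SCIM-side targets of the deleted mappings; the sample resource is constructed, not real data.

```python
import re

# Required SCIM attribute paths from section 3.6. The guide's givenName and
# familyName live under "name" in the SCIM core User schema.
REQUIRED_PATHS = ["id", 'emails[type eq "work"].value', "userName",
                  "name.givenName", "name.familyName", "externalId"]
# Filtered-path form Entra uses for multi-valued attributes such as emails.
FILTER_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')

def resolve(resource, path):
    """Value at a SCIM attribute path, or None if absent. Handles
    name.givenName sub-attributes and emails[type eq "work"].value."""
    m = FILTER_PATH.match(path)
    if m:
        attr, key, wanted, field = m.groups()
        for item in resource.get(attr) or []:
            if isinstance(item, dict) and item.get(key) == wanted:
                return item.get(field)
        return None
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node

def missing_required(resource, inbound=True):
    """Required paths that are absent or empty. 'id' is assigned by the SCIM
    service, so it is only checked on responses, not on the inbound POST."""
    paths = [p for p in REQUIRED_PATHS if p != "id" or not inbound]
    return [p for p in paths if resolve(resource, p) in (None, "")]

def unsupported_present(resource):
    """SCIM targets of the mappings deleted in section 3.4 that are still
    being sent. displayName and phoneNumbers as targets are assumed from
    Entra's default mappings; the guide names only the source attributes."""
    return [attr for attr in ("displayName", "phoneNumbers")
            if resource.get(attr)]

# Constructed sample resembling what Entra POSTs to /Users (not real data).
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "externalId": "00000000-0000-0000-0000-000000000001",
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "work", "primary": True, "value": "jane.doe@example.com"}],
    "phoneNumbers": [{"type": "work", "value": "+44 20 0000 0000"}],
}
```

Running `unsupported_present(SAMPLE_USER)` flags the phoneNumbers still being sent, which is the symptom of a telephoneNumber/mobile mapping that was not deleted in section 3.4.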

3.7 Update Group Member Configuration

  • On the left-hand side, select Provisioning and click Edit attribute mappings.
  • Expand Mappings and select Provision Entra ID Directory Groups.
  • Scroll to the bottom and tick Show advanced options and select Edit attribute list for customappsso.
  • Select the attribute Name 'members' and open the 'Reference Object Attribute' drop-down.
  • Untick the option urn:ietf:params:scim:schemas:core:2.0:Group.
  • Only urn:ietf:params:scim:schemas:extension:enterprise:2.0:User should remain selected.

  • Select Save followed by Restart provisioning.

3.8 Turn on Automatic User Provisioning

  • Return to the 'Provisioning' section of the Enterprise application, and select Start provisioning.

  • At this point, the AAD Auto User Provisioning is configured and, after about 15 minutes, you will find your Users and Groups successfully provisioned to the MyCompliance portal.

4. Sync Information

4.1 User and Group Mappings

  • Within the Enterprise application, customers can output values of different attributes to the expected SCIM API value. The essential attributes are discussed in more detail in the SCIM API Design document.
    • It is recommended to keep the mappings as default, but they can be altered to meet the customer's needs. For example, if the department attribute is not populated correctly, the 'City' value in Entra ID could be mapped to the 'Department' value in MetaCompliance.
  • Within the Enterprise app, select Provisioning on the left-hand side and expand Mappings.
  • By selecting either Users or Groups mappings, you can map attribute values and output them as the values the SCIM API expects. Please discuss this with your MetaCompliance technical representative as it could affect usability for the end administrator on the frontend.
  • For further information, please refer to: Tutorial - Customize Microsoft Entra attribute mappings in Application Provisioning (Microsoft Learn)

4.2 Dynamic Groups

  • Although most organisations will have a valid group structure to add to the MyCompliance Enterprise app, it is important to note the power of dynamic groups.
    • Microsoft Entra ID allows you to create complex attribute-based rules to enable dynamic memberships for groups.
    • Dynamic group membership reduces the administrative overhead of adding and removing users. (Dependent on correct licensing.)
  • For further information, please refer to Rules for dynamically populated groups membership (Microsoft Learn)

4.3 Sync Schedule

  • When the Provisioning Status is turned on, the operation starts the initial synchronisation cycle of all users and groups defined in the Scope.
  • The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes, assuming the Entra ID provisioning service is running.

4.4 Sync Time Estimations

Scope configuration                    | Users, groups and members in scope | Initial cycle time    | Incremental cycle time
---------------------------------------|------------------------------------|-----------------------|-----------------------
Sync assigned users and groups only    | < 1,000                            | < 30 minutes          | < 30 minutes
Sync assigned users and groups only    | 1,000 - 10,000                     | 142 - 708 minutes     | < 30 minutes
Sync assigned users and groups only    | 10,000 - 100,000                   | 1,170 - 2,340 minutes | < 30 minutes
Sync all users and groups in Entra ID  | < 1,000                            | < 30 minutes          | < 30 minutes
Sync all users and groups in Entra ID  | 1,000 - 10,000                     | < 30 - 120 minutes    | < 30 minutes
Sync all users and groups in Entra ID  | 10,000 - 100,000                   | 713 - 1,425 minutes   | < 30 minutes
Sync all users in Entra ID             | < 1,000                            | < 30 minutes          | < 30 minutes
Sync all users in Entra ID             | 1,000 - 10,000                     | 43 - 86 minutes       | < 30 minutes

More info: Find out when a specific user is able to access an app in Microsoft Entra Application Provisioning | Microsoft Learn

4.5 View Next Sync Run

  • Expand View provisioning details to check the timestamp of the last completed cycle.
  • Add 40 minutes to this time to determine when the next sync will trigger.

4.6 View Audit Logs

  • Any user or group objects which cannot be validated will fail to provision; check the audit logs for the reason.

Further troubleshooting: Problem configuring user provisioning to a Microsoft Entra Gallery app | Microsoft Learn

4.7 View Provisioning Logs

  • To see which users and groups were successfully created in the MyCompliance portal, select Provisioning logs (Preview) in Entra ID under the 'Monitoring' section.

For more info: Provisioning logs in Microsoft Entra ID | Microsoft Learn

5. Single Sign-On

5.1 Adding Single Sign-On

  • Upon successful completion of a user sync, you must then facilitate the logon process by permitting SSO for your users. There are two methods of adding this functionality: Application Consent, and registration via the Microsoft app gallery. Both methods ultimately result in the registration of the MyCompliance app within the 'App Registrations' section of your Entra ID tenancy.

5.2 Method 1 – Application Consent

  • Once your technical representative has enabled SSO on your MyCompliance tenant, an Azure global admin, who has successfully synced, can log in to MyCompliance (https://cloud.metacompliance.com) and simply accept the application consent form on behalf of their organisation - see screenshot below. This will register the MyCompliance SSO app within their Azure tenancy.
  • Once the consent form has been accepted, users will no longer see this prompt.

5.3 Method 2 – Microsoft App Gallery

SSO can be enabled by registering the MyCompliance application within your Entra ID tenancy. Following the below path, you can search for MyCompliance and register the application.

  • Entra ID > Enterprise Applications > New application > Add from the gallery > Search for MyCompliance. (See below)

  • Select the MyCompliance application, and then click on Add.
  • Your users should now be able to log in to MyCompliance.

6. Notes

For any current customers looking to migrate to Entra ID Auto User Provisioning, please contact your account manager or your MetaCompliance technical representative.

You can also contact Support at any time for further information: support@metacompliance.com