SCIM - Azure AD Configuration
1 Purpose
This document details the specific tasks required to configure an Azure AD (AAD) Enterprise application to provision user identities to the MyCompliance portal.
Once configured, the provisioning of users within MyCompliance will be automated and controlled by the AAD Enterprise Application.
2 Azure AD Auto User Provisioning
In AAD, the term 'App Provisioning' refers to automatically creating user identities and roles in cloud (SaaS) applications to which users require access. In addition to creating user identities, Automatic Provisioning includes the maintenance and removal of user identities as status or roles change.
3 Configuration
The user responsible for creating and configuring the Non-gallery Enterprise Application must be a global administrator of the specific Azure AD tenant, or have the equivalent RBAC roles to create Enterprise Applications.
3.1 Create the Enterprise Application
- From the Azure portal, select Azure Active Directory.
- Within 'Azure Active Directory' (AAD), select Enterprise Applications and then select Create your own application.
- Enter a name for the application and confirm the 'Integrate any other application you don't find in the gallery (Non-gallery)' option is selected.
- Click Create.
3.2 Configure Enterprise Application
Once the Enterprise application is created, you are taken to the Application Overview section.
- On the left-hand side, select Provisioning.
- Click Get started.
- Change Provisioning Mode from 'Manual' to 'Automatic'.
- Enter the URL, provided to you by your MetaCompliance technical representative, in the Tenant URL field. The URL will be in the format of:
- Click the Test Connection button, and click Save once the test is successful.
- Note: It is important to add users and groups prior to starting provisioning. The provisioning schedule runs on a 40-minute cycle; once enabled, if no users/groups have been added, it will take 40 minutes before the users/groups are provisioned to the MyCompliance portal.
3.3 Provision Users and Groups
- Return to the initial application start page and, on the left-hand side, select Users and groups.
- Select Add user/group and, from here, select the users and/or groups you want to provision to the MyCompliance portal.
3.4 Edit Mappings
On the left-hand side, select Provisioning and click Edit attribute mappings.
- Expand Mappings, and select Provision Azure Active Directory Users.
- Delete the following Attribute Mappings:
  - displayName
  - telephoneNumber
  - mobile
  - facsimileTelephoneNumber
  - employeeId
- Confirm 'Attribute Mappings' match the above, and select Save on the top left.
3.5 Advanced Settings
At the bottom of the 'User Attribute Mapping' section, tick the 'Show advanced options' box, and click Edit attribute list for customappsso.
- Confirm Required is ticked against the following fields: id, emails[type eq "work"].value, userName, givenName, familyName and externalId, and select Save.
3.6 Turn on Automatic User Provisioning
- Return to the 'Provisioning' section of the Enterprise Application, and select Start provisioning.
- At this point, the AAD Auto User Provisioning is configured. After about 15 minutes, you will find your users and groups successfully provisioned to the MyCompliance portal.
4 Sync information
4.1 User and Group Mappings
Within the 'Enterprise Application', customers can output values of different attributes to the expected SCIM API value. The essential attributes are discussed, in more detail, in the SCIM API Design document.
It is recommended to keep the mappings as default, but they can be altered to meet the customer's needs. An example might be if the 'Department' attribute is not populated correctly, and the user would like to set the 'City' value in AAD to the Department value in MetaCompliance.
- Within the Enterprise App, select Provisioning on the left-hand side, and expand Mappings.
- By selecting either Users or Groups mappings, you can map attribute values and output them as the values the SCIM API expects. Please discuss this with your MetaCompliance technical representative as it could affect usability for the end administrator on the front end.
- More Info here: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes
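As an added worked example (not code from MetaCompliance, nor Microsoft's provisioning service), the following Python script shows what the attribute mappings in this section and the required attribute list in section 3.5 mean on the wire: it builds a SCIM 2.0 User resource from an Azure AD user record using a default-style mapping table, applies the 'City as Department' override described above, and checks the result for the attributes marked Required. The mapping tables, the AAD attribute names and the sample user are constructed for illustration; the values the MyCompliance SCIM API actually expects are defined in the SCIM API Design document, not here.

```python
"""Build and validate SCIM 2.0 User payloads from Azure AD user attributes.
Added example for this page; mapping tables and sample data are constructed."""
import json
import re
from typing import Any, Dict, List, Optional, Tuple

SCIM_CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Attributes section 3.5 says must be marked Required. The page lists the name
# parts by their short names; in SCIM they live under name.*. The path
# 'emails[type eq "work"].value' is SCIM filter notation: the value of the
# email entry whose type is "work".
REQUIRED_ATTRIBUTES = (
    "id",
    'emails[type eq "work"].value',
    "userName",
    "name.givenName",
    "name.familyName",
    "externalId",
)

# AAD source attribute -> SCIM target path. Constructed to mirror the shape of
# the portal's mapping table; this is not the actual default mapping.
DEFAULT_MAPPING: Dict[str, str] = {
    "objectId": "externalId",
    "userPrincipalName": "userName",
    "givenName": "name.givenName",
    "surname": "name.familyName",
    "mail": 'emails[type eq "work"].value',
    "department": SCIM_ENTERPRISE_USER + ":department",
}

# Section 4.1's example: feed the AAD 'City' value into Department instead.
CITY_AS_DEPARTMENT: Dict[str, str] = {
    **{src: dst for src, dst in DEFAULT_MAPPING.items() if src != "department"},
    "city": SCIM_ENTERPRISE_USER + ":department",
}

# One path segment: attr, or attr[subAttr eq "value"]
SEGMENT = re.compile(r'^(\w+)(?:\[(\w+) eq "([^"]*)"\])?$')


def _split_schema(path: str) -> Tuple[Optional[str], str]:
    """Separate an extension-qualified path into (schema URN, attribute path)."""
    if path.startswith("urn:"):
        schema, _, attr = path.rpartition(":")
        return schema, attr
    return None, path


def set_path(resource: Dict[str, Any], path: str, value: Any) -> None:
    """Write value at a SCIM path, creating containers and filtered entries."""
    schema, attr = _split_schema(path)
    node: Any = resource.setdefault(schema, {}) if schema else resource
    segments = attr.split(".")
    for i, seg in enumerate(segments):
        match = SEGMENT.match(seg)
        if not match:
            raise ValueError(f"unsupported SCIM path segment: {seg!r}")
        name, filt_attr, filt_val = match.groups()
        last = i == len(segments) - 1
        if filt_attr is not None:
            if last:
                raise ValueError("a filtered path must end in a sub-attribute")
            entries: List[Dict[str, Any]] = node.setdefault(name, [])
            entry = next((e for e in entries if e.get(filt_attr) == filt_val), None)
            if entry is None:
                entry = {filt_attr: filt_val}
                entries.append(entry)
            node = entry
        elif last:
            node[name] = value
        else:
            node = node.setdefault(name, {})


def get_path(resource: Dict[str, Any], path: str) -> Any:
    """Read the value at a SCIM path, or None if any part is absent."""
    schema, attr = _split_schema(path)
    node: Any = resource.get(schema, {}) if schema else resource
    for seg in attr.split("."):
        match = SEGMENT.match(seg)
        if not match:
            raise ValueError(f"unsupported SCIM path segment: {seg!r}")
        name, filt_attr, filt_val = match.groups()
        node = node.get(name) if isinstance(node, dict) else None
        if filt_attr is not None:
            node = next((e for e in (node or []) if e.get(filt_attr) == filt_val), None)
        if node is None:
            return None
    return node


def build_scim_user(aad_user: Dict[str, Any], mapping: Dict[str, str]) -> Dict[str, Any]:
    """Apply a mapping table to an AAD user record and return a SCIM User."""
    resource: Dict[str, Any] = {"schemas": [SCIM_CORE_USER]}
    for aad_attr, scim_path in mapping.items():
        value = aad_user.get(aad_attr)
        if value in (None, ""):
            continue  # this example omits unpopulated source attributes
        set_path(resource, scim_path, value)
    if SCIM_ENTERPRISE_USER in resource:
        resource["schemas"].append(SCIM_ENTERPRISE_USER)
    return resource


def missing_required(resource: Dict[str, Any], outbound: bool = True) -> List[str]:
    """Return required paths absent from the resource. The SCIM service assigns
    'id', so an outbound create request is not expected to carry it."""
    paths = [p for p in REQUIRED_ATTRIBUTES if not (outbound and p == "id")]
    return [p for p in paths if get_path(resource, p) in (None, "")]


# Constructed sample user: Department is unpopulated but City is, as in 4.1.
SAMPLE_AAD_USER = {
    "objectId": "00000000-0000-0000-0000-000000000001",
    "userPrincipalName": "jane.doe@example.com",
    "givenName": "Jane",
    "surname": "Doe",
    "mail": "jane.doe@example.com",
    "department": "",
    "city": "Belfast",
}

if __name__ == "__main__":
    user = build_scim_user(SAMPLE_AAD_USER, CITY_AS_DEPARTMENT)
    print(json.dumps(user, indent=2))
    print("missing required attributes:", missing_required(user))
```

Running the script prints the JSON a provisioning create request would carry for the sample user and lists any required attributes that are missing; with the default-style mapping the enterprise department attribute is simply absent, with the override it carries the City value. The `id` attribute is assigned by the SCIM service (the MyCompliance side) and only appears in responses, which is why the outbound check skips it.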
4.2 Dynamic Groups
Although most organisations will have a valid group structure to add to the MyCompliance Enterprise App, it is important to note the power of dynamic groups.
AAD allows you to create complex attribute-based rules to enable dynamic memberships for groups. Dynamic group membership reduces the administrative overhead of adding and removing users, dependent on correct licensing.
More Info here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
4.3 Sync Schedule
When the Provisioning status is enabled, the operation starts the initial synchronisation cycle of all users and groups defined in the Scope. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes (assuming the Azure AD provisioning service is running).
4.4 Sync Time Estimations
| Scope configuration | Users, groups, and members in scope | Initial cycle time | Incremental cycle time |
|---|---|---|---|
| Sync assigned users and groups only | < 1,000 | < 30 minutes | < 30 minutes |
| Sync assigned users and groups only | 1,000 - 10,000 | 142 - 708 minutes | < 30 minutes |
| Sync assigned users and groups only | 10,000 - 100,000 | 1,170 - 2,340 minutes | < 30 minutes |
| Sync all users and groups in Azure AD | < 1,000 | < 30 minutes | < 30 minutes |
| Sync all users and groups in Azure AD | 1,000 - 10,000 | < 30 - 120 minutes | < 30 minutes |
| Sync all users and groups in Azure AD | 10,000 - 100,000 | 713 - 1,425 minutes | < 30 minutes |
| Sync all users in Azure AD | < 1,000 | < 30 minutes | < 30 minutes |
| Sync all users in Azure AD | 1,000 - 10,000 | 43 - 86 minutes | < 30 minutes |
4.5 View Next Sync Run
Expand View provisioning details to check the timestamp of the last completed cycle; add 40 minutes to this time to determine when the next sync will trigger.
4.6 View Audit Logs
Any user or group objects which cannot be validated will fail to provision; for more information on this, check the audit logs.
Further troubleshooting can be found here: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioningconfig-problem
4.7 View Provisioning Logs
For more information on which users and groups were successfully created in the MyCompliance portal, select Provisioning Logs (Preview) in Azure Active Directory under the 'Monitoring' section.
5 Single Sign-On
5.1 Adding Single Sign-On
Upon successful completion of a user sync, you must then facilitate the logon process by permitting SSO for your users.
There are two methods of adding this functionality: (a) 'Application Consent' and (b) via the Microsoft App Gallery.
Both methods ultimately result in the registration of the MyCompliance app within the 'App Registrations' section of your Azure AD tenancy.
5.2 Method 1 – Application Consent
Once your technical representative has enabled SSO on your MyCompliance tenant, an Azure Global admin (who has successfully synced) can log in to MyCompliance (https://cloud.metacompliance.com) and simply accept the Application Consent Form on behalf of their organisation (see screenshot below).
This will register the MyCompliance SSO app within their Azure tenancy. Once the consent form has been accepted, users will no longer see this prompt.
5.3 Method 2 – Microsoft App Gallery
SSO can be enabled by registering the MyCompliance application within your Azure AD tenancy. Following the below path, you can search for MyCompliance and register the application.
- Azure AD > Enterprise Applications > New application > Add from the gallery > Search for MyCompliance (See below)
- Select the MyCompliance Application, followed by clicking on Add. Your users should now be able to log in to MyCompliance.
6 Notes
- For any current customers looking to migrate to Azure AD Auto User Provisioning, please contact your Account Manager or your MetaCompliance technical representative.
- You can also contact Support at any time for further information: support@metacompliance.com.