SCIM - Azure AD Configuration

Table of Contents

1. Purpose

2. Azure AD Auto User Provisioning

3. Configuration

4. Sync Information

5. Single Sign-On

6. Notes

1 Purpose

This document details the specific tasks required to configure an Azure AD (AAD) Enterprise application to provision user identities to the MyCompliance portal.

Once configured, the provisioning of users within MyCompliance will be automated and controlled by the AAD Enterprise Application.

2 Azure AD Auto User Provisioning

In AAD, the term 'App Provisioning' refers to automatically creating user identities and roles in cloud (SaaS) applications to which users require access. In addition to creating user identities, Automatic Provisioning includes the maintenance and removal of user identities as status or roles change.

3 Configuration

The user responsible for creating and configuring the Non-gallery Enterprise Application must be a Global Administrator of the specific Azure AD tenant, or hold equivalent RBAC roles that permit creating Enterprise Applications.

3.1 Create the Enterprise Application

  • From the Azure portal, select Azure Active Directory.
  • Within 'Azure Active Directory' (AAD), select Enterprise Applications and then select Create your own application.

  • Enter a name for the application and confirm the 'Integrate any other application you don't find in the gallery (Non-gallery)' option is selected.
  • Click Create.

3.2 Configure Enterprise Application

Once the Enterprise application is created, you are taken to the Application Overview section.

  • On the left-hand side, select Provisioning.

  • Click Get started.

  • Change Provisioning Mode from 'Manual' to 'Automatic'.
  • Enter the URL provided to you by your MetaCompliance technical representative in the Tenant URL field. The URL will be in the format of:
  • Click the Test Connection button, and click Save once the test is successful.

  • Note: It is important to add users and groups before starting provisioning. The provisioning schedule runs on a 40-minute cycle; once provisioning is enabled, if no users/groups have been added, it will take 40 minutes before any users/groups you add are provisioned to the MyCompliance portal.

3.3 Provision Users and Groups

  • Return to the initial application start page and, on the left-hand side, select Users and groups.
  • Select Add user/group and, from here, select the users and/or groups you want to provision to the MyCompliance portal.

3.4 Edit Mappings

On the left-hand side, select Provisioning and click Edit attribute mappings.

  • Expand Mappings, and select Provision Azure Active Directory Users.
  • Delete the following Attribute Mappings.
    • displayName
    • telephoneNumber
    • mobile
    • facsimileTelephoneNumber
    • employeeid

  • Confirm 'Attribute Mappings' match the above, and select Save on the top left.

3.5 Advanced Settings

At the bottom of the 'User Attribute Mapping' section, tick the 'Show advanced options' box, and click Edit attribute list for customappsso.

  • Confirm Required is ticked against the following fields: id, emails[type eq "work"].value, userName, givenName, familyName and externalid, and select Save.
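To show what the mappings in 3.4 and 3.5 produce on the wire, here is an added example (not part of this article or of MetaCompliance's code) that checks a SCIM 2.0 user payload, of the shape Azure AD sends to a SCIM endpoint, for the required attributes listed above. The payload is constructed; the path resolver handles only dotted sub-attributes and the simple filter form emails[type eq "work"].value, and it assumes that givenName/familyName live under the SCIM 'name' attribute, that the article's 'externalid' is SCIM's externalId, and that 'id' is assigned by the receiving service on create (RFC 7643), so it is not expected in a create request.

```python
import re

# Attributes section 3.5 says must be marked Required, spelled as SCIM 2.0
# paths (assumed: givenName/familyName sit under the 'name' complex attribute,
# and the article's 'externalid' is SCIM's 'externalId').
REQUIRED_PATHS = ["id", 'emails[type eq "work"].value', "userName",
                  "name.givenName", "name.familyName", "externalId"]

# One filtered path segment, e.g.  emails[type eq "work"]
_FILTER_RE = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]$')


def resolve_path(resource, path):
    """Resolve a SCIM path: dotted sub-attributes plus a single
    attr[sub eq "value"] filter. Returns None if any segment is missing
    or the filter matches nothing (assumes no '.' inside the filter value)."""
    current = resource
    for segment in path.split("."):
        m = _FILTER_RE.match(segment)
        if m:
            attr, sub, wanted = m.groups()
            items = current.get(attr, []) if isinstance(current, dict) else []
            hits = [i for i in items if isinstance(i, dict) and i.get(sub) == wanted]
            if not hits:
                return None
            current = hits[0]
        elif isinstance(current, dict) and segment in current:
            current = current[segment]
        else:
            return None
    return current


def missing_required(resource, on_create=False):
    """Required paths absent or empty in `resource`. On a create request the
    service provider assigns 'id' (RFC 7643), so it is not expected inbound."""
    return [p for p in REQUIRED_PATHS
            if not (on_create and p == "id")
            and resolve_path(resource, p) in (None, "")]


# Constructed sample of the shape Azure AD would POST for a new user.
SAMPLE_CREATE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "externalId": "00000000-0000-0000-0000-000000000001",  # placeholder object id
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "work", "value": "jane.doe@example.com", "primary": True}],
    "active": True,
}
```

A payload that only carries a "home" email, or lacks name.familyName, is reported as missing the corresponding required path, which is the kind of record that later shows up as a failure in the provisioning logs.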

3.6 Turn on Automatic User Provisioning

  • Return to the 'Provisioning' section of the Enterprise Application, and select Start provisioning.

  • At this point, the AAD Auto User Provisioning is configured. After about 15 minutes, you will find your users and groups successfully provisioned to the MyCompliance portal.

4 Sync Information

4.1 User and Group Mappings

Within the 'Enterprise Application', customers can map the values of different AAD attributes to the attribute values the SCIM API expects. The essential attributes are discussed in more detail in the SCIM API Design document.

It is recommended to keep the mappings at their defaults, but they can be altered to meet the customer's needs. An example might be where the 'Department' attribute is not populated correctly in AAD, and the customer would like the AAD 'City' value to populate the Department value in MetaCompliance.

  • Within the Enterprise App, select Provisioning on the left-hand side, and expand Mappings.

4.2 Dynamic Groups

Although most organisations will have a valid group structure to add to the MyCompliance Enterprise App, it is important to note the power of dynamic groups.

AAD allows you to create complex attribute-based rules that give groups a dynamic membership. Dynamic group membership reduces the administrative overhead of adding and removing users, subject to the tenant having the required licensing.
More info here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership

4.3 Sync Schedule

When the Provisioning status is enabled, the service starts the initial synchronisation cycle for all users and groups defined in the Scope. The initial cycle takes longer than subsequent cycles, which occur approximately every 40 minutes (assuming the Azure AD provisioning service is running).

4.4 Sync Time Estimations

Scope configuration                      Users, groups, and members in scope   Initial cycle time      Incremental cycle time
Sync assigned users and groups only      < 1,000                               < 30 minutes            < 30 minutes
Sync assigned users and groups only      1,000 - 10,000                        142 - 708 minutes       < 30 minutes
Sync assigned users and groups only      10,000 - 100,000                      1,170 - 2,340 minutes   < 30 minutes
Sync all users and groups in Azure AD    < 1,000                               < 30 minutes            < 30 minutes
Sync all users and groups in Azure AD    1,000 - 10,000                        < 30 - 120 minutes      < 30 minutes
Sync all users and groups in Azure AD    10,000 - 100,000                      713 - 1,425 minutes     < 30 minutes
Sync all users in Azure AD               < 1,000                               < 30 minutes            < 30 minutes
Sync all users in Azure AD               1,000 - 10,000                        43 - 86 minutes         < 30 minutes

More info here: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user#how-long-will-it-take-to-provision-users

4.5 View Next Sync Run

Expand View provisioning details to check the timestamp of the last completed cycle; add 40 minutes to this time to determine when the next sync will trigger.

4.6 View Audit Logs

Any user or group objects that cannot be validated will fail to provision; for more information on why, check the audit logs.

Further troubleshooting can be found here: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem

4.7 View Provisioning Logs

For more information on which users and groups were successfully created in the MyCompliance portal, select Provisioning Logs (Preview) in Azure Active Directory under the 'Monitoring' section.

More info here: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-provisioning-logs?context=azure/active-directory/manage-apps/context/manage-apps-context
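As an added example (not part of this article or of any MetaCompliance tooling), the following reconciles the users assigned in 3.3 against one cycle of the provisioning log referred to in 4.6 and 4.7: it lists assigned identities that were not successfully created or updated, each failure with its error code, and any disable/delete actions that removed access in the target application. The data is constructed, identities are keyed by display name for readability, and the log field names are assumed to follow the Microsoft Graph provisioningObjectSummary shape; check them against the export or Graph response you actually receive.

```python
# Constructed data: the users assigned to the Enterprise Application in
# section 3.3 (identified here by display name) and provisioning log entries
# shaped like the Microsoft Graph provisioningObjectSummary resource (assumed
# field names; check them against the export or Graph response you receive).
ASSIGNED = {"Jane Doe", "John Roe", "Ann Lee"}

PROVISIONING_LOG = [
    {"cycleId": "c1", "provisioningAction": "create",
     "sourceIdentity": {"displayName": "Jane Doe"},
     "provisioningStatusInfo": {"status": "success"}},
    {"cycleId": "c1", "provisioningAction": "create",
     "sourceIdentity": {"displayName": "John Roe"},
     "provisioningStatusInfo": {"status": "failure",
                                "errorInformation": {"errorCode": "InvalidAttribute"}}},
    {"cycleId": "c1", "provisioningAction": "disable",
     "sourceIdentity": {"displayName": "Old Contractor"},
     "provisioningStatusInfo": {"status": "success"}},
    {"cycleId": "c1", "provisioningAction": "other",
     "sourceIdentity": {"displayName": "Ann Lee"},
     "provisioningStatusInfo": {"status": "skipped"}},
]


def reconcile(assigned, log, cycle_id):
    """Compare the assigned scope with one cycle's provisioning log.

    Returns the assigned identities with no successful create/update in
    that cycle (failed, skipped or not yet processed), each failure with
    its error code, and successful disable/delete actions, which deserve a
    second look because a scope or group change silently removes access.
    """
    provisioned, failures, removals = set(), [], []
    for e in log:
        if e.get("cycleId") != cycle_id:
            continue
        who = e.get("sourceIdentity", {}).get("displayName", "?")
        action = e.get("provisioningAction")
        info = e.get("provisioningStatusInfo", {})
        status = info.get("status")
        if status == "success" and action in ("create", "update"):
            provisioned.add(who)
        elif status == "failure":
            code = (info.get("errorInformation") or {}).get("errorCode", "unknown")
            failures.append((who, code))
        if status == "success" and action in ("disable", "delete"):
            removals.append(who)
    return {"not_provisioned": sorted(set(assigned) - provisioned),
            "failures": failures, "removals": removals}
```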

5 Single Sign-On

5.1 Adding Single Sign-On

Upon successful completion of a user sync, you must then facilitate the logon process by permitting SSO for your users.

There are two methods of adding this functionality: (a) 'Application Consent' and (b) via the Microsoft App Gallery.

Both methods ultimately result in the registration of the MyCompliance app within the 'App Registrations' section of your Azure AD tenancy.

5.2 Method 1 – Application Consent

Once your technical representative has enabled SSO on your MyCompliance tenant, an Azure Global Administrator (whose own account has been successfully synced) can log in to MyCompliance (https://cloud.metacompliance.com) and simply accept the Application Consent Form on behalf of their organisation (see screenshot below).

This will register the MyCompliance SSO app within their Azure tenancy. Once the consent form has been accepted, users will no longer see this prompt.

[Screenshot: the Application Consent Form shown on first login]

5.3 Method 2 – Microsoft App Gallery

SSO can be enabled by registering the MyCompliance application within your Azure AD tenancy. Following the below path, you can search for MyCompliance and register the application.

  • Azure AD > Enterprise Applications > New application > Add from the gallery > Search for MyCompliance (See below)

[Screenshot: searching for MyCompliance in the Azure AD application gallery]

  • Select the MyCompliance Application, followed by clicking on Add. Your users should now be able to log in to MyCompliance.

6 Notes

  • For any current customers looking to migrate to Azure AD Auto User Provisioning, please contact your Account Manager or your MetaCompliance technical representative.
  • You can also contact Support at any time for further information: support@metacompliance.com.