How to enable Microsoft Entra Automated User Provisioning with SCIM for Azion

Enabling Automated User Provisioning streamlines identity and access management by automatically creating, updating, and deleting user accounts across applications based on changes in Microsoft Entra ID. These changes are reflected on Azion’s platform users and teams, once the feature is enabled. The automation uses the SCIM protocol, making the provisioning process both scalable and secure.

It reduces manual work and enhances security and compliance, ensuring users have appropriate access to the resources as needed.

This guide will cover how to enable Microsoft Entra Automated User Provisioning for Azion’s platform with SCIM (System for Cross-domain Identity Management).

Activating SCIM protocol usage

1. Go to your preferred API development and testing tool. For example, Postman or Swagger.
2. Run the following GET request, replacing [Token value] with your Azion personal token, to obtain the current status of your IdP and its identifier on Azion.

curl --location 'https://api.azionapi.net/iam/identity_providers' \
--header 'Accept: application/json' \
--header 'Authorization: Token [Token value]'

3. You’ll receive a response similar to this:

{
  "name": "Microsoft Entra IdP",
"is_active": true,
"protocol": "SAML",
  "uuid": "1234abc4567",
  "login_url": "https://api.azion.com/v4/users/scim/<idp_uuid>/login",
"scim_integration": false,
"scim_url": null
}

• is_active is a boolean confirming if the idP is active and uuid is the IdP identifier on Azion.
• Copy the uuid to use it in the next steps.

4. Run the following GET request, replacing [Token value] with your Azion personal token and the uuid with the identifier you got in the previous steps, to obtain more information about the IdP integration on Azion.

curl --location 'https://api.azionapi.net/iam/identity_providers/saml2/<uuid>' \
--header 'Accept: application/json' \
--header 'Authorization: Token [Token value]'

5. You’ll receive a response similar to this:

{
 "uuid": "1234abc4567",
  "name": "Microsoft Entra IdP",
"is_active": true,
 "sign_in_url": "https://login.microsoftonline/123abc/saml2",
 "entity_id_url": "https://sts.windows.net/123abc/saml2",
  "login_url": "https://sso.azion.com/api/saml2v4/users/scim/<idp_uuid>/login",
  "acs_url": "https://sso.azion.com/api/saml2v4/users/scim/<idp_uuid>/login",
"signature_algorithm": "sha-256",
"scim_integration": false,
"scim_url": null
}

• scim_integration refers to the current status of the SCIM protocol activation. In this case, false indicates that the protocol isn’t active yet to work with the IdP.

6. Run the following PATCH request, replacing [Token value] with your Azion personal token and the uuid with the identifier you got in the previous steps, to update the status of your IdP SCIM integration.

curl --location 'https://api.azionapi.net/iam/identity_providers/saml2/<uuid>' \
--header 'Accept: application/json' \
--header 'Authorization: Token [Token value]'
--data '{
    "scim_integration": true
}'

7. You’ll receive a response similar to this:

{
 "uuid": "1234abc4567",
  "name": "Microsoft Entra IdP",
"is_active": true,
 "sign_in_url": "https://login.microsoftonline/123abc/saml2",
 "entity_id_url": "https://sts.windows.net/123abc/saml2",
  "login_url": "https://sso.azion.com/api/saml2v4/users/scim/<idp_uuid>/login",
  "acs_url": "https://sso.azion.com/api/saml2v4/users/scim/<idp_uuid>/login",
"signature_algorithm": "sha-256",
"scim_integration": true,
  "scim_url": "https://api.azion.com/v4/users/scim/<idp_uuid>/Users"
}

Enabling Provisioning

1. Access Microsoft Entra admin center.
2. Select the card of the record you created to use Microsoft Entra as IdP for Azion.
3. In the left menu, Provisioning in the Manage section.
4. In the Provisioning mode field, select Automatic.
5. In the Admin Credentials section:
   • In the Tenant URL, copy the link in the “scim_url” field you get in the previous step.
   • In Secret Token, enter an Account Owner personal token or a token for a user with SCIM protocol integration permissions.
6. Click Test Connection to test if it’s working. You’ll receive a message indicating the test was successful.
7. Click the Save button.

Now, you must map the users and groups you want to provision across the accounts, as explained in the following section.

Mapping users

Still in the Provisioning configuration page:

1. Open the Mappings sections.
2. Select the “Provision Microsoft Entra ID Users”.
3. In Attribute Mappings, just leave the following fields: userName, active, namegivenName, and name.familyName.
4. Delete the rest of the attributes.

5. Guarantee the Enable switch is on the Yes option.
6. Click Save.

Mapping groups

Still in the Provisioning configuration page:

1. Open the Mappings sections.
2. Select the “Provision Microsoft Entra ID Groups”.
3. Guarantee the Enable switch is on the Yes option.
4. Click Save.

Provisioning users between Microsoft Entra and Azion

Once you’ve created your provisioning configuration and mapped users and groups, you can start the provisioning process. To do so:

1. Access Microsoft Entra admin center.
2. Select the card of the record you created to use Microsoft Entra as IdP for Azion.
3. Select the Overview option in the menu.

In this section, you can check the provision details about the default settings for provisioning. In this case, Microsoft Entra has a fixed interval of 40 minutes to execute a new provisioning cycle.

Manually provisioning users

Alternatively, you can execute a manual provisioning, if necessary. To manually execute it, still in the Provisioning configuration page:

1. Go to the Provision on demand option in the left menu.
2. Select the user or group you want to provision.
3. Click the Provision button.

To check if the provisioning was successful:

1. Access Real-Time Manager (RTM).
2. On the upper-right corner of the page, select the avatar menu. This is the Account menu.
3. Select the Users Management to check if your user list has been updated.