This document provides information on how to integrate the Cloud Security platform with Azure AD, so that administrators can provision, query, and manage platform users automatically via SCIM 2.0 integration, avoiding manual processes, scaling identity governance, and ensuring compliance with security best practices.
- This guide details the step-by-step configuration using Microsoft Entra ID (Azure AD). Since Cloud Security is compatible with the SCIM 2.0 protocol, you can use other providers, such as Okta or GCP. If you use another provider, the target attributes listed in the mapping step are the standard required by our API. However, the interface navigation, source attributes, and expression syntax vary according to the rules of the chosen provider.
- Users provisioned via SCIM will be created in the Cloud Security platform using the same email address registered in Azure AD.
Requirements
- A service account with the SCIM Management role configured in Cloud Security. More information in How to create a service account.
- The Client ID and Client Secret generated for this service account.
- Administrator access to your Microsoft Entra ID (Azure AD) portal.
Step 1: Create an enterprise application
The first step is to create an enterprise application in Azure AD. This application will act as the bridge between your Azure directory and Cloud Security.
- Access the Azure platform.
- Login to your Azure account.
- Locate the Microsoft Entra ID service.
- In the side menu, select Enterprise applications.
- On the Enterprise applications screen, in the side menu, select Manage > All applications.
- Click New application.
- Click Create your own application.
- Enter a name for your application and select Integrate any other application you don’t find in the gallery (Non-gallery).
- Click Create.
Step 2: Configure the provisioning credentials
In order for Azure AD to send user data to Cloud Security, you must establish a secure connection. In this step, you will use the access key generated for your service account to authenticate the integration.
- In your enterprise application, in the side menu, select Manage > Provisioning.
- On the Provisioning screen, in the Provisioning Mode field, select Automatic.
- In the Admin Credentials tab, complete the following fields:
- Authentication Method: select OAuth2 Client Credentials Grant.
- Tenant URL *: enter the platform’s SCIM base URL. Example:
https://<your-tenant>/scim/v2. - Token Endpoint *: enter the Cloud Security token endpoint. Example:
https://<your-tenant>/realms/zarya/protocol/openid-connect/token. - Client Identifier *: enter the Client ID obtained from the service account access key.
- Client Secret *: enter the Client Secret obtained from the service account access key.
Info
For security reasons, the Client Secret is displayed only once during the service account access key creation. If you did not save it, you must generate a new access key in the Cloud Security platform. More information in How to create a service account.
- Click Test Connection to validate the connection with Cloud Security. Azure sends a request to the platform to validate the credentials and the token endpoint.
- Upon a successful test, click Save at the top of the screen to display the Mappings section.
- In the Mappings section, click Provision Microsoft Entra ID Groups and toggle the Enabled switch to No.
- Click Save.
Step 3: Configure the attribute mapping
By default, Azure AD maps some attributes that are not required by Cloud Security. See the following steps to configure the attribute list:
- In your enterprise application, in the side menu, select Manage > Attribute mapping.
- On the Attribute mapping screen, click Provision Microsoft Entra ID Users.
- In the Attribute Mapping table, delete the following attributes:
title.emails[type eq "work"].value.name.formatted.- All
addressesandphoneNumbersattributes. - All attributes starting with
urn:.
- Edit the
externalIdattribute:- Source attribute: enter
objectId. - Click Ok.
- Source attribute: enter
- Select the Show advanced options checkbox and click Edit attribute list for customappsso.
- In the new window, create a new target attribute to receive the platform roles:
- Name: enter
roles. - Type: select
String. - Multi-Value?: select the checkbox.
- Click Save and confirm the changes.
- Name: enter
- In the Attribute Mappings table, ensure your configuration matches exactly with the table below. Edit existing attributes or click Add new mapping as needed:
| Mapping type | Source attribute | Target attribute |
|---|---|---|
| Direct | userPrincipalName |
userName |
| Expression | Switch([isSoftDeleted], , "False", "True", "True", "False") |
active |
| Direct | displayName |
displayName |
| Direct | preferredLanguage |
preferredLanguage |
| Direct | givenName |
name.givenName |
| Direct | surname |
name.familyName |
| Direct | objectId |
externalId |
| Expression | AssertiveAppRoleAssignmentsComplex([appRoleAssignments]) |
roles |
- Click Save at the top of the screen and return to the main provisioning menu.
Step 4: Create and assign roles
To ensure users receive the correct permissions, you must replicate the Cloud Security roles within your Azure application. Once created, you will assign these roles to the users or groups you want to provision.
- On the App registrations screen, open the application created under the same name as your enterprise application and select Manage > App roles.
- Click Create app role.
- On the Create app role screen, complete the following fields:
- Display name *: enter a name for the role. Example:
[Cloud Entitlements] Tenant Administrator. - Allowed member types *: select the User/Groups option.
- Value *: enter the same role name as registered in the Cloud Security platform. Example:
Platform.Tenant.Admin.AttentionThe Value * field must exactly match the internal role name registered in Cloud Security. If the values don’t match, the synchronization will fail to assign the correct permissions to the user.
- Description *: enter a brief description for the role.
- Display name *: enter a name for the role. Example:
- Click Apply.
- In your enterprise application, in the side menu, select Manage > Users and groups.
- Click Add user/group.
- On the Add Assignment screen, complete the following fields:
- Users: select the users you want to provision.
- Select a role *: select the roles you want to apply to the users provisioned.
- Click Assign.
Step 5: Start the provisioning process
With the connection authenticated and attributes mapped, the synchronization process will begin based on Azure's schedule or you can force it manually in the Provision on demand page. You can check the integration results by accessing the Users report in Cloud Security and verifying if the assigned Azure AD users have been provisioned.
Large-scale user synchronization can lead to slow processing and increased machine resource usage. We recommend conducting provisioning in smaller, more manageable batches to minimize performance impact.