Documentation Index

Fetch the complete documentation index at: https://docs.senhasegura.io/llms.txt

Use this file to discover all available pages before exploring further.

How to set up SCIM provisioning with Azure AD

Prev Next

This document provides information on how to integrate the Cloud Security platform with Azure AD, so that administrators can provision, query, and manage platform users automatically via SCIM 2.0 integration, avoiding manual processes, scaling identity governance, and ensuring compliance with security best practices.

Info
  • This guide details the step-by-step configuration using Microsoft Entra ID (Azure AD). Since Cloud Security is compatible with the SCIM 2.0 protocol, you can use other providers, such as Okta or GCP. If you use another provider, the target attributes listed in the mapping step are the standard required by our API. However, the interface navigation, source attributes, and expression syntax vary according to the rules of the chosen provider.
  • Users provisioned via SCIM will be created in the Cloud Security platform using the same email address registered in Azure AD.

Requirements

  • A service account with the SCIM Management role configured in Cloud Security. More information in How to create a service account.
  • The Client ID and Client Secret generated for this service account.
  • Administrator access to your Microsoft Entra ID (Azure AD) portal.

Step 1: Create an enterprise application

The first step is to create an enterprise application in Azure AD. This application will act as the bridge between your Azure directory and Cloud Security.

  1. Access the Azure platform.
  2. Login to your Azure account.
  3. Locate the Microsoft Entra ID service.
  4. In the side menu, select Enterprise applications.
  5. On the Enterprise applications screen, in the side menu, select Manage > All applications.
  6. Click New application.
  7. Click Create your own application.
  8. Enter a name for your application and select Integrate any other application you don’t find in the gallery (Non-gallery).
  9. Click Create.

Step 2: Configure the provisioning credentials

In order for Azure AD to send user data to Cloud Security, you must establish a secure connection. In this step, you will use the access key generated for your service account to authenticate the integration.

  1. In your enterprise application, in the side menu, select Manage > Provisioning.
  2. On the Provisioning screen, in the Provisioning Mode field, select Automatic.
  3. In the Admin Credentials tab, complete the following fields:
    1. Authentication Method: select OAuth2 Client Credentials Grant.
    2. Tenant URL *: enter the platform’s SCIM base URL. Example: https://<your-tenant>/scim/v2.
    3. Token Endpoint *: enter the Cloud Security token endpoint. Example: https://<your-tenant>/realms/zarya/protocol/openid-connect/token.
    4. Client Identifier *: enter the Client ID obtained from the service account access key.
    5. Client Secret *: enter the Client Secret obtained from the service account access key.
      Info

      For security reasons, the Client Secret is displayed only once during the service account access key creation. If you did not save it, you must generate a new access key in the Cloud Security platform. More information in How to create a service account.

  4. Click Test Connection to validate the connection with Cloud Security. Azure sends a request to the platform to validate the credentials and the token endpoint.
  5. Upon a successful test, click Save at the top of the screen to display the Mappings section.
  6. In the Mappings section, click Provision Microsoft Entra ID Groups and toggle the Enabled switch to No.
  7. Click Save.

Step 3: Configure the attribute mapping

By default, Azure AD maps some attributes that are not required by Cloud Security. See the following steps to configure the attribute list:

  1. In your enterprise application, in the side menu, select Manage > Attribute mapping.
  2. On the Attribute mapping screen, click Provision Microsoft Entra ID Users.
  3. In the Attribute Mapping table, delete the following attributes:
    1. title.
    2. emails[type eq "work"].value.
    3. name.formatted.
    4. All addresses and phoneNumbers attributes.
    5. All attributes starting with urn:.
  4. Edit the externalId attribute:
    1. Source attribute: enter objectId.
    2. Click Ok.
  5. Select the Show advanced options checkbox and click Edit attribute list for customappsso.
  6. In the new window, create a new target attribute to receive the platform roles:
    1. Name: enter roles.
    2. Type: select String.
    3. Multi-Value?: select the checkbox.
    4. Click Save and confirm the changes.
  7. In the Attribute Mappings table, ensure your configuration matches exactly with the table below. Edit existing attributes or click Add new mapping as needed:
Mapping type Source attribute Target attribute
Direct userPrincipalName userName
Expression Switch([isSoftDeleted], , "False", "True", "True", "False") active
Direct displayName displayName
Direct preferredLanguage preferredLanguage
Direct givenName name.givenName
Direct surname name.familyName
Direct objectId externalId
Expression AssertiveAppRoleAssignmentsComplex([appRoleAssignments]) roles
  1. Click Save at the top of the screen and return to the main provisioning menu.

Step 4: Create and assign roles

To ensure users receive the correct permissions, you must replicate the Cloud Security roles within your Azure application. Once created, you will assign these roles to the users or groups you want to provision.

  1. On the App registrations screen, open the application created under the same name as your enterprise application and select Manage > App roles.
  2. Click Create app role.
  3. On the Create app role screen, complete the following fields:
    1. Display name *: enter a name for the role. Example: [Cloud Entitlements] Tenant Administrator.
    2. Allowed member types *: select the User/Groups option.
    3. Value *: enter the same role name as registered in the Cloud Security platform. Example: Platform.Tenant.Admin.
      Attention

      The Value * field must exactly match the internal role name registered in Cloud Security. If the values don’t match, the synchronization will fail to assign the correct permissions to the user.

    4. Description *: enter a brief description for the role.
  4. Click Apply.
  5. In your enterprise application, in the side menu, select Manage > Users and groups.
  6. Click Add user/group.
  7. On the Add Assignment screen, complete the following fields:
    1. Users: select the users you want to provision.
    2. Select a role *: select the roles you want to apply to the users provisioned.
  8. Click Assign.

Step 5: Start the provisioning process

With the connection authenticated and attributes mapped, the synchronization process will begin based on Azure's schedule or you can force it manually in the Provision on demand page. You can check the integration results by accessing the Users report in Cloud Security and verifying if the assigned Azure AD users have been provisioned.

Attention

Large-scale user synchronization can lead to slow processing and increased machine resource usage. We recommend conducting provisioning in smaller, more manageable batches to minimize performance impact.