
Configure automatic user and group provisioning with Entra ID via SCIM

This article describes how to configure automatic user and group provisioning with your Entra ID tenant via SCIM.

Written by Cerby Team
Updated over 2 weeks ago

With Cerby, you can configure automatic provisioning with Entra ID (formerly Azure AD) using the System for Cross-domain Identity Management (SCIM) specification to manage the creation and synchronization of user accounts and teams based on user and group assignments.

This article describes how to configure both the Cerby enterprise application and Entra ID. When configured, Entra ID automatically provisions and deprovisions users and groups to Cerby using the Entra ID provisioning service. For more information on what this service does, how it works, and frequently asked questions, read the article What is app provisioning in Microsoft Entra ID?


Supported features

The following are the supported features of automatic user and group provisioning with Entra ID:

  • Push users: Users assigned to the Cerby enterprise application in Entra ID are automatically given access to the Cerby clients (web app, mobile app, and browser extension) and become available to other users in Cerby for account sharing.

  • Push groups: Groups assigned to the Cerby enterprise application in Entra ID are pushed to Cerby, where each group and its membership is replicated as a team.

  • Remove users in Cerby when they no longer require access.

  • Keep user attributes synced between Entra ID and Cerby.

  • Disable or delete users: Disabled or deleted users in Entra ID are automatically detected in Cerby, and their associated access grants in Cerby are removed. In some cases, additional follow-up actions, like password rotation, may occur in Cerby for privileged identities to which the deprovisioned user had access grants.

  • Reactivate users: Reactivated users in Entra ID will reappear as valid users in Cerby; however, account access grants must be reassigned in Cerby.


Requirements

The following are the requirements to configure automatic user and group provisioning with Entra ID:

IMPORTANT: Make sure your Entra ID plan includes the automated group provisioning to apps feature (Microsoft Entra ID P1 or P2 license).


Configure automatic provisioning with Entra ID

To configure automatic user and group provisioning with Entra ID, you must complete the following main steps:

The following sections describe each main step.

1. Plan your provisioning deployment

To plan your provisioning deployment with Entra ID, you must complete the following steps:

  1. Learn about how the provisioning service works. For more information, read the article What is app provisioning in Microsoft Entra ID?

  2. Determine who will be in scope for provisioning. For more information, read the article Scoping users or groups to be provisioned with scoping filters.

  3. Determine what data to map between Entra ID and Cerby. For more information, read the article Tutorial - Customize user provisioning attribute-mappings for SaaS applications in Microsoft Entra ID.

2. Configure Cerby to support provisioning with Entra ID

Cerby enables provisioning support for Entra ID by default. Follow the instructions in the article Retrieve the SCIM API authentication token from Cerby to copy the SCIM API authentication token. Treat this token as a secret: Entra ID presents it as a bearer credential on every SCIM request, so anyone who holds it can create, update, and deactivate users in your Cerby workspace. Paste it only into the Entra ID provisioning configuration and do not store it anywhere else.

3. Add Cerby from the Entra ID application gallery

You must add the Cerby enterprise application from the Entra ID application gallery to manage provisioning to Cerby.

You can use the same application if you have previously set up Cerby for SSO. However, we recommend you create a separate app when initially testing the integration. For more information about adding an application from the gallery, read the article Quickstart: Add an enterprise application.

4. Define the scope for provisioning

The Entra ID provisioning service enables you to scope who will be provisioned based on assignment to the Cerby enterprise application, based on user and group attributes, or both.

The following are some recommendations when defining the scope:

5. Configure automatic user and group provisioning to Cerby

To configure automatic user and group provisioning to Cerby, you must complete the following steps:

  1. Log in to your Microsoft Azure account.

  2. Select your Cerby enterprise application by performing the following actions:

    1. Click the Menu icon at the top left of the page. A drop-down menu is displayed.

    2. Select the Microsoft Entra ID option from the drop-down menu. The Overview page is displayed.

    3. Select the Enterprise applications option from the left navigation drawer. The All applications page is displayed.

    4. Select the Cerby option from the list of enterprise applications. The Overview page of your Cerby application is displayed.

  3. Configure automatic provisioning by performing the following actions:

    1. Select the Provisioning option from the Manage section of the left navigation drawer, as shown in Figure 1. The Get started with application provisioning page of the Cerby enterprise application is displayed with an empty state for provisioning.

      Figure 1. Overview page of the Cerby application in Entra ID

    2. Click the Get started button in the top menu. The New provisioning configuration page is displayed.

    3. In the Admin Credentials section, enter the Cerby SCIM endpoint URL in the Tenant URL field and the SCIM API authentication token that you copied in step 2 in the Secret Token field.

    4. Click the Test Connection button to validate the admin credentials by connecting to the SCIM endpoint. A success message box is displayed.

      NOTE: If the connection fails, ensure your Cerby account has the workspace Admin, Owner, or Super Admin role and try again.

    5. Click the Save button located at the top left of the page. The Overview page is displayed with information about the provisioning configuration.

  4. Click the Attribute mapping (Preview) option in the left navigation menu under the Manage section. The Attribute mapping (Preview) page is displayed.

  5. Review the user attributes that are synced between Entra ID and Cerby by performing the following actions:

    1. Click the Provision Microsoft Entra ID Users button. The Attribute Mapping page is displayed.

    2. Select the Yes option from the Enabled switch.

    3. Verify that the attributes and information from Table 1 are configured correctly in the Attribute Mappings section.

      NOTE: The attributes selected as Matching precedence properties are used to match the user accounts in Cerby for update operations. If you change the matching target attribute, you must ensure that the Cerby API supports filtering users based on that attribute. For more information, read the article Tutorial - Customize user provisioning attribute-mappings for SaaS applications in Microsoft Entra ID.

    4. Click the Save button. The Attribute Mapping page closes, and a success message box is displayed.

  6. Enable group provisioning from Entra ID to Cerby by performing the following actions:

    1. Click the Provision Microsoft Entra ID Groups button. The Attribute Mapping page is displayed.

    2. Select the Yes option from the Enabled switch.

    3. Verify that the attributes and information from Table 2 are configured correctly in the Attribute Mappings section.

    4. Click the Save button. The Attribute Mapping (Preview) page is displayed again, and a success message box is displayed.

  7. Configure the email address for notifications and the scope in the Settings section by performing the following actions:

    1. Select the Properties tab on the page. The Basics page is displayed.

    2. Click the Edit option. The Basics side panel is displayed.

    3. Enter the email address of the person or group who must receive the provisioning error notifications in the Notification Email field.

    4. Select the option from the Scope drop-down list that corresponds to the scoping that you defined in step 4. Define the scope for provisioning.

      NOTE: For more information on how to configure scoping filters, read the article Scoping users or groups to be provisioned with scoping filters.

    5. Click the Apply button to save the configuration.

  8. Click the Start provisioning button.

NOTE: This configuration starts the initial sync cycle of all users and groups defined in the Scope drop-down list from the Settings section. The initial cycle takes longer to complete than the next cycles, which occur approximately every 40 minutes, as long as the Entra ID provisioning service is running. Any group assigned to the Cerby application in Entra ID is pushed automatically as a team in the corresponding Cerby workspace.

The next step is 6. Monitor your deployment.

6. Monitor your deployment

Monitor your deployment by using the following resources:

Now you are done.


Table 1. User attribute mappings in Entra ID

The following table shows the user attribute mappings you must configure in Entra ID as part of step 5. Configure automatic user and group provisioning to Cerby:

Cerby attribute                  Microsoft Entra ID attribute    Matching precedence
userName                         userPrincipalName               1
emails[type eq "work"].value     mail                            2
active                           Not([IsSoftDeleted])
name.givenName                   givenName
name.familyName                  surname
externalId                       objectId



Table 2. Group attribute mappings in Entra ID

The following table shows the group attribute mappings you must configure in Entra ID as part of step 5. Configure automatic user and group provisioning to Cerby:

Cerby attribute                  Microsoft Entra ID attribute    Matching precedence
displayName                      displayName                     1
members                          members
externalId                       objectId
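The following Python is an added example and not code from Cerby or Microsoft. It applies the mapping tables above to constructed sample Entra ID records to show what the Entra ID provisioning service actually sends to a SCIM endpoint: the SCIM 2.0 User and Group resource bodies, and the filter it uses, in matching-precedence order, to look for an existing user before creating one. The TargetStore class is a hypothetical in-memory stand-in for the Cerby SCIM endpoint that models only the disable and reactivate behaviour described under Supported features (access grants revoked on deactivation and not restored on reactivation); it is not Cerby's implementation, and the sample records and identifiers are made up.

```python
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

USER_MAPPINGS = [  # (Cerby SCIM attribute path, Entra ID source attribute or expression, matching precedence), Table 1
    ("userName", "userPrincipalName", 1),
    ('emails[type eq "work"].value', "mail", 2),
    ("active", "Not([IsSoftDeleted])", None),
    ("name.givenName", "givenName", None),
    ("name.familyName", "surname", None),
    ("externalId", "objectId", None),
]
GROUP_MAPPINGS = [  # same layout, Table 2
    ("displayName", "displayName", 1),
    ("members", "members", None),
    ("externalId", "objectId", None),
]

_NOT_EXPR = re.compile(r"Not\(\[(\w+)\]\)")
_FILTER_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]+)"\]\.(\w+)$')

def evaluate_source(expr, record):
    """Resolve the Entra ID side of a mapping: a bare attribute, or the Not([...]) expression from Table 1."""
    m = _NOT_EXPR.fullmatch(expr)
    if m:  # a missing IsSoftDeleted counts as False, so the user is active
        return not bool(record.get(m.group(1), False))
    return record.get(expr)

def set_scim_path(resource, path, value):
    """Write value at a SCIM path such as name.givenName or emails[type eq "work"].value."""
    m = _FILTER_PATH.match(path)
    if m:  # multi-valued attribute selected by a sub-attribute filter
        attr, key, key_value, sub = m.groups()
        resource.setdefault(attr, []).append({key: key_value, sub: value})
        return
    *parents, leaf = path.split(".")
    node = resource
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value

def get_scim_path(resource, path):
    """Read the value at a SCIM path, or None when it is absent."""
    m = _FILTER_PATH.match(path)
    if m:
        attr, key, key_value, sub = m.groups()
        return next((e.get(sub) for e in resource.get(attr, []) if e.get(key) == key_value), None)
    node = resource
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def build_resource(mappings, schema, record):
    """Apply a mapping table to an Entra ID record and return the SCIM resource body."""
    resource = {"schemas": [schema]}
    for path, source, _ in mappings:
        value = evaluate_source(source, record)
        if value is None:
            continue
        if path == "members":  # SCIM group members are a multi-valued complex attribute
            value = [{"value": member_id} for member_id in value]
        set_scim_path(resource, path, value)
    return resource

def matching_keys(mappings, record):
    """(path, value) lookups in precedence order; the next one is tried only when the previous finds nothing."""
    ranked = sorted((m for m in mappings if m[2] is not None), key=lambda m: m[2])
    pairs = [(path, evaluate_source(source, record)) for path, source, _ in ranked]
    return [(path, value) for path, value in pairs if value is not None]

def scim_filter(path, value):
    """The filter string sent to the SCIM endpoint; values are JSON-style strings (RFC 7644, 3.4.2.2)."""
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'{path} eq "{escaped}"'

class TargetStore:
    """Hypothetical stand-in for the SCIM service provider: users plus the account access grants each one holds."""

    def __init__(self):
        self.users = {}   # SCIM id -> resource
        self.grants = {}  # SCIM id -> set of shared account names

    def find(self, keys):
        for path, value in keys:
            for uid, resource in self.users.items():
                if get_scim_path(resource, path) == value:
                    return uid
        return None

    def provision_user(self, entra_user):
        resource = build_resource(USER_MAPPINGS, USER_SCHEMA, entra_user)
        uid = self.find(matching_keys(USER_MAPPINGS, entra_user))
        if uid is None:                 # no match on any precedence attribute: create
            uid = f"u{len(self.users) + 1}"
            self.grants[uid] = set()
        self.users[uid] = resource      # match: update the synced attributes
        if not resource["active"]:      # disabled or soft-deleted in Entra ID: revoke grants;
            self.grants[uid].clear()    # reactivating later does not bring them back
        return uid
```

The matching precedence is what keeps a renamed user from turning into a duplicate: when a userPrincipalName changes, the precedence 1 lookup finds nothing and the service falls back to the work email, so the existing user is updated in place. It is also why the note in step 5 says a changed matching attribute must be one the Cerby API can filter on.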
