Skip to main content

Configuring SCIM User Provisioning with Microsoft Entra ID for AskNicely

Jomar
  • Updated

Looking for SAML for Single Sign-On with Microsoft Entra? Click here

This guide provides step-by-step instructions to set up System for Cross-domain Identity Management (SCIM) provisioning between Microsoft Entra ID (formerly Azure Active Directory) and AskNicely. SCIM allows for automatic user provisioning and de-provisioning, streamlining your user management process.

You can choose between two provisioning options:

  1. Users provisioned automatically, but roles set manually within AskNicely
  2. Users provisioned automatically, including location-based data access

Additionally, we'll explain how to configure SCIM alongside SAML SSO, ensuring that SAML does not overwrite configurations set by SCIM.

Prerequisites

  • AskNicely Administrator Account: Ensure you have admin access to your AskNicely account.
  • Microsoft Entra ID Administrator Account: You need permissions to configure enterprise applications.
  • Active SAML SSO Configuration: SCIM provisioning requires SAML SSO to be set up between Microsoft Entra ID and AskNicely. If you haven't configured SAML SSO yet, please refer to our SAML SSO Setup Guide before proceeding.

Section 1: Configure SCIM Provisioning

The initial steps for setting up SCIM provisioning are common to both user provisioning options.

Step 1: Add AskNicely Application in Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center with your admin credentials.
  2. Navigate to Azure Active Directory > Enterprise applications.
  3. Click on New application.
  4. Search for AskNicely in the gallery. If it's not available:
    • Select Create your own application.
    • Enter the name AskNicely.
    • Choose Integrate any other application you don't find in the gallery (Non-gallery).
    • Click Create.

Step 2: Configure Provisioning in Microsoft Entra ID

  1. In the AskNicely application overview, select Provisioning from the left menu.
  2. Click on Get Started if prompted.

Step 3: Set Provisioning Mode to Automatic

  1. In the Provisioning Mode dropdown, select Automatic.

Step 4: Obtain SCIM Endpoint and Secret Token from AskNicely

  1. Log in to your AskNicely admin account.
  2. Navigate to Settings > Users > SCIM.
  3. Copy the Base URL and API Token. You'll need these for Microsoft Entra ID.

Step 5: Enter SCIM Connection Details in Microsoft Entra ID

  1. In Microsoft Entra ID, under Admin Credentials:
    • Tenant URL: Paste the SCIM Base URL from AskNicely.
    • Secret Token: Paste the Secret Token from AskNicely.
  2. Click Test Connection to verify the credentials.
  3. If the test is successful, click Save.

Step 6: Configure Mappings (Optional)

By default, Microsoft Entra ID maps standard attributes. If you need to map additional attributes (e.g., for location-based access), you'll configure them in the next sections.

Section 2: Option 1 - Users Provisioned Automatically, Roles Set Manually

In this setup, users are automatically created and deactivated in AskNicely based on their status in Microsoft Entra ID. However, roles and permissions are managed manually within AskNicely.

Step 1: Start Provisioning

  1. In Microsoft Entra ID, under the Provisioning tab, set Provisioning Status to On.
  2. Click Save. Provisioning will start syncing users.

Step 2: Assign Users to the AskNicely Application

  1. Navigate to Enterprise applications > AskNicely > Users and groups.
  2. Click Add user/group.
  3. Select the users or groups you want to provision to AskNicely.
  4. Click Assign.

Step 3: Monitor Provisioning Status

  1. Under the Provisioning tab, click on Provisioning Logs to monitor the status.
  2. Ensure users are being provisioned successfully.

Step 4: Set Roles Manually in AskNicely

  1. In AskNicely, go to Settings > Users.
  2. Find the newly provisioned users.
  3. Assign the appropriate roles to each user.
    • Click on the user’s name.
    • Set their role (e.g., Admin, Manager, User).
    • Save the changes.

Section 3: Option 2 - Users Provisioned Automatically with Roles and Location-Based Access

This option allows automatic provisioning of users along with their roles and location-based data access, based on attributes defined in Microsoft Entra ID.

Step 1: Extend the Schema for Custom Attributes

  1. Go to Azure Active Directory > Enterprise applications > AskNicely > Provisioning > Mappings.
  2. Click on Provision Azure Active Directory Users.

Step 2: Add Attribute Mappings

  1. Under Attribute Mappings, click on Show advanced options.
  2. Click Edit attribute list for customappsso.
  3. Add new attributes:
    • Name: role
    • Type: String
    • Multi-valued: No
    • Referenced Object Type: None
    • Attribute Required: No
    • Add Attribute.
    • Repeat for location or any other custom attribute.
  4. Click Save.

Step 4: Map Azure AD Attributes to AskNicely Attributes

  1. Back in Attribute Mappings, click Add New Mapping.
  2. Configure the mapping for Role:
    • Mapping Type: Direct
    • Source attribute: Select the Azure AD attribute (e.g., jobTitle, extensionAttribute1)
    • Target attribute: role
    • Match objects using this attribute: Unchecked
    • Apply this mapping: Always
  3. Repeat for Location attribute:
    • Source attribute: Select the appropriate Azure AD attribute.
    • Target attribute: location
  4. Click Save.

Step 5: Start Provisioning

  1. In the Provisioning tab, ensure Provisioning Status is set to On.
  2. Click Save.

Step 6: Assign Users and Define Attribute Values

  1. Go to Users and groups in the AskNicely application.
  2. Assign users or groups as before.
  3. For each user, ensure that the Azure AD attributes for Role and Location are populated:
    • Go to Azure Active Directory > Users > Select a user.
    • Edit their profile to set the Job Title or Custom Attribute used for mapping.

Step 7: Monitor Provisioning and Verify in AskNicely

  1. Check the Provisioning Logs to ensure users are provisioned without errors.
  2. In AskNicely, navigate to Settings > Users.
  3. Verify that users have the correct roles and location-based access as per the attributes.

Section 4: Configure SCIM and SAML Together

When using SCIM and SAML simultaneously, it's essential to prevent SAML from overwriting user attributes managed by SCIM.

Understanding the Interaction

  • SAML SSO: Primarily handles authentication. It can pass user attributes during login.
  • SCIM Provisioning: Manages user creation, updates, and de-provisioning, along with user attributes.

Potential Conflict

  • If both SAML and SCIM are configured to manage user attributes, SAML assertions during login can overwrite attributes set by SCIM.

Preventing Attribute Overwrite

Prioritize SCIM over SAML for Attribute Management

  • Ensure that attribute mappings in SAML are either disabled or set to not overwrite existing attributes.
  • Rely on SCIM for managing user attributes and roles.

Verifying the Configuration

  1. After making changes, perform a test login via SAML SSO with a user.
  2. Ensure that the user's role and location in AskNicely remain as set by SCIM and are not overwritten.
  3. Check the user's attributes in AskNicely to confirm they match the SCIM provisioning data.

Additional Tips

  • Consistent Attribute Usage: Ensure that the same attributes are not being managed by both SAML and SCIM unless explicitly intended.
  • Attribute Mapping Clarity: Clearly document which system (SAML or SCIM) is responsible for each user attribute.
  • Regular Monitoring: Periodically review provisioning logs and user attributes to catch any discrepancies early.
  • User De-Provisioning: SCIM will automatically deactivate users in AskNicely when they are removed or disabled in Microsoft Entra ID.

Need Assistance?

If you have any questions or require further assistance with configuring SCIM provisioning, please contact our support team at support@asknicely.com. We're here to help!

Related articles