User Provisioning with Microsoft Entra ID

Note: you must be the Microsoft (Entra ID) admin user, as well as an Application manager on Simpplr, to complete these steps.

Note that Microsoft Azure Active Directory (Azure AD) has recently been renamed Microsoft Entra ID. See this article for more information.

We'll start in our Simpplr application.

  1. From your user profile image, go to Manage > Application > Integrations > People data.

  2. Select Active Directory > Provisioning and then Save.
    (Screenshot: Entra prov 1.png)

  3. After clicking Save, you'll see an Entra link and token displayed (one time only); these need to be configured in the Entra portal. Copy them and paste them somewhere you can access later, because you will paste them again in the Entra portal.

    Note:

    If the page is refreshed or exited, this token will not be displayed again. If a new token is required, disable provisioning, then enable it again and save. This creates a new token and invalidates the old ones. In that case, don't forget to update the token in any existing Entra ID applications (Entra ID applications are explained later in this doc).


Now we're ready to navigate to the Entra portal and log in with the admin credentials (this must be the Entra ID admin user's profile).

  1. Once logged in as the admin, search for Enterprise applications in the search box and click on the result.
    (Screenshot: AWS_Azure_Provisioning_2.png)

  2. This will open the enterprise application dashboard on Azure/Entra ID. Either select an existing application or create a new one. To create a new application, follow these steps:

    1. Click New application in the top-left corner. This opens the Browse Azure AD Gallery page.

    2. Click Create your own application.

    3. Enter the name and select Integrate any other application you don't find in the gallery (Non-gallery).
      (Screenshot: Entra prov 3.png)

    4. Click Create.

    5. On successful creation, you'll see a success message on the screen.

  3. Go to the Provisioning tab.

  4. Select Get Started, then Automatic from the drop-down menu.

  5. This opens the Admin Credentials form. Paste the Entra ID link and token that you got in step 3 above from your Simpplr environment.

  6. Click Test Connection. On successful testing, you'll see a success message on screen.
    (Screenshot: AWS_Azure_provisioning_3.png)

  7. Click Save.

  8. After clicking Save, the Mappings section appears on screen.
    (Screenshot: Entra prov 4.png)

  9. Expand the mapping section and click Provision Microsoft Entra ID Users.

  10. Check that Enabled is set to Yes and that all Target Object Actions are selected (selecting all is preferred, but you can select only the events your org requires).

    1. By default, Entra ID maps userPrincipalName to the username field. To avoid duplicate profiles when SSO and SCIM are both in use, manually update this mapping to point to mail instead, as shown in the screenshot below.
      (Screenshot: Azure new mapping.jpg)

    2. Similarly, by default Entra ID maps mailNickname to externalId. Manually change the source attribute to objectId by clicking the mailNickname field shown in the screenshot below.
      (Screenshot: Entra prov 6.png)

  11. Since there is no standard mapping for Simpplr roles or mobile numbers, we'll need to add them ourselves.

  12. Adding roles:

    1. In the Azure portal, go to Microsoft Entra ID > App registrations in the left sidebar. Select your application.

    2. Click on App Roles in the left sidebar, then Create app role.

      (Screenshot: Entra prov 7.png)

    3. Roles for End User and Application manager need to be created one at a time. First, enter Application manager in Display name and application_manager in Value. Set Allowed member types to Users/Groups and enter a description such as Simpplr Application manager role. Check the Do you want to enable this app role? checkbox and click Apply.
      (Screenshot: AWS_Azure_provisioning_8.png)

    4. Repeat the previous step for End User with the following values, then click Apply:

      Display name: End User
      Value: end_user
      Description: Simpplr End user role

    5. To map these roles to your application and SCIM, from the Active Directory home page, go to Enterprise applications in the left sidebar, then select your application.

    6. Select the Provisioning tab, then click Edit provisioning.
      (Screenshot: AWS_Azure_provisioning_9.png)

    7. Expand the Mappings section and click on Provision Microsoft Entra ID Users. This will open the Attribute Mapping page.
      (Screenshot: AWS_Azure_provisioning_10.png)

    8. Scroll down to the bottom of the page and click Add New Mapping.
      (Screenshot: AWS_Azure_provisioning_17.png)

    9. In the mapping type, select Expression.

    10. Use the following values, then click Ok and then Save:
      Expression: SingleAppRoleAssignment([appRoleAssignments]) (recommended)
      Target attribute: roles[primary eq "True"].value
      (Screenshot: AWS_Azure_provisioning_11.png)

  13. Adding mobile number:

    1. Go to the Attribute Mapping page again (see step 12.7 above).

    2. Add a mapping with the following values:

      1. Mapping type: Direct

      2. Source attribute: mobile

      3. Target attribute: phoneNumbers[type eq "other"].value

    3. Click Ok and then Save.

  14. Go back to your application home page, and in the Provisioning tab, click Start Provisioning. SCIM provisioning takes approximately 30 minutes to start.

  15. To add the users, simply go to Users and Groups from your Application homepage in the left sidebar.

  16. Click on Add user/group.

  17. Click on the link below Users and groups.
    (Screenshot: AWS_Azure_provisioning_12.png)

  18. Search for the appropriate group you created in the steps above and click Select.
    (Screenshot: AWS_Azure_provisioning_13.png)

  19. Click on Select a role and select the appropriate role.
    (Screenshot: AWS_Azure_provisioning_14.png)

  20. Click Assign.

  21. To provision manually or to retry, click Provision on demand in the Provisioning page of your application, select the user and click Provision. Make sure that the user is assigned to the app and has a role; otherwise Entra ID automatically skips the user.

  22. You can check the logs in the Provisioning page of your application. To check the logs, click View Provisioning Logs.

  23. It will open the following page. Check the status to know if the user was provisioned.
    (Screenshot: AWS_Azure_provisioning_15.png)

  24. Click on any particular entry to see why it failed or was skipped.
    (Screenshot: AWS_Azure_provisioning_16.png)


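As an added example (not Simpplr's or Microsoft's code), the following Python models the attribute mappings from steps 10 to 13 and the skip rule from step 21, so you can see why the userName source matters: with a constructed user whose userPrincipalName differs from mail, the mail mapping matches the profile that SSO already created, while the default userPrincipalName mapping creates a second profile. The EntraUser fields, the profile store and the SingleAppRoleAssignment stand-in are simplified assumptions; the SCIM attribute names and the role values are the ones on this page.

```python
"""Simulate the Entra ID -> Simpplr SCIM attribute mapping from this article.

Added example (not Simpplr's or Microsoft's code). It models the mapping rules
from steps 10-13 and the skip rule from step 21 with constructed sample data:
  userName   <- mail            (instead of the default userPrincipalName)
  externalId <- objectId        (instead of the default mailNickname)
  roles[primary eq "True"].value <- SingleAppRoleAssignment(appRoleAssignments)
  phoneNumbers[type eq "other"].value <- mobile
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Role values created as app roles in step 12 (values from the article).
KNOWN_ROLES = {"application_manager", "end_user"}


@dataclass
class EntraUser:
    """Constructed stand-in for the attributes Entra exposes to provisioning."""
    objectId: str
    userPrincipalName: str
    mail: str
    mailNickname: str
    mobile: str | None
    appRoleAssignments: list[str] = field(default_factory=list)
    assigned_to_app: bool = True


def single_app_role_assignment(assignments):
    """Simplified stand-in for the SingleAppRoleAssignment expression: returns
    the one assigned role, or None; raises if more than one role is assigned."""
    if not assignments:
        return None
    if len(assignments) > 1:
        raise ValueError("more than one app role assigned; assign a single role")
    return assignments[0]


def should_skip(user):
    """Step 21: a user not assigned to the app, or without a role, is skipped."""
    if not user.assigned_to_app:
        return "skipped: user not assigned to the application"
    if not user.appRoleAssignments:
        return "skipped: user has no app role"
    return None


def build_scim_user(user, username_source="mail", external_id_source="objectId"):
    """Build the SCIM User resource the mappings would send. Defaults follow the
    article's recommended mapping; pass the Entra defaults to compare."""
    reason = should_skip(user)
    if reason:
        return None, reason
    role = single_app_role_assignment(user.appRoleAssignments)
    if role not in KNOWN_ROLES:
        return None, f"failure: unknown role value {role!r}"
    scim = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": getattr(user, username_source),
        "externalId": getattr(user, external_id_source),
        "roles": [{"primary": "True", "value": role}],
        "active": True,
    }
    if user.mobile:
        scim["phoneNumbers"] = [{"type": "other", "value": user.mobile}]
    return scim, "ok"


def reconcile(existing_profiles, scim_user):
    """Match an incoming SCIM user to an SSO-created profile (constructed model).

    Assumes profiles created at SSO login are keyed by e-mail, so SCIM only
    matches when userName carries that same e-mail. Returns ("matched", profile)
    or ("created", new_profile); the latter is the duplicate from step 10.1.
    """
    key = scim_user["userName"].lower()
    for profile in existing_profiles:
        if profile["email"].lower() == key:
            profile["externalId"] = scim_user["externalId"]
            profile["role"] = scim_user["roles"][0]["value"]
            return "matched", profile
    new_profile = {"email": key, "externalId": scim_user["externalId"],
                   "role": scim_user["roles"][0]["value"]}
    existing_profiles.append(new_profile)
    return "created", new_profile


# Constructed sample user whose UPN and mail differ (objectId is a placeholder).
ALICE = EntraUser(objectId="11111111-aaaa-4bbb-8ccc-000000000001",
                  userPrincipalName="alice@corp.onmicrosoft.com",
                  mail="alice@example.com", mailNickname="alice",
                  mobile="+1 555 0100", appRoleAssignments=["end_user"])


def demo():
    """Run both userName sources against a profile SSO already created for Alice."""
    results = {}
    for source in ("mail", "userPrincipalName"):
        profiles = [{"email": "alice@example.com", "externalId": None, "role": None}]
        scim, _ = build_scim_user(ALICE, username_source=source)
        outcome, _ = reconcile(profiles, scim)
        results[source] = (outcome, len(profiles))
    return results


if __name__ == "__main__":
    print(demo())  # {'mail': ('matched', 1), 'userPrincipalName': ('created', 2)}
```

Running the file prints the outcome for both userName sources: the mail mapping updates the single existing profile with the stable objectId and the role, while the userPrincipalName mapping leaves two profiles for the same person. The reconciliation keys on e-mail because that is the premise behind the article's recommendation to send mail as userName; users without an app role are reported as skipped before any payload is built, which is the same condition step 21 tells you to check when a user does not appear in the provisioning logs.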
To stop User Sync & Provisioning using SCIM on Entra ID:

    1. Go to Microsoft Entra ID > Enterprise Applications. Select your application.

    2. Click on Provisioning in the left sidebar, then Stop Provisioning in the top bar.

    3. Head back to Simpplr and go to Manage > Application > Integrations > People Data.

    4. Deselect Provisioning and click Save.
