Druva Documentation

Manage Users from Microsoft Azure Active Directory using SCIM

Overview

This article lists the steps to integrate Microsoft Azure Active Directory (Azure AD) with Druva inSync for managing users using SCIM 2.0.

Pre-requisites

  • You must have configured Druva inSync to manage users using SCIM. For more information, see Configure Druva inSync to manage users using SCIM.
  • Log in to Microsoft Azure as an administrator. You must either be a super administrator or have an administrator account with the rights to create and manage apps.

Procedure

1: Create a custom SCIM app

Procedure

  1. Log in to the Microsoft Azure Active Directory Portal (Azure Portal) as an administrator. You must either be a super administrator or have an administrator account with the rights to create and manage apps.
  2. On the left-hand side panel of the Azure AD Console, click Azure Active Directory, and then click Enterprise Applications under Manage.
  3. On the Enterprise applications > All applications page, click + New application.
  4. On the Add an application page, click Non-gallery application to create a custom SCIM app.
  5. On the Add your own application page, located on the right-hand side, provide a Name for this custom SCIM app (for example, Druva inSync SCIM app) and click Add. The App Overview page appears.

The SCIM app is created. Proceed to integrate this SCIM app with Druva inSync.

2: Enable API Integration with Druva inSync

Pre-requisite

Procedure

  1. Find and select your SCIM app in the All Services > Enterprise Applications section of the Azure portal.
  2. On the App Overview page, select Provisioning under Manage on the left pane.
  3. On the Provisioning pane, select Provisioning mode as Automatic.
  4. Under the Admin credentials section:
    • In the Secret Token box, enter the token that you generated in the inSync Management Console for SCIM-based user management in Step 2.
  5. Click Test Connection to have Azure Active Directory attempt to connect to the Druva inSync SCIM endpoint.
  6. If the test is successful, click Save.

Proceed to configure the Azure AD Mapping and map the SCIM attributes with the Azure AD attributes.

3: Configure and map the SCIM attributes with the Azure AD attributes in the SCIM app

As an administrator, you can view and edit which user attributes flow between Azure AD and Druva inSync when user accounts are provisioned or updated. The custom SCIM app that you created comes with the default base attributes and values. Druva inSync requires only a few mandatory attributes (listed in Step 6 of the following procedure). You should also add or define the custom SCIM attributes that you plan to use in the SCIM mapping to classify users in Druva inSync.

  • Druva recommends that you delete the unwanted SCIM attributes from the list.
  • The custom attributes that you map in the IdP, except the userPrincipalName custom attribute, are not stored in Druva inSync. Custom attributes are only used to evaluate the SCIM mappings that you create in the Druva inSync Management Console.

Procedure

  1. If you are on the home page of the Azure Portal, find and select your SCIM app in the All Services > Enterprise Applications section.
  2. On the App Overview page, select Provisioning under Manage on the left pane.
  3. Click the Mappings configuration.
  4. On the Attribute Mapping page, enable Synchronize Azure Active Directory Users to <name of your SCIM app>.
  5. Select the following Target Object Actions:
    • Create
    • Update
    • Delete
  6. In the Attribute Mapping section, define the value for the SCIM attributes as listed in the following table. Also add the custom attributes that you want to use in Druva inSync to create a SCIM mapping for classifying users. Delete all the other SCIM attributes. For more information on customizing SCIM attributes, see the Azure Portal documentation.

The following attributes are mandatory in Druva inSync. Retain them and map each SCIM app attribute used by inSync to the Azure AD attribute or expression listed below.

  • userName: mail (the attribute value must be in email format).
  • displayName: map the value that you want to see as the Display Name of the user in Druva inSync. Druva recommends the following format for the displayName attribute value; create it as an Expression:
    Join(" ",[givenName],[surname])
  • active: Switch ([IsSoftDeleted], , "False", "True", "True", "False")
    This attribute is already mapped to the 'active' SCIM attribute when you create a new SCIM app.
  • externalId (optional attribute): objectId
  • userPrincipalName: the Azure AD userPrincipalName attribute value. If the userPrincipalName custom attribute is not specified, the displayName attribute value is populated as the userPrincipalName attribute value in the inSync Management Console.

  7. On the App Overview page, scroll down to the Settings section and update the following settings:
    • Set Provisioning Status to Yes.
    • Set Scope as Sync only assigned users and groups.

After configuring the SCIM app, assign the SCIM app to users in your organization.

4: Assign users to the SCIM app

The last step of the SCIM app configuration is to assign the SCIM app to the users and groups that you want to manage in Druva inSync.

You can assign the SCIM app to Groups that you have created in Azure AD if you want to bulk assign it to the users. All the users in the group are automatically assigned the SCIM app, and their accounts are created in Druva inSync.

Procedure

  1. If you are on the home page of the Azure Portal, find and select your SCIM app in the All Services > Enterprise Applications section.
  2. On the App Overview page, select Users and groups under Manage on the left pane.
  3. In the right pane, click +Add User.
  4. On the Add Assignment page, search for and select the users or group of users, and assign the SCIM app.

Ensure you assign the SCIM app to every user whose account you want to manage in Druva inSync. After you assign the SCIM app to the users, their accounts are automatically created in Druva inSync and configured as per the SCIM mapping.

Next step

View the user accounts managed using SCIM

inSync administrators can view the accounts created and managed using SCIM in the inSync Management Console.

  • Manage Users page - The Manage Users page lists all the users created and managed in Druva inSync. For more information, see Manage Users page.
  • User Provisioning Report - This report lists the user accounts created and managed using SCIM and also displays information like the account status, profile, and storage assigned to the users. For more information, see User Provisioning Report.

If the Username of a user managed using SCIM contains any of the special characters ?, *, /, \, < or >, each such character is automatically replaced by a _ (underscore).
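The following added example (not Druva's or Microsoft's code) previews what the Step 3 attribute mapping and the Username substitution rule above produce for a set of constructed Azure AD user records, so an administrator can check the mandatory attributes before provisioning runs. The Join(), Switch() and underscore-replacement behaviour is modelled locally from the rules on this page; the exact null handling of Azure AD's Join() is an assumption.

```python
import re

# Constructed sample Azure AD user records (not real tenant data); keys mirror the Azure AD attributes named above.
AZURE_USERS = [
    {"objectId": "obj-0001", "mail": "ana.perez@example.com", "givenName": "Ana",
     "surname": "Perez", "userPrincipalName": "ana.perez@example.com", "IsSoftDeleted": "False"},
    {"objectId": "obj-0002", "mail": "bo?b/lee@example.com", "givenName": "Bob",
     "surname": "Lee", "userPrincipalName": "bob.lee@example.com", "IsSoftDeleted": "True"},
    {"objectId": "obj-0003", "mail": None, "givenName": "Cy",
     "surname": "Tan", "userPrincipalName": "cy.tan@example.com", "IsSoftDeleted": "False"},
]

def join_expr(*parts):
    """Join(" ", [givenName], [surname]); empty parts are skipped (assumption)."""
    return " ".join(p for p in parts if p)

def switch_active(is_soft_deleted):
    """Switch([IsSoftDeleted], , "False", "True", "True", "False") with an empty default."""
    return {"False": "True", "True": "False"}.get(is_soft_deleted, "")

def insync_username(user_name):
    """inSync replaces ? * / \\ < > in the Username with an underscore."""
    return re.sub(r"[?*/\\<>]", "_", user_name)

def map_user(user):
    """Build the SCIM attributes inSync will receive for one Azure AD user."""
    mail = user.get("mail")
    if not mail or "@" not in mail:           # userName is mandatory and must be an email
        raise ValueError(f"{user['objectId']}: userName needs 'mail' in email format")
    display_name = join_expr(user.get("givenName"), user.get("surname"))
    return {
        "userName": mail,
        "displayName": display_name,
        "active": switch_active(user.get("IsSoftDeleted")) == "True",
        "externalId": user["objectId"],
        # inSync falls back to displayName when the custom attribute is absent
        "userPrincipalName": user.get("userPrincipalName") or display_name,
        "insyncUsername": insync_username(mail),
    }

def provision_preview(users):
    """Return (mapped users, error messages) without touching Azure AD or inSync."""
    mapped, errors = [], []
    for user in users:
        try:
            mapped.append(map_user(user))
        except ValueError as exc:
            errors.append(str(exc))
    return mapped, errors
```

Run provision_preview(AZURE_USERS) to see two mapped users (the soft-deleted one inactive, the one with ? and / in its mail renamed with underscores) and one error for the record without a mail value.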
