Skip to main content

How can we help you?

Druva Documentation

Manage Users from Microsoft Azure Active Directory using SCIM

Overview

The procedure to integrate Microsoft Azure Active Directory (Azure AD) with inSync to manage users using SCIM 2.0 is described below.

Pre-requisites

Provision users from Azure AD using SCIM

Steps:

  1. Deploy the Druva SCIM app
  2. Enable API integration with inSync
  3. Map SCIM attributes to Azure AD attributes on the SCIM app
    1. Map userPrincipalName attribute
    2. Map additional attributes (Optional)
  4. Start the provisioning status of the Druva app
  5. Assign users to the SCIM app
  6. Audit feature to monitor user provisioning

Deploy the Druva SCIM app

  1. Login to Microsoft Azure Active Directory Portal (Azure Portal) as an administrator.
  2. From the left panel of the Azure AD console, click Azure Active Directory.

    AzureADButton.png
  3. Click All Services > Enterprise applications.

    AllServices.png
  4. Click on +New application.

    EnterpriseAppsPg.png
  5. On the Add an application page, search for Druva.
  6. From the search results, select Druva with Category as Content management

    AddFromGallary.png
  7. On the Add your own application page on the right, enter a name for this custom SCIM app and click Add. Example - Druva inSync SCIM app. 
    The SCIM app is created. The App Overview page appears.

    AddDruvaName.png

Proceed to integrate this SCIM app with Druva inSync.

Enable API integration with Druva inSync

Pre-requisite: Token generated while configuring inSync SCIM. See Generate Token for SCIM.

SCIMAppProvisioning.png

  1. On the Azure console, go to All Services > Enterprise Applications section and select your SCIM app.
  2. On the App Overview page, select Provisioning under Manage on the left pane.
  3. On the Provisioning pane, select Provisioning mode as Automatic.
  4. Under the Admin credentials section, specify the field values as defined below:
    If you are inSync Cloud Customer: 
    • Tenant URL: Enter inSync Cloud End-point URL. Format: https://apis.druva.com/insync/scim
    • Secret Token: Enter the token that you generated on the inSync Management Console for SCIM-based user management.
       
    If you are inSync GovCloud Customer: 
    • Tenant URL: Enter inSync GovCloud End-point URL. Format: https://govcloudapis.druva.com/insync/scim
    • Secret Token: Enter the token that you generated on the inSync Management Console for SCIM-based user management.
  5. Click Test Connection to test and try to connect Azure AD to the inSync SCIM endpoint.
  6. Click Save once the test succeeds.

Proceed to configure the Azure AD Mapping and map the SCIM attributes with the Azure AD attributes.

Map SCIM attributes to Azure AD attributes on the SCIM app

As an administrator, you can view and edit what user attributes must flow between Azure AD and inSync when user accounts are provisioned or updated. The Druva SCIM app, created earlier, comes with the default base attributes and values. inSync requires only a few mandatory attributes (listed in Step 6 of this article). You can also add or define your custom SCIM attributes that you plan to use in the SCIM mapping to classify the users in inSync.

The custom attributes, except the userPrincipalName attribute, that you map in the IdP is not stored in inSync. Custom attributes are only used to evaluate the SCIM mappings that you create in the inSync Management Console.

  1. On the homepage of the Azure Portal, find and select your SCIM app in the All Services > Enterprise Applications section.
  2. On the App Overview page, select Provisioning under Manage on the left pane.
  3. Click the Mappings configuration.
  4. On the Attribute Mapping page, enable Synchronize Azure Active Directory Users to <name of your SCIM app>.

    SyncAzureADDashboard.png
  5. Select the following Target Object Actions:
    • Create
    • Update
    • Delete

      AttribMapping.png
  6. In the Attribute Mapping section:
    • Add the custom attributes that you want to use in inSync to create a SCIM mapping for classifying users.
      The following attributes are mandatory in inSync. Retain the following attributes and create a mapping with Azure AD  attribute value
      Retain the following mandatory attributes in Druva inSync and create a mapping with Azure AD attribute value.

You can create the Mapping with userPrincipalName or Mail for userName attribute. This userName attribute will convert to email address for the inSync User.

Using UPN as userName (email address in inSync):

Azure AD attribute SCIM attributes used in inSync (Druva Attributes)
userPrincipalName userName
Not([IsSoftDeleted]) active
displayName displayName
objectId externalId

AttribMapping2.png

Using Email as userName (email address in inSync):

Azure AD attribute SCIM app attributes used in inSync (Druva Attribute)
mail userName
Not([IsnSoftDeleted]) active
displayName displayName
objectId externalId

AttribMapping3.png

Map userPrincipalName attribute 

In some environments, you need to import userPrincipalName as an additional attribute, since O365 may be configured to back up on the basis of userPrincipalName. This attribute is not mandatory for user creation in inSync. However, in the above scenario userPrincipalName is required for O365, authentication/backup with inSync.

To add userPrincipalName (optional) attribute in the  Attribute Mapping:

  1. Select Show advanced options and click the Edit attribute list for Druva link.

  2. On the Edit Attribute List windows, set all values as follows without quotation marks:
    • Name: urn:ietf:params:scim:schemas:extension:Druva:2.0:User:userPrincipalName
    • Type: String

 3. Click Save.

 4. Go to Druva App Provisioning.

 5. Click the userPrincipalName attribute and select mail to associate the Azure AD email attribute with the userPrincipalName attribute.

 6. Click Add New Mapping.

7. Select Source attribute as userPrincipalName  and  Target attribute as urn:ietf:params:scim:schemas:extension:Druva:2.0:User:userPrincipalName.

 8. Click Save. The attribute appears in the Attribute Mappings.

Map additional attributes (Optional)

For some organizations you may need to import the users and map them to different storage/profile on the basis of a Custom Attribute Value for the user. To achieve this a filter can be added to SCIM mapping in inSync. This Custom attribute has to be mapped in Azure as well. 
Please refer Create a SCIM Mapping for more details.

In some environments, you may need to import users and map them to various storages/profiles on the basis of a Custom Attribute Value for the user.  To achieve this, a filter can be added to the SCIM mapping in inSync. This custom attribute must be mapped in Azure AD as well.

To add an attribute (for example a city or company attribute) in the Attribute Mappings:

  1. Select Show advanced options and click the Edit attribute list for Druva link.

    ShowAdvancedOptions.png
  2. On the Edit Attribute List windows, add City or Company in the Name column
  3. On the Edit Attribute List windows, set all values as follows without quotation marks:
    • Name: Enter City or Company.
    • Type: String
    • API Expression: <Name of the additional attribute>

      For example, you need to make the following entries in the Name for city, country, or department:

      urn:ietf:params:scim:schemas:extension:Druva:2.0:User:city
      urn:ietf:params:scim:schemas:extension:Druva:2.0:User:country
      urn:ietf:params:scim:schemas:extension:Druva:2.0:User:department

      Use the same format and change the namespace in case you plan to use any other attribute apart from city, country, or department such as:
      urn:ietf:params:scim:schemas:extension:Druva:2.0:User:<name of desired attribute>

      DruvaUserAttributes2.png

      These values must be entered without quotation marks or brackets.
  4. Go to Druva App Provisioning and click Add New Mapping.

    AddNewMapping.png
  5. On the Edit Attribute window, select Source attribute as city and  Target attribute as “urn:ietf:params:scim:schemas:extension:Druva:2.0:User:city.

    EditAttribute2.png
  6. Click  Save. The city, country, or department attributes appear in the Attribute Mappings.

    AttribMapping6.png

Start the provisioning status of the Druva app

On the App Overview page, Scroll down to Settings and update the following:

  • Set Provisioning Status to On.
  • Set Scope as Sync only assigned users and groups.

    ProvisionSetting.png

Assign users to the SCIM app

At this stage, you assign the SCIM app to the users and groups that you want to manage in inSync. You can assign the SCIM app to Groups that you have created in Azure AD if you want to bulk assign it to the users. All the users in the group are automatically assigned to the SCIM app, and their accounts are created/managed in inSync.

Due to Microsoft Azure Active Directory limitation, you can assign the SCIM app only to the Security Group.

  1. On the Azure Portal homepage, got to All Services > Enterprise Applications and select your Druva SCIM app.
  2. On the App Overview page, select Users and groups under Manage on the left pane.
  3. In the right pane, click +Add User.

    AddUser.png
  4. On the Add Assignment page, search and select the Users or Group of users and assign the SCIM app.
    Ensure you assign the SCIM app to every user whose account you want to manage in inSync. After you assign the SCIM app to the users, their accounts are automatically created in inSync and configured as per the SCIM mapping.

Audit feature to monitor user provisioning

After assigning the user to Druva SCIM App, wait some time as Azure uses push functionality and users will be imported after 10 to 15 minutes.

In case the user is not imported in inSync Cloud, check the Audit logs for Druva SCIM app under Provisioning section.

Please follow the steps to check the Audit logs:

  1. On the Druva SCIM app, click Provisioning.

    ManageMenu.png
  2. Click View Audit Logs

    CurrentStatus.png

    The below is the screen visible after clicking on View Audit Logs. You can click on each one of the entries to read the reason for success or failure in exporting user from Azure to inSync.

    AuditLogs.png

 

Preserving users in Azure will preserve the user in inSync Cloud. 

There are three scenarios where inSync user will be preserved: 

  • If the user is deleted in Azure Active Directory.
  • If the user is removed/unassigned from Druva SCIM App
  • If we disable the user (Block sign in) in Azure Active Directory


If the O365 license is removed, the inSync user will still remain enabled/active state.

If the Username of the users managed using SCIM has special characters ?, *, /, \, < or >, they are automatically replaced by _ (underscore).
 

  • Was this article helpful?