Druva Documentation

Multiple SCIM configuration on Azure AD to import user accounts from multiple Azure AD security groups

 

Problem description

How to import users from multiple Azure AD security groups so that each group lands in its own profile settings and storage region on the Druva admin console side.

Requirements

The following example is used as the requirement throughout this article:

  • Users in “EMEA” Azure AD security group should be imported to EMEA profile settings and assigned to EMEA storage regions
  • Users in “APAC” Azure AD security group should be imported to APAC profile settings and assigned to APAC storage regions

Resolution

Deploy the Druva SCIM app

  1. Log in to the Microsoft Azure Active Directory portal (Azure Portal) as an administrator.

  2. From the left panel of the Azure AD console, click Azure Active Directory.

    AzureADButton.png

  3. Click All Services > Enterprise applications.

    AllServices.png

  4. Click on +New application.

    EnterpriseAppsPg.png

  5. On the Add an application page, search for Druva.

  6. From the search results, select Druva with Category as Content management.

    AddFromGallary.png

  7. Enter the name of the SCIM app as Druva_SCIM_<AzureADgroupname> and create it. The SCIM app is created and the App Overview page appears.

Naming the app after the group helps you identify which SCIM app is linked to which AD security group when you create multiple SCIM apps.


In each Druva SCIM app, enter the following configuration details:

Pre-requisite: the token generated while configuring inSync SCIM. See Generate Token for SCIM.

The same SCIM token has to be used across all the SCIM apps. It is a bearer credential for the inSync SCIM endpoint, so treat it as a secret: if it is exposed, generate a new token in inSync and update every SCIM app that uses it.

SCIMAppProvisioning.png

  1. On the Azure console, go to All Services > Enterprise Applications section and select your SCIM app.

  2. On the App Overview page, select Provisioning under Manage on the left pane.

  3. On the Provisioning pane, select Provisioning mode as Automatic.

  4. Under the Admin credentials section, specify the field values as defined below:

    If you are an inSync Cloud customer:

    • Tenant URL: Enter the inSync Cloud end-point URL. Format: https://apis.druva.com/insync/scim

    • Secret Token: Enter the token that you generated on the inSync Management Console for SCIM-based user management.

    If you are an inSync GovCloud customer:

    • Tenant URL: Enter the inSync GovCloud end-point URL. Format: https://govcloudapis.druva.com/insync/scim

    • Secret Token: Enter the token that you generated on the inSync Management Console for SCIM-based user management.

  5. Click Test Connection to confirm that Azure AD can connect to the inSync SCIM endpoint with these credentials.

  6. Click Save once the test succeeds.

Proceed to configure the Azure AD Mapping and map the SCIM attributes with the Azure AD attributes.

Map SCIM attributes to Azure AD attributes on the SCIM app

As an administrator, you can view and edit which user attributes flow between Azure AD and inSync when user accounts are provisioned or updated. The Druva SCIM app created earlier comes with the default base attributes and values. inSync requires only a few mandatory attributes (listed in step 6 below). You can also add or define custom SCIM attributes that you plan to use in the SCIM mapping to classify the users in inSync.

The custom attributes that you map in the IdP, except the userPrincipalName attribute, are not stored in inSync. Custom attributes are only used to evaluate the SCIM mappings that you create in the inSync Management Console.

  1. On the homepage of the Azure Portal, find and select your SCIM app in the All Services > Enterprise Applications section.

  2. On the App Overview page, select Provisioning under Manage on the left pane.

  3. Under Mappings, click the user mapping.

  4. On the Attribute Mapping page, enable Synchronize Azure Active Directory Users to <name of your SCIM app>.

    SyncAzureADDashboard.png

  5. Select the following Target Object Actions:

    • Create

    • Update

    • Delete

      AttribMapping.png

  6. In the Attribute Mapping section:

    • Add the custom attributes that you want to use in inSync to create a SCIM mapping for classifying users.

    • Retain the following mandatory inSync attributes and map each one to an Azure AD attribute value.

You can map either userPrincipalName or mail to the userName attribute. inSync uses the userName value as the email address of the inSync user.

Using UPN as userName (email address in inSync):

    Azure AD attribute          SCIM attribute used in inSync (Druva attribute)
    userPrincipalName           userName
    Not([IsSoftDeleted])        active
    displayName                 displayName
    objectId                    externalId

    AttribMapping2.png

Using mail as userName (email address in inSync):

    Azure AD attribute          SCIM attribute used in inSync (Druva attribute)
    mail                        userName
    Not([IsSoftDeleted])        active
    displayName                 displayName
    objectId                    externalId

    AttribMapping3.png

1. Map the userPrincipalName attribute

In some environments you need to import userPrincipalName as an additional attribute, because O365 may be configured to back up on the basis of userPrincipalName. This attribute is not mandatory for user creation in inSync, but in that scenario inSync requires userPrincipalName for O365 authentication and backup.

To add the optional userPrincipalName attribute in the Attribute Mapping:

1. Select Show advanced options and click the Edit attribute list for Druva link.

2. On the Edit Attribute List window, set the values as follows, without quotation marks:

  • Name: urn:ietf:params:scim:schemas:extension:Druva:2.0:User:userPrincipalName

  • Type: String

3. Click Save.

2. Map the group attribute

1. Select Show advanced options and click the Edit attribute list for Druva link.

2. On the Edit Attribute List window, set the values as follows, without quotation marks:

  • Name: urn:ietf:params:scim:schemas:extension:Druva:2.0:User:group

  • Type: String

3. Click Save.

Now go back to the Attribute Mapping page of the first SCIM app (Druva_SCIM_APAC-DRUVA in this example):

1. Click Add New Mapping.

2. Select the Mapping type Constant.

3. In Constant value, enter the name of the Azure AD security group. Copy the group name from Azure AD and paste it here; the value is case sensitive. In the screenshot the group name is "APAC-DRUVA", the Azure AD security group created on the Azure AD side that has the APAC users assigned to it.

4. Select the group attribute you added (urn:ietf:params:scim:schemas:extension:Druva:2.0:User:group) as the target attribute and click Ok.

Similarly, on the second Druva SCIM app (Druva_SCIM_EMEA-DRUVA) for the EMEA Azure AD group:

1. Click Add New Mapping.

2. Select the Mapping type Constant.

3. In Constant value, enter the Azure AD security group name, in this case "EMEA-DRUVA", the Azure AD security group that has the EMEA users assigned to it. The value is case sensitive.

4. Select the same group target attribute and click Ok.

Now, under the Druva_SCIM_APAC-DRUVA app, click Users and groups and assign the Azure AD group for which this SCIM app was created, in this case the APAC-DRUVA Azure AD security group.

Similarly, under the Druva_SCIM_EMEA-DRUVA app, click Users and groups and assign the EMEA-DRUVA Azure AD security group.

Once the respective Azure AD group is assigned to each SCIM app, go back to the Druva admin console:

1. Go to Users and click Deployment.

2. Click the Mapping tab.

3. Click New mapping.

4. Name the SCIM mapping after the Azure AD security group (for example APAC-DRUVA) and enter the mapping details: the group attribute with the constant value set in that SCIM app (APAC-DRUVA, matched case sensitively), and the APAC profile and APAC storage region to assign to the matching users.

In the same way, create a SCIM mapping for the other Druva SCIM app (EMEA-DRUVA with the EMEA profile and EMEA storage region).

Start provisioning on each Druva SCIM app

On the Provisioning page of each SCIM app, scroll down to Settings and update the following:

  • Set Provisioning Status to On.

  • Set Scope to Sync only assigned users and groups. With Sync all users and groups, every app would push every user and the group constant of whichever app ran last would win, which defeats the segregation. For the same reason, keep a user out of more than one of these security groups.

    ProvisionSetting.png

The user accounts in the APAC security group are provisioned on the Druva admin console and assigned to the APAC profile and APAC storage region.

Similarly, the user accounts in the EMEA security group are provisioned on the Druva admin console and assigned to the EMEA profile and EMEA storage region.

You can check the admin audit trail on the Druva admin console, which displays an entry of the form "SCIM created user account <username>" for each provisioned user.
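The following is an added example, not Druva's or Microsoft's code, that simulates the end-to-end effect of the procedure above: each SCIM app builds a SCIM User resource from its attribute mapping (including the constant group extension attribute) for the members of its assigned group, and the inSync-side SCIM mappings then route each user to a profile and storage region by that group value. The users, group memberships and region names are constructed test data, and the evaluation rules (exact case-sensitive match, first matching mapping wins, apps run in order) are assumptions made for the simulation. It also exercises the two failure modes noted above: a user in both groups, and the Sync all users and groups scope.

```python
"""Added example (not Druva or Microsoft code): simulates two Azure AD SCIM apps
pushing users to inSync and the inSync-side SCIM mappings routing them.
All users, groups and region names are constructed test data."""

DRUVA_EXT = "urn:ietf:params:scim:schemas:extension:Druva:2.0:User"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"


def scim_app_mapping(group_constant, use_upn_as_username=True):
    """Attribute mapping of one SCIM app, mirroring the Azure AD mapping table.

    Each target attribute maps to (mapping type, source). The group extension
    attribute is a Constant whose value is the Azure AD security group name.
    """
    return {
        "userName": ("direct", "userPrincipalName" if use_upn_as_username else "mail"),
        "active": ("expression", "Not([IsSoftDeleted])"),
        "displayName": ("direct", "displayName"),
        "externalId": ("direct", "objectId"),
        DRUVA_EXT + ":userPrincipalName": ("direct", "userPrincipalName"),
        DRUVA_EXT + ":group": ("constant", group_constant),
    }


def to_scim_user(aad_user, mapping):
    """Build the SCIM User resource that Azure AD would POST for aad_user."""
    body = {"schemas": [CORE_USER, DRUVA_EXT], DRUVA_EXT: {}}
    for target, (kind, source) in mapping.items():
        if kind == "direct":
            value = aad_user[source]
        elif kind == "constant":
            value = source
        else:  # the only expression used here is Not([IsSoftDeleted])
            value = not aad_user.get("IsSoftDeleted", False)
        if target.startswith(DRUVA_EXT + ":"):
            body[DRUVA_EXT][target[len(DRUVA_EXT) + 1:]] = value
        else:
            body[target] = value
    return body


# inSync-side SCIM mappings, named after the Azure AD security groups. Each one
# evaluates the group extension attribute and assigns a profile and storage
# region (region names are constructed; first match wins is an assumption).
INSYNC_MAPPINGS = [
    {"attribute": "group", "value": "APAC-DRUVA", "profile": "APAC", "storage": "APAC"},
    {"attribute": "group", "value": "EMEA-DRUVA", "profile": "EMEA", "storage": "EMEA"},
]


def evaluate_mappings(scim_user, mappings=INSYNC_MAPPINGS):
    """Return (profile, storage) of the first mapping whose value matches the
    user's group attribute exactly; None when nothing matches (e.g. a case
    mismatch in the constant value)."""
    ext = scim_user.get(DRUVA_EXT, {})
    for m in mappings:
        if ext.get(m["attribute"]) == m["value"]:
            return m["profile"], m["storage"]
    return None


def provision(scim_apps, aad_users, sync_only_assigned=True):
    """Run every SCIM app once, in order, and return {userName: placement}.

    scim_apps: list of {"assigned_group": ..., "group_constant": ...}.
    sync_only_assigned=False models the scope "Sync all users and groups":
    every app pushes every user, so the last app to run decides the group.
    """
    result = {}
    for app in scim_apps:
        mapping = scim_app_mapping(app["group_constant"])
        for user in aad_users:
            if sync_only_assigned and app["assigned_group"] not in user["memberOf"]:
                continue
            scim_user = to_scim_user(user, mapping)
            result[scim_user["userName"]] = evaluate_mappings(scim_user)
    return result


# Constructed Azure AD users; memberOf lists their security groups.
AAD_USERS = [
    {"objectId": "1a2b", "userPrincipalName": "alice@example.com", "mail": "alice@example.com",
     "displayName": "Alice", "IsSoftDeleted": False, "memberOf": ["APAC-DRUVA"]},
    {"objectId": "3c4d", "userPrincipalName": "bob@example.com", "mail": "bob@example.com",
     "displayName": "Bob", "IsSoftDeleted": False, "memberOf": ["EMEA-DRUVA"]},
    {"objectId": "5e6f", "userPrincipalName": "carol@example.com", "mail": "carol@example.com",
     "displayName": "Carol", "IsSoftDeleted": False, "memberOf": ["APAC-DRUVA", "EMEA-DRUVA"]},
]

# One entry per SCIM app: Druva_SCIM_APAC-DRUVA and Druva_SCIM_EMEA-DRUVA.
SCIM_APPS = [
    {"assigned_group": "APAC-DRUVA", "group_constant": "APAC-DRUVA"},
    {"assigned_group": "EMEA-DRUVA", "group_constant": "EMEA-DRUVA"},
]

if __name__ == "__main__":
    for name, placement in provision(SCIM_APPS, AAD_USERS).items():
        print(name, "->", placement)
```

Running the block prints Alice in APAC, Bob in EMEA and Carol, who is in both groups, in whichever region the last app pushed; a constant typed as "apac-druva" yields no placement at all, which is why the article insists that the constant value is case sensitive.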
