Druva Documentation

How to provision users from Microsoft Azure Active Directory using SCIM

This article applies to:

  • Product edition: inSync Cloud


Overview

This article lists the steps to integrate Microsoft Azure Active Directory (Azure AD) with Druva inSync to manage users using SCIM.

Pre-requisites

Provision users from Azure AD using SCIM

Steps:

  1. Deploy the Druva SCIM app
  2. Enable API integration with Druva inSync
  3. Map SCIM attributes to Azure AD attributes on the SCIM app
    1. Map userPrincipalName attribute
    2. Map additional attributes (Optional)
  4. Turn on provisioning for the Druva app
  5. Assign users to the SCIM app
  6. Audit feature to monitor user provisioning

Deploy the Druva SCIM app

  1. Log in to the Microsoft Azure Active Directory portal (Azure portal) as an administrator.
  2. On the Azure AD console left-hand side panel, click Azure Active Directory.
  3. Click All Services > Enterprise applications.
  4. Click +New application.
  5. On the Add an application page, search for Druva.
  6. From the search results, select Druva with Category as Content management.
  7. On the Add your own application page on the right, enter a name for this SCIM app and click Add. Example: Druva inSync SCIM app.
    The SCIM app is created. The App Overview page appears.

Proceed to integrate this SCIM app with Druva inSync.

Enable API integration with Druva inSync

Pre-requisite: Token generated while configuring inSync SCIM. See Generate Token for SCIM.

  1. In the Azure portal, go to All Services > Enterprise Applications and select your SCIM app.
  2. On the App Overview page, select Provisioning under Manage in the left pane.
  3. On the Provisioning pane, set Provisioning Mode to Automatic.
  4. Under Admin Credentials, enter the following values:
    • Tenant URL: the Druva inSync Cloud SCIM endpoint URL, in the format https://apis.druva.com/insync/scim
    • Secret Token: the token that you generated in the inSync Management Console for SCIM-based user management. Azure AD presents this token as a bearer credential on every request to the endpoint, so treat it as you would a password.
  5. Click Test Connection to verify that Azure AD can reach the Druva inSync SCIM endpoint and that the token is accepted.
  6. Once the test succeeds, click Save.

Proceed to configure the Azure AD Mapping and map the SCIM attributes with the Azure AD attributes.

Map SCIM attributes to Azure AD attributes on the SCIM app

As an administrator, you can view and edit which user attributes flow between Azure AD and Druva inSync when user accounts are provisioned or updated. The Druva SCIM app created earlier comes with a set of default base attributes and values. Druva inSync requires only a few mandatory attributes (listed in Step 6 of this article). You can also add or define the custom SCIM attributes that you plan to use in the SCIM mapping to classify the users in Druva inSync.

The custom attributes that you map in the IdP, except the userPrincipalName attribute, are not stored in Druva inSync. Custom attributes are only used to evaluate the SCIM mappings that you create in the inSync Management Console.

  1. On the homepage of the Azure Portal, find and select your SCIM app in the All Services > Enterprise Applications section.
  2. On the App Overview page, select Provisioning under Manage on the left pane.
  3. Click the Mappings configuration.
  4. On the Attribute Mapping page, enable Synchronize Azure Active Directory Users to <name of your SCIM app>.
  5. Select the following Target Object Actions:
    • Create
    • Update
    • Delete
  6. In the Attribute Mapping section:
    • Define the values for the SCIM attributes as listed in the following tables.
    • Add the custom attributes that you want to use in Druva inSync to create a SCIM mapping for classifying users.
      The following attributes are mandatory in Druva inSync. Retain them and map each one to the Azure AD attribute value shown.

You can map either userPrincipalName or mail to the userName attribute. The value of userName becomes the email address of the inSync user, so it must be in email format and unique per user.

Using UPN as userName (email address in inSync):

Azure AD attribute        SCIM attribute used in inSync (Druva attribute)
userPrincipalName         userName
Not([IsSoftDeleted])      active
displayName               displayName
objectId                  externalId

Using Email as userName (email address in inSync):

Azure AD attribute        SCIM app attribute used in inSync (Druva attribute)
mail                      userName
Not([IsSoftDeleted])      active
displayName               displayName
objectId                  externalId

Map userPrincipalName attribute

In some environments you need to import userPrincipalName as an additional attribute, because O365 backup may be configured on the basis of userPrincipalName. The attribute is not mandatory for creating the user in inSync, but in that scenario it is required for O365 authentication and backup with inSync.

To add the (optional) userPrincipalName attribute to the Attribute Mappings:

  1. Select Show advanced options and click the Edit attribute list for Druva link.
  2. On the Edit Attribute List window, set the values as follows, without quotation marks:
    • Name: urn:ietf:params:scim:schemas:extension:Druva:2.0:User:userPrincipalName
    • Type: String
    • API Expression: userPrincipalName
  3. Click Save.
  4. Go to Druva App Provisioning and click Add New Mapping.
  5. On the Edit Attribute window, select userPrincipalName as the Source attribute and urn:ietf:params:scim:schemas:extension:Druva:2.0:User:userPrincipalName as the Target attribute.
  6. Click Save. The attribute appears in the Attribute Mappings.

Map additional attributes (Optional)

In some environments, you may need to import users and assign them to different storages or profiles on the basis of a custom attribute value. To achieve this, add a filter to the SCIM mapping in inSync; the custom attribute must be mapped in Azure AD as well. For more information, see Create a SCIM Mapping.

To add an attribute (for example, city or company) to the Attribute Mappings:

  1. Select Show advanced options and click the Edit attribute list for Druva link.
  2. On the Edit Attribute List window, add a row for each attribute with the following values, entered without quotation marks or brackets:
    • Name: urn:ietf:params:scim:schemas:extension:Druva:2.0:User:<name of the attribute>
    • Type: String
    • API Expression: <name of the attribute>

      For example, for city, country, or department the Name values are:

      urn:ietf:params:scim:schemas:extension:Druva:2.0:User:city
      urn:ietf:params:scim:schemas:extension:Druva:2.0:User:country
      urn:ietf:params:scim:schemas:extension:Druva:2.0:User:department

      Use the same format for any other attribute, changing only the last segment of the namespace:
      urn:ietf:params:scim:schemas:extension:Druva:2.0:User:<name of desired attribute>
  3. Click Save.
  4. Go to Druva App Provisioning and click Add New Mapping.
  5. On the Edit Attribute window, select city as the Source attribute and urn:ietf:params:scim:schemas:extension:Druva:2.0:User:city as the Target attribute. Repeat for each additional attribute.
  6. Click Save. The city, country, or department attributes appear in the Attribute Mappings.
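
The following Python is an added example, not part of this article and not Druva's or Microsoft's code. It reproduces the attribute flow described in the mapping tables and the two custom-attribute procedures above, and the role of the Tenant URL and Secret Token from the API integration step: it applies the UPN-based or mail-based mapping, the Not([IsSoftDeleted]) expression for active, the objectId to externalId mapping, and the Druva extension-schema attributes, then shows the shape of the create request that the Azure AD provisioning service sends to the SCIM endpoint with the token as a bearer credential. The sample user, its attribute values, the placeholder token, and the representation of IsSoftDeleted as a Python boolean are assumptions; nothing is sent over the network.

```python
"""Added example (not Druva's code): the attribute flow from this article,
rendered as the SCIM 2.0 payload Azure AD pushes to the Druva inSync endpoint."""
import json
import re
from typing import Any, Dict, Iterable

# Constructed sample of what the Azure AD provisioning service sees for one user.
# The tenant, the values and the boolean form of IsSoftDeleted are assumptions.
SAMPLE_AAD_USER: Dict[str, Any] = {
    "objectId": "9a3f2f0e-1111-4b2c-8d3e-0123456789ab",
    "userPrincipalName": "j.doe@contoso.example",
    "mail": "jane.doe@contoso.example",
    "displayName": "Jane Doe",
    "IsSoftDeleted": False,      # user is not soft-deleted in the directory
    "city": "Pune",
    "department": "Finance",
}

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
DRUVA_EXT = "urn:ietf:params:scim:schemas:extension:Druva:2.0:User"

# Characters inSync replaces with "_" in a SCIM-managed username (per the article).
_UNSAFE = re.compile(r"[?*/\\<>]")


def insync_username(value: str) -> str:
    """Username as inSync stores it: ?, *, /, \\, < and > become underscores."""
    return _UNSAFE.sub("_", value)


def to_scim_user(aad_user: Dict[str, Any],
                 username_source: str = "userPrincipalName",
                 extension_attrs: Iterable[str] = ()) -> Dict[str, Any]:
    """Apply the article's mapping table to one Azure AD user.

    username_source is "userPrincipalName" (UPN table) or "mail" (Email table);
    extension_attrs names Azure AD attributes mapped to the Druva extension schema
    (userPrincipalName, city, department, ...).
    """
    if username_source not in ("userPrincipalName", "mail"):
        raise ValueError("userName must come from userPrincipalName or mail")
    username = aad_user.get(username_source)
    # userName becomes the inSync email address, so it must be email-formatted.
    if not username or "@" not in username:
        raise ValueError(f"{username_source} is empty or not an email address")

    payload: Dict[str, Any] = {
        "schemas": [CORE_USER],
        "userName": username,
        "displayName": aad_user["displayName"],
        # Azure AD expression Not([IsSoftDeleted]): soft-deleted users go inactive.
        "active": not aad_user.get("IsSoftDeleted", False),
        "externalId": aad_user["objectId"],
    }
    extension = {a: aad_user[a] for a in extension_attrs if a in aad_user}
    if extension:
        payload["schemas"].append(DRUVA_EXT)
        payload[DRUVA_EXT] = extension
    return payload


def provisioning_request(tenant_url: str, secret_token: str,
                         payload: Dict[str, Any]) -> Dict[str, Any]:
    """Shape of the create call Azure AD makes: POST <Tenant URL>/Users with the
    Secret Token as a bearer credential (RFC 7644). Nothing is sent; this only
    shows why the token must be protected like a password."""
    return {
        "method": "POST",
        "url": tenant_url.rstrip("/") + "/Users",
        "headers": {
            "Authorization": f"Bearer {secret_token}",
            "Content-Type": "application/scim+json",
        },
        "body": json.dumps(payload),
    }


if __name__ == "__main__":
    # UPN-based mapping plus the optional Druva extension attributes.
    user = to_scim_user(SAMPLE_AAD_USER, "userPrincipalName",
                        ("userPrincipalName", "city", "department"))
    req = provisioning_request("https://apis.druva.com/insync/scim",
                               "<secret token from inSync>", user)
    print(req["method"], req["url"])
    print(json.dumps(json.loads(req["body"]), indent=2))
    print("inSync username:", insync_username(user["userName"]))
```

Switching username_source to "mail" gives the Email-based table; passing an empty extension_attrs reproduces the minimal payload with only the mandatory attributes, which is what is left after deleting the unwanted attributes from the mapping. The Authorization header is the reason the Secret Token deserves the same handling as any other credential: whoever holds it can create, update and deactivate users at the Tenant URL.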

Turn on provisioning for the Druva app

On the App Overview page, scroll down to Settings and update the following:

  • Set Provisioning Status to On.
  • Set Scope to Sync only assigned users and groups. With this scope, only the users and groups that you explicitly assign to the app are provisioned to inSync; the alternative scope would push every user in the directory.

Assign users to the SCIM app

At this stage, you assign the SCIM app to the users and groups that you want to manage in Druva inSync. To assign it to many users at once, assign the app to groups that you have created in Azure AD. All members of an assigned group are assigned the SCIM app, and their accounts are created and managed in Druva inSync.

  1. On the Azure portal homepage, go to All Services > Enterprise Applications and select your Druva SCIM app.
  2. On the App Overview page, select Users and groups under Manage in the left pane.
  3. In the right pane, click +Add User.
  4. On the Add Assignment page, search for and select the users or groups and assign the SCIM app.
    Assign the SCIM app to every user whose account you want to manage in Druva inSync. After assignment, their accounts are created in Druva inSync automatically and configured as per the SCIM mapping.

Audit feature to monitor user provisioning

After you assign a user to the Druva SCIM app, allow some time: Azure AD pushes changes on its provisioning cycle, and users are typically imported 10 to 15 minutes later.

If a user is not imported into inSync Cloud, check the audit logs for the Druva SCIM app under the Provisioning section:

  1. On the Druva SCIM app, click Provisioning.
  2. Click View Audit Logs.

    The log entries are listed. Click an entry to read the reason why the export of that user from Azure AD to inSync succeeded or failed.

The following actions in Azure AD preserve the corresponding user in inSync Cloud:

  • The user is deleted in Azure Active Directory.
  • The user is removed or unassigned from the Druva SCIM app.
  • The user is disabled (Block sign in) in Azure Active Directory.

Removing the user's O365 license does not affect the inSync user; the account remains in the enabled/active state. Do not rely on license removal alone to off-board a user from inSync; one of the actions above is required.

If the username of a user managed using SCIM contains the special characters ?, *, /, \, < or >, they are automatically replaced by _ (underscore).

Overview

This article lists the steps to integrate Microsoft Azure Active Directory (Azure AD) with Druva inSync for managing users using SCIM 2.0.

Pre-requisites

  • You must have configured Druva inSync to manage users using SCIM. For more information, see Configure Druva inSync to manage users using SCIM.
  • Log in to Microsoft Azure as an administrator. You must be either a super administrator or an administrator with the rights to create and manage apps.

Procedure

1: Create a custom SCIM app

Procedure

  1. Log in to the Microsoft Azure Active Directory portal (Azure portal) as an administrator. You must be either a super administrator or an administrator with the rights to create and manage apps.
  2. In the left-hand panel of the Azure AD console, click Azure Active Directory, and then under Manage click Enterprise applications.
  3. On the Enterprise applications > All applications page, click + New application.
  4. On the Add an application page, click Non-gallery application to create a custom SCIM app.
  5. On the Add your own application page, located on the right-hand side, provide a Name for this custom SCIM app and click Add. Example - Druva inSync SCIM app. The App Overview page appears.

The SCIM app is created. Proceed to integrate this SCIM app with Druva inSync.

2: Enable API Integration with Druva inSync

Pre-requisite: the token generated while configuring SCIM in inSync (see Configure Druva inSync to manage users using SCIM).

Procedure

  1. Find and select your SCIM app in the All Services > Enterprise Applications section of the Azure portal.
  2. On the App Overview page, select Provisioning under Manage in the left pane.
  3. On the Provisioning pane, set Provisioning Mode to Automatic.
  4. Under Admin Credentials:
    • In the Tenant URL box, enter the Druva inSync Cloud SCIM endpoint URL, in the format https://apis.druva.com/insync/scim.
    • In the Secret Token box, enter the token that you generated in the inSync Management Console for SCIM-based user management. Azure AD sends this token as a bearer credential with every request, so treat it as a secret.
  5. Click Test Connection to verify that Azure Active Directory can connect to the Druva inSync SCIM endpoint with these credentials.
  6. If the test is successful, click Save.

Proceed to configure the Azure AD Mapping and map the SCIM attributes with the Azure AD attributes.

3. Configure and map the SCIM attributes with the Azure AD attributes in the SCIM app

As an administrator, you can view and edit which user attributes flow between Azure AD and Druva inSync when user accounts are provisioned or updated. The custom SCIM app that you created comes with a set of default base attributes and values. Druva inSync requires only a few mandatory attributes (listed in Step 6 of the following procedure). You should also add or define the custom SCIM attributes that you plan to use in the SCIM mapping to classify the users in Druva inSync.

  • Druva recommends that you delete the SCIM attributes you do not need, so that only the attributes inSync uses are sent to it.
  • The custom attributes that you map in the IdP, except the userPrincipalName custom attribute, are not stored in Druva inSync. Custom attributes are only used to evaluate the SCIM mappings that you create in the Druva inSync Management Console.

Procedure

  1. If you are on the home page of the Azure Portal, find and select your SCIM app in the All Services > Enterprise Applications section.
  2. On the App Overview page, select Provisioning under Manage on the left pane.
  3. Click the Mappings configuration.
  4. On the Attribute Mapping page, enable Synchronize Azure Active Directory Users to <name of your SCIM app>.
  5. Select the following Target Object Actions:
    • Create
    • Update
    • Delete
  6. In the Attribute Mapping section, define the values for the SCIM attributes as listed in the following table. Also add the custom attributes that you want to use in Druva inSync to create a SCIM mapping for classifying users.
    Delete all the other SCIM attributes. For more information on customizing SCIM attributes, see the Azure portal documentation.

The following attributes are mandatory in Druva inSync. Retain them and map each SCIM app attribute to the Azure AD attribute value shown:

  • userName: mail (the value must be in email format).
  • displayName: the value that you want to see as the Display Name of the user in Druva inSync.
  • active: Not([IsSoftDeleted]).
  • externalId: objectId.
  • urn:ietf:params:scim:schemas:extension:Druva:2.0:User:userPrincipalName (custom attribute): userPrincipalName. If this custom attribute is not mapped, the displayName value is populated as the userPrincipalName attribute value in the inSync Management Console.

  1.  On the App Overview page, scroll down to the Settings section and update the following settings:
    • Set Provisioning Status to Yes.
    • Set Scope as Sync only assigned users and groups.

After configuring the SCIM app, assign the SCIM app to users in your organization.

4: Assign users to the SCIM app

The last step of the SCIM app configuration is to assign the SCIM app to the users and groups that you want to manage in Druva inSync.

You can assign the SCIM app to Groups that you have created in Azure AD if you want to bulk assign it to the users. All the users in the group are automatically assigned the SCIM app, and their accounts are created in Druva inSync.

Procedure

  1. If you are on the home page of the Azure Portal, find and select your SCIM app in the All Services > Enterprise Applications section.
  2. On the App Overview page, select Users and groups under Manage on the left pane.
  3. In the right pane, click +Add User.
  4. On the Add Assignment page, search and select the Users or Group of users and assign the SCIM app.

Ensure you assign the SCIM app to every user whose account you want to manage in Druva inSync. After you assign the SCIM app to the users, their accounts are automatically created in Druva inSync and configured as per the SCIM mapping.

Next step

View the user accounts managed using SCIM

inSync administrators can view the accounts created and managed using SCIM in the inSync Management Console.

  • Manage Users page - The Manage Users page lists all the users created and managed in Druva inSync. For more information, see Manage Users page.
  • User Provisioning Report - This report lists the user accounts created and managed using SCIM and also displays information like the account status, profile, and storage assigned to the users. For more information, see User Provisioning Report.

If the username of a user managed using SCIM contains the special characters ?, *, /, \, < or >, they are automatically replaced by a _ (underscore).
