SCIM Integration with Azure Active Directory (new)

Here is a quick demo of how it works with Azure.

1. Create a new Enterprise Application

Azure AD supports User and Group provisioning via SCIM v2.0 for Azure Enterprise Apps. So, the first step is to create an Enterprise App Registration in your Azure AD.

1.1. Sign in to the Azure portal. Open the Azure Dashboard and select Azure Active Directory from the resource blade or the left-hand dropdown menu.

1.2. Select Enterprise applications from the left-hand menu.

1.3. Click New application from the top menu, then Create your own application.

1.4. Enter the name of your application and select non-gallery app.

1.5. Click Create.

2. SCIM provisioning settings

2.1. Open the enterprise application you just created (if not currently opened).

2.2. Click either Provisioning from the left-hand menu or select Provisioning Users Accounts from the Getting Started screen and then click Get started.

2.3. The Provisioning pane appears. Get the SCIM API URL and Bearer token on the Jira/Confluence/Bitbucket side, for example:

2.4. Fill in the Provisioning settings form, Admin Credentials section. Select Automatic for Provisioning Mode:

Then hit Test Connection. Once the connection test has succeeded, hit Save. You will then be given 2 more sections for configuration: Mappings and Settings.

Successful test connection: everything is good, and Azure AD can communicate with the SCIM service. At this stage, we can see on the Jira/Confluence/Bitbucket side a test request from Azure recorded in the Audit Log:

Unsuccessful test connection:

  • Check the domain and path are correct.

  • Check the Secret Token value and make sure it is correct.
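The two checks above can be run outside the portal before retrying Test Connection. The following is an added example, not code from the original page or from the SCIM app's vendor: it sends a filtered /Users lookup for a user name that does not exist and maps the reply onto "wrong URL" or "wrong token". It assumes the SCIM service follows RFC 7644 (HTTP 401/403 for a rejected token, a ListResponse body on success); the host name, the token and the function names are hypothetical.

```python
import json, uuid
import urllib.error, urllib.parse, urllib.request

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def http_get(url, headers):
    """Default transport: (status, body); status 0 means no HTTP response at all."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a status and body
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError:           # DNS, TCP or TLS failure
        return 0, ""

def diagnose(status, body):
    """Map a response onto the two troubleshooting checks of step 2.4."""
    if status == 0:
        return "url: host unreachable, check the domain"
    if status in (401, 403):
        return "token: Secret Token rejected, copy it again from the SCIM app"
    if status == 404:
        return "url: path not found, check the SCIM API URL path"
    if status != 200:
        return f"server: unexpected HTTP {status}"
    try:
        is_list = LIST_RESPONSE in (json.loads(body).get("schemas") or [])
    except (ValueError, AttributeError, TypeError):  # HTML login page, proxy error, ...
        return "url: HTTP 200 but the body is not SCIM JSON"
    return "ok" if is_list else "url: JSON is not a SCIM ListResponse"

def check_scim_endpoint(base_url, token, send=http_get):
    """Probe <base_url>/Users for a random, non-existent user name."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        return "url: must be an absolute https:// URL (the token travels in a header)"
    probe = urllib.parse.quote(f'userName eq "{uuid.uuid4()}"')
    url = f"{base_url.rstrip('/')}/Users?filter={probe}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    return diagnose(*send(url, headers))

if __name__ == "__main__":
    # Constructed responses standing in for a real Jira/Confluence/Bitbucket SCIM service.
    empty = json.dumps({"schemas": [LIST_RESPONSE], "totalResults": 0, "Resources": []})
    for name, reply in [("good", (200, empty)), ("bad token", (401, "")), ("bad path", (404, ""))]:
        print(name, "->", check_scim_endpoint("https://jira.example.test/scim/v2",
                                               "PLACEHOLDER-TOKEN", send=lambda u, h: reply))
```

To probe a live service, call check_scim_endpoint with the real SCIM API URL and token and omit the send argument; keep the token out of shell history and logs.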

2.5. Provisioning settings form, Mappings section.

Azure automatically adds two default mappings to our enterprise application: Groups and Users:

2.6. User mappings

Click on Provision Azure Active Directory Users to configure the user mappings (figure above). Ensure that User Mapping is Enabled and the Source Object is set to User. For a full provisioning service, make sure that Create, Update and Delete are activated from the Target Object Actions settings. Delete mappings for unavailable fields in Jira/Confluence/Bitbucket under the Attribute Mappings section. Click Save when you've finished.

2.7. Group Mappings

Click on Provision Azure Active Directory Groups to configure the group mappings. Ensure that Group Mapping is Enabled and the Source Object is set to Group. For a full provisioning service, make sure that Create, Update and Delete are activated from the Target Object Actions settings. Adjust Mappings. Click Save when you've finished.

3. Test your configuration

3.1. Assigning users and groups

  1. To provision or de-provision users and groups, they need to be assigned to the enterprise app. To do so, go to the Overview section of your SCIM enterprise application.

  2. Select Users and Groups from the left-hand navigation.

  3. Click Add users/groups from the top navigation bar.

  4. Search for users and/or groups you would like to add to this application and select them.

  5. Click Assign.

3.2. Start provisioning

  1. Once you have assigned a user to your custom Azure app, return to the Provisioning page of your SCIM App.

  2. Select Provision on-demand or Start provisioning from the top navigation bar.

3.3. Check the Jira (Confluence/Bitbucket) info