How to enable Azure AD for SCIM provisioning

➕ Premium feature! This feature will be a paid addition. Reach out to your customer success manager for more information.

You can automate the process of provisioning and deprovisioning your Azure Active Directory (AD) users and groups in Atlan with System for Cross-domain Identity Management (SCIM).

To enable Azure AD for SCIM provisioning, complete the following steps.

💪 Did you know? For any questions about SCIM provisioning, head over here.

Prerequisites

Retrieve SCIM token in Atlan

🤓 Who can do this? You will need your Atlan admin to complete these steps; you may not have access yourself. You will also need inputs and approval from your Azure AD administrator.

You will need to generate a SCIM token in Atlan for authentication in Azure AD.

To retrieve the SCIM token, within Atlan:

  1. From the left menu on any screen, click Admin.
  2. Under the Workspace heading, click SSO.
  3. On the Single Sign on page for Azure AD, under Overview, navigate to Automate Provisioning with SCIM and toggle it on.
  4. Under SCIM token, click the + Generate token button to create a SCIM token.
  5. In the SCIM token generated dialog, click the Copy button to copy the SCIM token and store it in a secure location.

🚨 Careful! The SCIM token is displayed only once, immediately after it has been generated; you cannot retrieve it later.

Enable SCIM provisioning in Azure AD

🤓 Who can do this? You will need your Azure AD administrator to complete these steps; you may not have access yourself. You will also need inputs and approval from your Atlan admin.

You can enable SCIM provisioning in Azure AD to automatically sync your users and groups to Atlan.

Configure SCIM provisioning in Azure AD

To configure SCIM provisioning, within Azure AD:

  1. Log in to your Azure portal and search for and select Azure Active Directory.
  2. From the left menu under Manage, select Enterprise applications.
  3. From the All applications page, select the SAML application you created to configure SSO in Atlan.
  4. In the left menu of your application page, under Manage, click Provisioning.
  5. From the Provisioning mode dropdown, click Automatic.
  6. Under Admin credentials, enter the following details:
    1. For Tenant URL, enter your Atlan tenant URL in the following format: https://<your-tenant-dns>/api/service/scim.
    2. For Secret Token, enter the SCIM token you copied in Atlan.
    3. Click the Test connection button to confirm connectivity to Atlan.
  7. When successful, in the top right, click Save to save the configuration.
  8. In the Mappings section, verify that Provision Azure Active Directory Groups and Provision Azure Active Directory Users are enabled. Under Mappings:
    1. Click Provision Azure Active Directory Groups, and under Attribute Mappings, define the following mappings from Azure AD on the left to Atlan on the right:
      • displayName → displayName (note that this field is currently unsupported in Atlan)
      • objectId → externalId
      • members → members
    2. Click Provision Azure Active Directory Users, and under Attribute Mappings, define the following mappings from Azure AD on the left to Atlan on the right:
      • mailNickname → userName (if the username is not mapped, the default username will be the UserPrincipalName (UPN))
      • Switch([IsSoftDeleted], , "False", "True", "True", "False") → active
      • displayName → displayName
      • mail → emails[type eq "work"].value
      • givenName → name.givenName
      • surname → name.familyName
      • objectId → externalId
    3. To save any changes, click Save.
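As an added example (not Atlan's or Microsoft's code) of what the attribute mappings in step 8 produce: the script below applies those mappings to a constructed Azure AD record and builds the SCIM 2.0 User and Group payloads that Azure AD would send to the Atlan SCIM endpoint. The schema URNs are the standard SCIM core ones; the Azure AD attribute names and all sample values are assumptions.

```python
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"


def active_from_soft_deleted(is_soft_deleted):
    """Switch([IsSoftDeleted], , "False", "True", "True", "False"):
    "False" -> active true, "True" -> active false, anything else -> unset."""
    return {"False": True, "True": False}.get(str(is_soft_deleted))


def map_user(ad_user: dict) -> dict:
    """Build a SCIM User from an Azure AD user with the mappings listed above.
    userName falls back to the UPN when mailNickname is not present."""
    scim = {
        "schemas": [SCIM_USER],
        "externalId": ad_user["objectId"],
        "userName": ad_user.get("mailNickname") or ad_user["userPrincipalName"],
        "displayName": ad_user.get("displayName"),
        "name": {"givenName": ad_user.get("givenName"),
                 "familyName": ad_user.get("surname")},
    }
    active = active_from_soft_deleted(ad_user.get("IsSoftDeleted"))
    if active is not None:
        scim["active"] = active
    if ad_user.get("mail"):
        # mail -> emails[type eq "work"].value
        scim["emails"] = [{"type": "work", "value": ad_user["mail"]}]
    return scim


def map_group(ad_group: dict, member_ids: list) -> dict:
    """Build a SCIM Group; members holds the SCIM ids of provisioned users."""
    return {
        "schemas": [SCIM_GROUP],
        "externalId": ad_group["objectId"],
        "displayName": ad_group["displayName"],
        "members": [{"value": m} for m in member_ids],
    }


# Constructed sample Azure AD user record (not real tenant data).
SAMPLE_USER = {
    "objectId": "11111111-2222-3333-4444-555555555555",
    "mailNickname": "jdoe", "userPrincipalName": "jdoe@example.com",
    "IsSoftDeleted": "False", "displayName": "Jane Doe",
    "mail": "jane.doe@example.com", "givenName": "Jane", "surname": "Doe",
}
```

Note that a soft-deleted user is sent as active=false rather than being deleted, which is what lets Atlan deprovision the account without losing its audit history.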

Provision users and groups

🚨 Careful! You will need to assign users or groups to Atlan from Azure AD before you can provision them. You will also need to configure group mapping to sync mapped groups from Azure AD to Atlan. For any new groups created in Azure AD, you will first need to map the groups in Atlan to sync them through SCIM provisioning.

After you have enabled SCIM provisioning and assigned users and groups to Atlan in Azure AD, you can provision them to Atlan. In Azure AD, users and groups can be provisioned in two ways: a provisioning cycle and on-demand provisioning.

Note the following:

  • The username and email address of new and existing users cannot be changed once users have been provisioned to Atlan.
  • If provisioning any users that already exist in Atlan, ensure that their Azure AD credentials match the existing credentials in Atlan for provisioning to be successful.

To provision users and groups, within Azure AD:

  1. Log in to your Azure portal and search for and select Azure Active Directory.
  2. From the left menu under Manage, select Enterprise applications.
  3. From the All applications page, select the SAML application you created to configure SSO in Atlan.
  4. In the left menu of your application page, under Manage, click Provisioning and select a provisioning method:
    • To enable provisioning cycle, in the upper left of the Overview page, click Start provisioning and toggle the Provisioning Status to On.
    • To enable on-demand provisioning, from the left menu, click Provision on demand. To provision users or groups on demand:
      • For Select a user or group, search for and select a user or group.
      • At the bottom of the screen, click Provision. Repeat the steps for every user or group you want to provision.

Once you have enabled SCIM provisioning, Azure AD will automatically provision and update user accounts in Atlan. The sync typically runs every 40 minutes, so it may take up to 40 minutes for user provisioning to be completed in Atlan.

💪 Did you know? There are known limitations to on-demand provisioning in Azure AD.
