Set up SCIM with Azure

This topic walks you through the process of setting up SCIM in Microsoft Azure.

Prerequisites:

Before you begin, you must complete the following prerequisite tasks:

  • Set up SSO with Azure. You must configure SSO before you start setting up SCIM.
  • Define the groups in Alida to map to your Azure groups.
  • Generate an authentication token. Ensure that you have access to the following settings from the Alida User Auto-Provisioning page:
    • Base URL: The Alida SCIM API endpoint URL.
    • Token: The API token for authentication with the Alida SCIM API endpoints.
Important: Users will not be able to sign in to Alida while the initial provisioning process is running. Plan your user auto-provisioning roll-out at a time that minimizes user impact.
  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Under Azure services, click Enterprise applications.
  3. Click the name of the SSO application you created for Alida.
  4. Select Manage > Provisioning in the left menu.
  5. Configure your authentication credentials for connecting to the Alida SCIM API:
    1. Select Manage > Provisioning again in the left menu.
    2. In the Provisioning Mode drop-down list, select Automatic.
    3. Click Admin Credentials to expand the section.
    4. In the Authentication Method drop-down list, confirm that Bearer Authentication is selected.
    5. In the Tenant URL text box, paste the Alida Base URL value.
      This is the Base URL value displayed in the Authentication Credentials section on the User Auto-Provisioning page in Alida.
    6. In the Secret Token text box, paste the Alida Token value.
      This is the token you previously generated in the User Auto-Provisioning page in Alida.
    7. Click Test Connection.
      You should see a success notification confirming that Microsoft Entra can communicate with Alida. If it fails, double-check your URL and token.
    8. Click Save at the top of the page.
  6. Configure attribute mappings to define how attributes are synchronized between Microsoft Entra ID and Alida:
    1. Click Mappings to expand the section.
      The Mappings section is not displayed until after you save your Admin credentials.
    2. Click Provision Microsoft Entra ID Groups.
    3. Under Target Object Actions, deselect the Create and Delete checkboxes.
      The Update checkbox must be selected.
    4. In the Attribute Mappings table, click Edit next to the displayName attribute.
    5. In the Mapping Type drop-down list, select Expression.
    6. In the Expression text box, enter an expression that maps the SCIM groups defined in Alida to the groups in Microsoft Entra.
      Use the Switch() function, which has the following syntax:
      Switch(<source>, <defaultValue>, <key1>, <value1>, <key2>, <value2>, ...)
      For example:
      Switch([displayName], "Analyst", "ResearchAdmin", "Admin", "Researcher", "PowerUser")
      Note: If you need to use a more complex expression, you can select the Show advanced options checkbox at the bottom of the Attribute Mapping page and then click Use the expression builder for assistance with building and verifying the expression.
    7. Optional: In the Default value if null text box, enter Analyst.
      This ensures that users will be assigned to the group with the lowest level of access if the Expression returns a null value.
    8. Click Ok to save the expression.
    9. Click Save at the top of the page to save your attribute mapping configuration.
    10. In the Save changes dialog, click Yes.
    11. Click close in the top right of the page.
  7. Turn on provisioning:
    1. Click Settings to expand the section.
    2. In the Scope drop-down list, ensure that Sync only assigned users and groups is selected.
    3. Set the Provisioning Status toggle to On.
    4. Click Save at the top of the page.
Provisioning will begin. The initial cycle can take some time depending on the number of users assigned.
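
The Switch() mapping from step 6 can be checked offline before provisioning is turned on. The following Python script is an added example, not part of Alida's or Microsoft's tooling: it parses the expression form shown above and reports which group names fall through to the default value. The Entra group names are constructed sample data, and exact-string key matching is an assumption.

```python
import re

# Matches the Switch() form shown on this page: a [source] attribute followed
# by double-quoted string literals. Other expression functions are out of scope.
_SWITCH = re.compile(r'^\s*Switch\(\s*\[(\w+)\]\s*((?:,\s*"[^"]*"\s*)+)\)\s*$')


def parse_switch(expr):
    """Return (source_attribute, default_value, {key: value}) for a Switch() expression."""
    m = _SWITCH.match(expr)
    if not m:
        raise ValueError("not a Switch([attr], \"literal\", ...) expression")
    literals = re.findall(r'"([^"]*)"', m.group(2))
    default, pairs = literals[0], literals[1:]
    if len(pairs) % 2:
        raise ValueError("keys and values must come in pairs; %r has no value" % pairs[-1])
    keys, values = pairs[0::2], pairs[1::2]
    if len(set(keys)) != len(keys):
        raise ValueError("duplicate key in expression")
    return m.group(1), default, dict(zip(keys, values))


def audit(expr, entra_groups, lowest_privilege):
    """Evaluate expr for each group name; report targets and fall-throughs."""
    _, default, mapping = parse_switch(expr)
    # Assumption: keys are compared as exact strings, so a differently cased
    # or misspelled group name falls through to the default value.
    resolved = {g: mapping.get(g, default) for g in entra_groups}
    return {
        "resolved": resolved,
        "fell_through": [g for g in entra_groups if g not in mapping],
        "default_is_lowest": default == lowest_privilege,
    }


# The expression from this page, with constructed Entra group names.
EXPR = 'Switch([displayName], "Analyst", "ResearchAdmin", "Admin", "Researcher", "PowerUser")'
SAMPLE_GROUPS = ["ResearchAdmin", "Researcher", "researchadmin", "Contractors"]

if __name__ == "__main__":
    report = audit(EXPR, SAMPLE_GROUPS, lowest_privilege="Analyst")
    for name, target in report["resolved"].items():
        print("%-14s -> %s" % (name, target))
    print("fell through to default:", report["fell_through"])
    print("default is lowest privilege:", report["default_is_lowest"])
```

Replace SAMPLE_GROUPS with the display names of the groups assigned to the enterprise application, and review every name listed under "fell through" before setting Provisioning Status to On.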