Set Up User Provisioning with Entra-ID (Microsoft)


Date
9th of January 2024

This guide is outdated. Please visit https://help.spreadly.app/en/article/user-provisioning-with-entra-id-10hld2i/ for the latest version.


Creating a SCIM Provisioning application in Microsoft Entra-ID is a straightforward process that significantly enhances the management of user identities in cloud-based applications. In this article, we'll guide you through the steps to set up a SCIM Provisioning application for Spreadly.

Step 1: Create an Enterprise Application

Create an Entra-ID Enterprise Application for Spreadly

First, navigate to the "Applications" section in Entra-ID, and select "Enterprise applications". Here, click on "+ New application" and then choose "+ Create your own application". Name your application "Spreadly" and select the "Non-gallery" option. This step initiates the process of integrating your custom application with Microsoft's identity management solution.

Step 2: Obtain SCIM Secret Token from Spreadly

Obtain SCIM Secret Token from Spreadly

Open the "Team > Members" section in Spreadly to find your SCIM Secret Token. Entra-ID presents this token to Spreadly to authenticate its provisioning requests, so handle it like a password. Copy the token; you'll need it in Step 3.

Step 3: Set Up Provisioning

Set Up Provisioning in Entra-ID

Now, open the newly created enterprise application in Entra-ID and go to "Provisioning > Manage: Provisioning". Set the Provisioning Mode to "Automatic". Enter https://spreadly.app/api/v1/scim as the Tenant URL and paste the Secret Token you copied from Spreadly. To confirm the setup is correct, click "Test connection", then save your settings.

Step 4: Edit Attribute Mappings

Set up SCIM mapping attributes in Entra-ID

In this step, you'll configure how user attributes in Microsoft Entra-ID correspond to those in Spreadly.

| Azure Active Directory Attribute | customappsso Attribute | Matching precedence |
| --- | --- | --- |
| objectId | externalId | 1 |
| userPrincipalName / email | userName | 2 |
| givenName | name.givenName | |
| surname | name.familyName | |
| telephoneNumber | phoneNumbers[type eq "work"].value | |
| mobile | phoneNumbers[type eq "mobile"].value | |
| jobTitle | title | |
| department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User[department] | |
| employeeOrgData.division | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User[division] | |
| companyName | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User[organization] | |
| streetAddress | addresses[type eq "work"][streetAddress] | |
| city | addresses[type eq "work"][city] | |
| postalCode | addresses[type eq "work"][postalCode] | |
| state | addresses[type eq "work"][region] | |
| country | addresses[type eq "work"][country] | |

For a comprehensive list of user attributes, visit https://spreadly.app/en/blog/provisioning-with-scim-20#user-attributes. Provisioning of Groups is not yet supported and should be disabled.

Step 5: Test the Mapping

Test Mapping by provisioning a single user on demand

To verify that your mappings are correct, use the "Provision on demand" feature. Select a user to test the mapping. This step is crucial to ensure that the data flows correctly between Microsoft Entra-ID and Spreadly.
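As an added illustration (not Spreadly's or Microsoft's code), the following Python example builds the SCIM User resource that the Step 4 mapping should produce for one user, so you can compare it with the request shown by "Provision on demand". It assumes a flat dictionary keyed by the source attribute names from the table and treats `mail` as the "email" fallback for userName; the function name and all sample values are constructed.

```python
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Source attribute -> target path, copied from the Step 4 table.
SIMPLE = {
    "objectId": ("externalId",),
    "givenName": ("name", "givenName"),
    "surname": ("name", "familyName"),
    "jobTitle": ("title",),
    "department": (ENTERPRISE, "department"),
    "employeeOrgData.division": (ENTERPRISE, "division"),
    "companyName": (ENTERPRISE, "organization"),
}
PHONES = {"telephoneNumber": "work", "mobile": "mobile"}
ADDRESS = {"streetAddress": "streetAddress", "city": "city",
           "postalCode": "postalCode", "state": "region", "country": "country"}

def to_scim_user(entra):
    """Build the SCIM User the Step 4 mapping yields for one flat Entra-ID record."""
    user = {"schemas": [CORE]}
    # Assumption: "userPrincipalName / email" means UPN first, then mail.
    user_name = entra.get("userPrincipalName") or entra.get("mail")
    if user_name:
        user["userName"] = user_name
    for src, path in SIMPLE.items():
        if not entra.get(src):
            continue  # this example omits unset attributes instead of sending ""
        node = user
        for key in path[:-1]:
            node = node.setdefault(key, {})
        node[path[-1]] = entra[src]
    phones = [{"type": t, "value": entra[s]} for s, t in PHONES.items() if entra.get(s)]
    if phones:
        user["phoneNumbers"] = phones
    work = {dst: entra[src] for src, dst in ADDRESS.items() if entra.get(src)}
    if work:
        user["addresses"] = [{"type": "work", **work}]
    if ENTERPRISE in user:
        user["schemas"].append(ENTERPRISE)  # declare the extension only when used
    return user

# Constructed sample record; every value is made up for illustration.
SAMPLE = {"objectId": "00000000-0000-0000-0000-000000000001",
          "userPrincipalName": "ada@example.com", "givenName": "Ada",
          "surname": "Example", "telephoneNumber": "+1 555 0100",
          "department": "Engineering", "city": "Berlin", "country": "DE"}
if __name__ == "__main__":
    print(json.dumps(to_scim_user(SAMPLE), indent=2))
```

Attributes that appear in the provisioning request but not in this output, or the other way round, point to a mapping row that differs from the table.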

Step 6: Select Users/Groups for Provisioning

Next, manage who will be provisioned by visiting "Manage: Users and groups" in your enterprise application. Here, select the users and groups you expect to be provisioned. This step determines which identities from Microsoft Entra-ID will be managed in Spreadly.

Step 7: Configure Single Sign-On (optional)

Configure Single Sign-On

Finally, set up the Single Sign-On (SSO) feature for a seamless user experience. Under "Manage: Single sign-on," copy the Sign on URL from Spreadly's "Team > Settings." Additionally, upload the Spreadly application logo (download here). For a cleaner user interface, make the default Spreadly App (Application ID: f6f257df-7ac4-4e92-886c-4768649ca097) invisible to users.

We are here for you!

By following these steps, you'll have successfully integrated Spreadly with Microsoft Entra-ID using SCIM provisioning. This integration will streamline the management of user identities and access, enhancing both security and efficiency. If you have any questions, don't hesitate to contact our support.