Setup User Provisioning with Entra-ID (Microsoft)
3 minutes
9th of January 2024
In this article:
- Step 1: Create an Enterprise Application
- Step 2: Obtain SCIM Secret Token from Spreadly
- Step 3: Set Up Provisioning
- Step 4: Edit Attribute Mappings
- Step 5: Test the Mapping
- Step 6: Select Users/Groups for Provisioning
- Step 7: Configure Single Sign-On (optional)
- We are there for you!
This guide is outdated. Please visit https://help.spreadly.app/en/article/user-provisioning-with-entra-id-10hld2i/ for the latest version.
Creating a SCIM Provisioning application in Microsoft Entra-ID is a straightforward process that significantly enhances the management of user identities in cloud-based applications. In this article, we'll guide you through the steps to set up a SCIM Provisioning application for Spreadly.
Step 1: Create an Enterprise Application
First, navigate to the "Applications" section in Entra-ID, and select "Enterprise applications". Here, click on "+ New application" and then choose "+ Create your own application". Name your application "Spreadly" and select the "Non-gallery" option. This step initiates the process of integrating your custom application with Microsoft's identity management solution.
Step 2: Obtain SCIM Secret Token from Spreadly
Access the "Team > Members" section in Spreadly to find your SCIM Secret Token. This token is essential for secure communication between Spreadly and Microsoft Entra-ID. Copy this token as you'll need it in the next steps.
Step 3: Set Up Provisioning
Now, open the newly created enterprise application in Entra-ID and go to "Provisioning > Manage: Provisioning". Set the Provision Mode to "Automatic". Input the Tenant URL as https://spreadly.app/api/v1/scim and enter the Secret Token you previously copied from Spreadly. To ensure the setup is correct, click on "Test connection", then save your settings.
Step 4: Edit Attribute Mappings
In this step, you'll configure how user attributes in Microsoft Entra-ID correspond to those in Spreadly.
| Azure Active Directory Attribute | customappsso Attribute | Matching precedence |
|---|---|---|
| objectId | externalId | 1 |
| userPrincipalName / email | userName | 2 |
| givenName | name.givenName | |
| surname | name.familyName | |
| telephoneNumber | phoneNumbers[type eq "work"].value | |
| mobile | phoneNumbers[type eq "mobile"].value | |
| jobTitle | title | |
| department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User[department] | |
| employeeOrgData.division | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User[division] | |
| companyName | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User[organization] | |
| streetAddress | addresses[type eq "work"][streetAddress] | |
| city | addresses[type eq "work"][city] | |
| postalCode | addresses[type eq "work"][postalCode] | |
| state | addresses[type eq "work"][region] | |
| country | addresses[type eq "work"][country] |
For a comprehensive list of user attributes, visit https://spreadly.app/en/blog/provisioning-with-scim-20#user-attributes. It's important to note that provisioning of Groups is not yet supported and should be disabled.
Step 5: Test the Mapping
To verify that your mappings are correct, use the "Provision on demand" feature. Select a user to test the mapping. This step is crucial to ensure that the data flows correctly between Microsoft Entra-ID and Spreadly.
Step 6: Select Users/Groups for Provisioning
Finally, manage who will be provisioned by visiting "Manage: Users and groups" in your enterprise application. Here, select the users and groups you expect to be provisioned. This step determines which identities from Microsoft Entra-ID will be managed in Spreadly.
Step 7: Configure Single Sign-On (optional)
Finally, set up the Single Sign-On (SSO) feature for a seamless user experience. Under "Manage: Single sign-on," copy the Sign on URL from Spreadly's "Team > Settings." Additionally, upload the Spreadly application logo (download here). For a cleaner user interface, make the default Spreadly App (Application ID: f6f257df-7ac4-4e92-886c-4768649ca097) invisible to users.
We are there for you!
By following these steps, you'll have successfully integrated Spreadly with Microsoft Entra-ID using SCIM provisioning. This integration will streamline the management of user identities and access, enhancing both security and efficiency. If you have any questions don't hesitate to contact our support.
