Overview
The procedure to integrate Microsoft Azure Active Directory (Azure AD) with inSync to manage users using SCIM 2.0 is described below.
Pre-requisites
inSync is configured to manage users using SCIM. See the Configure inSync to manage users using SCIM section.
You must be a Microsoft Azure super administrator or an administrator account with rights to create and manage apps.
Provision users from Azure AD using SCIM
Steps:
Deploy the Druva SCIM app
Log in to the Microsoft Azure Active Directory Portal (Azure Portal) as an administrator.
From the left panel of the Azure AD console, click Azure Active Directory.
Click All Services > Enterprise applications.
Click +New application.
On the Add an application page, search for Druva.
From the search results, select Druva with Category as Content management.
On the Add your own application page on the right, enter a name for this custom SCIM app and click Add. Example - Druva inSync SCIM app.
The SCIM app is created. The App Overview page appears.
Proceed to integrate this SCIM app with Druva inSync.
Enable API integration with Druva inSync
Pre-requisite: Token generated while configuring inSync SCIM. See Generate Token for SCIM.
On the Azure console, go to All Services > Enterprise Applications section and select your SCIM app.
On the App Overview page, select Provisioning under Manage on the left pane.
On the Provisioning pane, select Provisioning mode as Automatic.
Under the Admin credentials section, specify the field values as defined below:
If you are an inSync Cloud Customer:
Tenant URL: Enter the inSync Cloud End-point URL. Format: https://apis.druva.com/insync/scim
Secret Token: Enter the token that you generated on the inSync Management Console for SCIM-based user management.
If you are an inSync GovCloud Customer:
Tenant URL: Enter the inSync GovCloud End-point URL. Format: https://govcloudapis.druva.com/insync/scim
Secret Token: Enter the token that you generated on the inSync Management Console for SCIM-based user management.
Click Test Connection to verify that Azure AD can connect to the inSync SCIM endpoint with these credentials.
Click Save once the test succeeds.
Proceed to configure the Azure AD Mapping and map the SCIM attributes with the Azure AD attributes.
Map SCIM attributes to Azure AD attributes on the SCIM app
As an administrator, you can view and edit which user attributes flow between Azure AD and inSync when user accounts are provisioned or updated. The Druva SCIM app created earlier comes with the default base attributes and values. inSync requires only a few mandatory attributes (listed in Step 6 of this article). You can also add or define custom SCIM attributes that you plan to use in the SCIM mapping to classify the users in inSync.
The custom attributes that you map in the IdP, except the userPrincipalName attribute, are not stored in inSync. Custom attributes are only used to evaluate the SCIM mappings that you create in the inSync Management Console.
On the homepage of the Azure Portal, find and select your SCIM app in the All Services > Enterprise Applications section.
On the App Overview page, select Provisioning under Manage on the left pane.
Click the Mappings configuration.
On the Attribute Mapping page, enable Synchronize Azure Active Directory Users to <name of your SCIM app>.
Select the following Target Object Actions:
In the Attribute Mapping section:
Add the custom attributes that you want to use in inSync to create a SCIM mapping for classifying users.
The following attributes are mandatory in inSync. Retain them in the Druva SCIM app and create a mapping for each with the corresponding Azure AD attribute value.
💡 Tip
You can map either userPrincipalName or mail to the userName attribute. The userName attribute becomes the email address of the inSync user.
Using UPN as userName (email address in inSync):
| Azure AD attribute | SCIM attributes used in inSync (Druva Attributes) |
| --- | --- |
| userPrincipalName | userName |
| Not([IsSoftDeleted]) | active |
| displayName | displayName |
| objectId | externalId |
Using Email as userName (email address in inSync):
| Azure AD attribute | SCIM app attributes used in inSync (Druva Attribute) |
| --- | --- |
| mail | userName |
| Not([IsSoftDeleted]) | active |
| displayName | displayName |
| objectId | externalId |
Map userPrincipalName attribute
In some environments, you need to import userPrincipalName as an additional attribute, since O365 may be configured to back up on the basis of userPrincipalName. This attribute is not mandatory for user creation in inSync. However, in that scenario userPrincipalName is required for O365 authentication and backup with inSync.
To add userPrincipalName (optional) attribute in the Attribute Mapping:
Select Show advanced options and click the Edit attribute list for Druva link.
On the Edit Attribute List window, set the values as follows, without quotation marks:
Name: urn:ietf:params:scim:schemas:extension:Druva:2.0:User:userPrincipalName
Type: String
Click Save.
Go to Druva App Provisioning.
Click the userPrincipalName attribute and select mail to associate the Azure AD email attribute with the userPrincipalName attribute.
Click Add New Mapping.
Select Source attribute as userPrincipalName and Target attribute as urn:ietf:params:scim:schemas:extension:Druva:2.0:User:userPrincipalName.
Click Save. The attribute appears in the Attribute Mappings.
Map additional attributes (Optional)
In some environments, you may need to import users and map them to different storages/profiles on the basis of a custom attribute value for the user. To achieve this, a filter can be added to the SCIM mapping in inSync. This custom attribute must be mapped in Azure AD as well.
Refer to Create a SCIM Mapping for more details.
To add an attribute (for example, a city or company attribute) in the Attribute Mappings:
Select Show advanced options and click the Edit attribute list for Druva link.
On the Edit Attribute List window, add the attribute with the values set as follows, without quotation marks:
Name: Enter the attribute name, for example City or Company.
Type: String
API Expression: <Name of the additional attribute>
For example, enter the following in the Name field for city, country, or department:
urn:ietf:params:scim:schemas:extension:Druva:2.0:User:city
urn:ietf:params:scim:schemas:extension:Druva:2.0:User:country
urn:ietf:params:scim:schemas:extension:Druva:2.0:User:department
Use the same format and change only the attribute name if you plan to use any attribute other than city, country, or department:
urn:ietf:params:scim:schemas:extension:Druva:2.0:User:<name of desired attribute>
These values must be entered without quotation marks or brackets.
Go to Druva App Provisioning and click Add New Mapping.
On the Edit Attribute window, select Source attribute as city and Target attribute as urn:ietf:params:scim:schemas:extension:Druva:2.0:User:city.
Click Save. The city, country, or department attributes appear in the Attribute Mappings.
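The mapping tables in the previous section and the extension attributes added here together determine the SCIM 2.0 user resource that Azure AD pushes to the inSync endpoint. The following is an added example, written for this article and not code from Druva or Microsoft: it applies those mappings to a constructed Azure AD user record (the UPN table or the Email table, plus any attributes mapped under the Druva extension schema) and checks that the four mandatory inSync attributes are present. The nested layout of extension attributes under their schema URN follows RFC 7643; that the inSync endpoint expects exactly this shape is an assumption, as are the sample values.

```python
"""Added example for this article: build the SCIM 2.0 user resource produced by
the Azure AD attribute mappings described above, and validate the mandatory
inSync attributes. Not Druva's or Microsoft's code. The extension-attribute
layout follows RFC 7643; whether the inSync endpoint accepts exactly this
shape is an assumption."""
import json

CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Extension schema used by the page's mapping targets
# (urn:ietf:params:scim:schemas:extension:Druva:2.0:User:<attribute>).
DRUVA_EXT = "urn:ietf:params:scim:schemas:extension:Druva:2.0:User"
# Mandatory attributes from the mapping tables on this page.
MANDATORY = ("userName", "active", "displayName", "externalId")

# Constructed Azure AD user record; not real tenant data.
AZURE_USER = {
    "userPrincipalName": "asmith@contoso.example",
    "mail": "alice.smith@contoso.example",
    "displayName": "Alice Smith",
    "objectId": "11111111-2222-3333-4444-555555555555",
    "IsSoftDeleted": False,
    "city": "Pune",
    "department": "Finance",
}


def build_scim_user(azure_user, username_source="userPrincipalName",
                    extension_attrs=()):
    """Apply the page's mapping tables to one Azure AD user record.

    username_source: "userPrincipalName" (UPN table) or "mail" (Email table).
    extension_attrs: Azure AD attributes to copy under the Druva extension
    schema, e.g. ("userPrincipalName", "city").
    """
    if username_source not in ("userPrincipalName", "mail"):
        raise ValueError("userName must map from userPrincipalName or mail")
    resource = {
        "schemas": [CORE_SCHEMA],
        "userName": azure_user[username_source],
        # The Not([IsSoftDeleted]) expression from the mapping table.
        "active": not azure_user["IsSoftDeleted"],
        "displayName": azure_user["displayName"],
        "externalId": azure_user["objectId"],
    }
    ext = {name: azure_user[name] for name in extension_attrs
           if name in azure_user}
    if ext:
        # RFC 7643: extension attributes nest under their schema URN, and the
        # URN is listed in "schemas".
        resource["schemas"].append(DRUVA_EXT)
        resource[DRUVA_EXT] = ext
    return resource


def missing_mandatory(resource):
    """Return the names of mandatory inSync attributes that are absent or
    empty in a SCIM resource (a receiving endpoint should reject these)."""
    return [a for a in MANDATORY if resource.get(a) in (None, "")]


if __name__ == "__main__":
    user = build_scim_user(AZURE_USER,
                           extension_attrs=("userPrincipalName", "city"))
    print(json.dumps(user, indent=2))
    print("missing:", missing_mandatory(user))
```

A soft-deleted Azure AD user yields `"active": false`, which is the payload that drives the preserve behaviour described later on this page; the `missing_mandatory` check is the counterpart a receiving endpoint would run before creating an account.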
Start the provisioning status of the Druva app
On the App Overview page, scroll down to Settings and update the following:
Assign users to the SCIM app
At this stage, you assign the SCIM app to the users and groups that you want to manage in inSync. You can assign the SCIM app to Groups that you have created in Azure AD if you want to bulk assign it to the users. All the users in the group are automatically assigned to the SCIM app, and their accounts are created/managed in inSync.
❗ Important
Due to a Microsoft Azure Active Directory limitation, you can assign the SCIM app only to Security Groups.
On the Azure Portal homepage, go to All Services > Enterprise Applications and select your Druva SCIM app.
On the App Overview page, select Users and groups under Manage on the left pane.
In the right pane, click +Add User.
On the Add Assignment page, search for and select the users or group of users and assign the SCIM app to them.
Ensure you assign the SCIM app to every user whose account you want to manage in inSync. After you assign the SCIM app to the users, their accounts are automatically created in inSync and configured as per the SCIM mapping.
Audit feature to monitor user provisioning
After assigning the user to the Druva SCIM app, wait some time: Azure uses push functionality, and users are imported after 10 to 15 minutes.
If a user is not imported into inSync Cloud, check the Audit logs for the Druva SCIM app under the Provisioning section.
Follow these steps to check the Audit logs:
On the Druva SCIM app, click Provisioning.
Click View Audit Logs.
The audit log screen appears. You can click each entry to read the reason for the success or failure of exporting that user from Azure to inSync.
💡 Tip
Preserving users in Azure preserves the user in inSync Cloud.
There are three scenarios in which the inSync user is preserved:
If the user is deleted in Azure Active Directory.
If the user is removed/unassigned from the Druva SCIM app.
If the user is disabled (Block sign in) in Azure Active Directory.
If only the O365 license is removed, the inSync user remains in the enabled/active state.
❗ Important
If the username of a user managed using SCIM contains any of the special characters ?, *, /, \, < or >, they are automatically replaced by _ (underscore).
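Because several distinct characters collapse to the same underscore, two different Azure AD usernames can end up identical in inSync. The following is an added example, written for this article and not Druva's or Microsoft's code: it applies the substitution described above to a set of usernames and reports any that collide afterwards, so the collision can be caught before assigning the SCIM app. It assumes the replacement is a plain one-for-one character substitution and models no other normalization; the sample usernames are constructed.

```python
"""Added example for this article: apply the special-character substitution
described above and detect usernames that become identical after it.
Not Druva's or Microsoft's code; assumes a plain one-for-one substitution."""
import re
from collections import defaultdict

# The characters the page says are replaced: ? * / \ < >
SPECIAL = re.compile(r"[?*/\\<>]")


def insync_username(azure_username):
    """Username as it appears in inSync after the substitution."""
    return SPECIAL.sub("_", azure_username)


def username_collisions(azure_usernames):
    """Group Azure AD usernames by their inSync form and keep only groups
    with more than one source, i.e. names that would clash in inSync."""
    groups = defaultdict(list)
    for name in azure_usernames:
        groups[insync_username(name)].append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample usernames; not real accounts.
SAMPLE = [
    "a/b@contoso.example",
    "a*b@contoso.example",
    "plain@contoso.example",
]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name} -> {insync_username(name)}")
    print("collisions:", username_collisions(SAMPLE))
```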