SCIM Directory Integration - Microsoft Entra ID (formerly Azure AD)

By Chad Satterfield

Configure a SCIM user-directory integration with Microsoft Entra ID

Note: Microsoft Entra ID is the new name for Azure AD (Azure Active Directory)

Before You Begin

  • Complete the steps outlined in the SCIM Directory Integration support article to set up a new SCIM user directory in your Kandji instance. You will need to obtain the SCIM access token and API URL.
  • Copy and store the token provided as outlined in the SCIM Directory Integration article. The token will not be visible once you click Done and will be required in a later step.
  • Be sure to review the supported user and group attributes listed in the SCIM Directory Integration.

Create the SCIM Integration in Microsoft Entra ID

  1. Sign in to portal.azure.com.
  2. Open the menu in the top left corner.
  3. Select Microsoft Entra ID.
  4. In the Manage section, select Enterprise applications
  5. Select New application, or if you have already created a SAML single sign-on application, you can select that application and add SCIM.
  6. Select Create your own application.
  7. Give the application a name.
  8. Select Integrate any other application you don't find in the gallery (Non-gallery).
  9. Click Create.
  10. You will be taken to the Overview page for the newly created app.
  11. In the left-hand navigation, select Provisioning.
  12. Click Get started.
  13. For Provisioning Mode, select Automatic.
  14. If the Admin Credentials section doesn't display details, click the reveal triangle to expand it.
  15. Paste the Kandji SCIM API URL that you copied earlier into the Tenant URL field.
  16. Paste the API token that you copied earlier into the Secret Token field.
  17. Click Test Connection. You should see a successful test notification.
  18. In the upper-left corner, click Save, then click the X in the upper-right corner to close the settings.R1VHmIGhlMnxr5sCLqP15_HN9xFJTWlUfQ
  19. Once back in the Provisioning overview, click Edit provisioning.
  20. Expand the Mappings reveal triangle and ensure that both Groups and Users are enabled.

Note: if you are on the free tier of Microsoft Entra ID, group assignment is not supported.
  1. Expand the Settings reveal triangle.

  2. For Scope, choose Sync only assigned users and groups.

  3. Set the Provisioning Status to On.

  4. Click Save, then click the X in the upper-right corner to close the settings.FCe05pTOz2UhKGA7PsWScTgJX8UGn9bDvw

  5. Select Users and groups in the left sidebar, click Add user/group and add the users or groups you want to provision in Kandji. If you are using the free Microsoft Entra ID tier, you will only assign users to the app.

  6. In Kandji, click the Users module in the left sidebar, then click Users Without Devices. If Kandji does not display users, go back to the SCIM app in Microsoft Entra ID, click Stop provisioning, then click Start provisioning.

Syncing
User syncing is one-way, meaning the Microsoft Entra ID SCIM app will send user information to Kandji only when there is new information to be sent. Therefore, a Sync Now option is not available in the web app.
If a user or group is added to the SCIM app in Microsoft Entra ID after the app was created, a sync will happen every 40 minutes (set by Microsoft Entra ID). If you want the sync to happen sooner, you can stop/start the provisioning in the SCIM app on the Microsoft Entra ID. This will not impact existing users/groups in Kandji.
Assignment Rules
If you are going to be using assignment rules with groups, you will need to explicitly add each group you want to have provisioned in Kandji to the SCIM app, otherwise groups will not come over automatically if you are adding just the user.