SCIM Directory Integration with Microsoft Entra ID (formerly Azure AD)

By Nick Bickhart

Configure a SCIM user directory integration with Microsoft Entra ID

Microsoft Entra ID is the new name for Azure AD (Azure Active Directory).

Prerequisites

  • Complete the steps outlined in the SCIM Directory Integration support article to set up a new SCIM user directory in your Kandji tenant. You will need the SCIM access token and the SCIM API URL it provides.
  • Copy and store the token as outlined in the SCIM Directory Integration article. Once you click Done, the token will no longer be visible, and you will need it in a later step.
  • Be sure to review the supported user and group attributes listed in the SCIM Directory Integration article.

Create the SCIM Integration in Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center.
  2. Open the portal menu and then select Identity.
  3. On the Identity menu, under Applications, select Enterprise Applications.
  4. In the Manage section, select All applications.
  5. Select New application. If you have already created a SAML single sign-on application, you can select that application and add SCIM.
  6. Select Create your own application.
  7. Give the application a name.
  8. Select Integrate any other application you don't find in the gallery (Non-gallery).
  9. Click Create.
  10. You will be taken to the Overview page for the newly created app.
  11. Under Manage, select Provisioning.

  12. Click Get started.

  13. For Provisioning Mode, select Automatic.
  14. If the Admin Credentials section doesn't display details, click the reveal triangle to expand it.
  15. Paste the Kandji SCIM API URL that you copied earlier into the Tenant URL field.
  16. Paste the API token that you copied earlier into the Secret Token field.
  17. Click Test Connection. You should see a successful test notification.
  18. In the upper-left corner, click Save.
  19. Expand the Mappings reveal triangle and ensure that both Groups and Users are enabled.

  20. Click the X in the upper-right corner to close the settings.

  21. Click Edit Provisioning.

  22. Expand the Settings reveal triangle.

  23. For Scope, choose Sync only assigned users and groups.

  24. Set the Provisioning Status to On.

  25. Click Save.

  26. Click the X in the upper-right corner to close the settings.

  27. On the Overview page, click the X in the upper-right corner to close the settings.
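Before pasting the values into the Admin Credentials section (steps 15 to 17), you can check the Kandji SCIM API URL and Secret Token yourself with the same kind of read-only request that Entra ID's Test Connection issues. This is an added example, not Kandji's or Microsoft's code; the exact request Entra ID sends is an assumption, as are the KANDJI_SCIM_URL and KANDJI_SCIM_TOKEN environment variable names used to keep the token out of the script.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def build_probe(tenant_url, token):
    """Return (url, headers) for a minimal read-only SCIM request.

    Refuses a non-HTTPS Tenant URL: the Secret Token travels in the
    Authorization header and would otherwise cross the wire in the clear.
    """
    parts = urlsplit(tenant_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SCIM Tenant URL must be an absolute https:// URL")
    if not token or token != token.strip():
        raise ValueError("Secret Token is empty or has stray whitespace")
    url = tenant_url.rstrip("/") + "/Users?startIndex=1&count=1"
    headers = {
        "Authorization": "Bearer " + token,
        "Accept": "application/scim+json",
    }
    return url, headers

def classify(status, body):
    """Map an HTTP status and body to the outcome Test Connection would show."""
    if status in (401, 403):
        return "rejected: check the Secret Token"
    if status != 200:
        return "unexpected HTTP status %d" % status
    try:
        data = json.loads(body)
    except ValueError:
        return "not JSON: check the Tenant URL"
    if SCIM_LIST not in data.get("schemas", []):
        return "not a SCIM ListResponse: check the Tenant URL"
    return "ok"

def probe(tenant_url, token):
    """Send the probe and classify the reply; never prints the token."""
    url, headers = build_probe(tenant_url, token)
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())

if __name__ == "__main__":
    # Assumed variable names; the real values come from your Kandji tenant.
    print(probe(os.environ["KANDJI_SCIM_URL"], os.environ["KANDJI_SCIM_TOKEN"]))
```

A result of "ok" means the URL answers with a SCIM ListResponse for the bearer token, which is what a successful Test Connection confirms; any other result points at the value to recheck.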

Assign Users and Groups

  1. Under Manage, select Users and Groups.

  2. On the menu, select Add user/group.

  3. On the Add Assignment dialog, select the link under Users and groups.
  4. A list of users and security groups is displayed. You can search for a specific user or group or select multiple users and groups that appear in the list.
  5. After you have selected your users and groups, select Select.

    If you see the message below, a free tier is in use, which means you can add only users (not groups) to the Passport Enterprise App.

  6. Select Assign to finish assigning users and groups to the app.

  7. Confirm that the users and groups you added appear in the Users and groups list.

Considerations

Syncing

User syncing is one-way: the Microsoft Entra ID SCIM app sends user information to Kandji, and only when there is new information to send.
If a user or group is added to the SCIM app in Microsoft Entra ID after the app was created, a sync happens every 40 minutes (an interval set by Microsoft Entra ID). If you want the sync to happen sooner, you can stop and restart provisioning in the SCIM app in Microsoft Entra ID. This does not affect existing users or groups in Kandji.

Assignment Rules

If you use Assignment Rules with groups, you must explicitly add each group you want provisioned in Kandji to the SCIM app; groups will not sync automatically if you add only the user.