Configure automatic user and group provisioning with Entra ID via SCIM
This article describes how to configure automatic user and group provisioning with your Entra ID tenant via SCIM.
Configure automatic user and group provisioning with Entra ID via SCIM
With Cerby, you can configure automatic provisioning with Entra ID (formerly Azure AD) using the System for Cross-domain Identity Management (SCIM) specification to manage the creation and synchronization of user accounts and teams based on user and group assignments.
This article describes how to configure both the Cerby enterprise application and Entra ID. When configured, Entra ID automatically provisions and deprovisions users and groups to Cerby using the Entra ID provisioning service. For more information on what this service does, how it works, and frequently asked questions, read the article What is app provisioning in Microsoft Entra ID?
Supported features
The following are the supported features of automatic user and group provisioning with Entra ID:
Push users: Users assigned to the Cerby enterprise application in Entra ID are automatically able to access the Cerby clients (web app, mobile app, and browser extension); they are available to other users in Cerby for account sharing purposes.
Push groups: Users who are members of a group in Entra ID and assigned to the Cerby enterprise application are pushed to Cerby, and this grouping structure and its members are replicated in Cerby as teams.
Remove users in Cerby when they no longer require access.
Keep user attributes synced between Entra ID and Cerby.
Disable or delete users: Disabled or deleted users in Entra ID are automatically detected in Cerby, and their associated access grants in Cerby are removed. In some cases, additional follow-up actions, like password rotation, may occur in Cerby for privileged identities to which the deprovisioned user had access grants.
Reactivate users: Reactivated users in Entra ID will reappear as valid users in Cerby; however, account access grants must be reassigned in Cerby.
Requirements
The following are the requirements to configure automatic user and group provisioning with Entra ID:
IMPORTANT: Make sure you have the automated group provisioning to apps feature included in your Entra ID plan level (P1 or P2 license plan).
An Entra ID tenant. For more information, read the article Quickstart: Set up a tenant
A user account in Entra ID with privileges to configure provisioning, such as the following:
Application Administrator
Cloud Application Administrator
Application Owner
Global Administrator
A user account in Cerby with any of the following roles:
Workspace Owner
Workspace Super Admin
Workspace Admin
The Cerby SAML2-based integration must be set up and deployed. You must have already deployed the integration as part of the article Configure SSO in Cerby with Entra ID via SAML
Users and groups from your directory already assigned to the Cerby enterprise application in Entra ID. You must have done the assignments as part of the article Manage users and group assignments for an application.
A SCIM API authentication token. Follow the instructions in the article Retrieve the SCIM API authentication token from Cerby to copy the token
NOTE: If you need to regenerate the SCIM API authentication token, read the article Regenerate the SCIM API authentication token
Configure automatic provisioning with Entra ID
To configure automatic user provisioning for Azure AD, you must complete the following main steps:
Plan your provisioning deployment
Configure Cerby to support provisioning with Azure AD
Add Cerby from the Entra ID application gallery
Define the scope for provisioning
Configure automatic user provisioning to Cerby
Monitor your deployment
The following sections describe each main step.
1. Plan your provisioning deployment
To plan your provisioning deployment with Entra ID, you must complete the following steps:
Learn about how the provisioning service works. For more information, read the article What is app provisioning in Microsoft Entra ID?
Determine who will be in scope for provisioning. For more information, read the article Scoping users or groups to be provisioned with scoping filters.
Determine what data to map between Entra ID and Cerby. For more information, read the article Tutorial - Customize user provisioning attribute-mappings for SaaS applications in Microsoft Entra ID.
The next step is 2. Configure Cerby to support provisioning with Entra ID.
2. Configure Cerby to support provisioning with Entra ID
Cerby has enabled the provisioning support for Entra ID by default. You must follow the instructions from the article Retrieve the SCIM API authentication token from Cerby to copy the SCIM API authentication token.
The next step is 3. Add Cerby from the Entra ID application gallery.
3. Add Cerby from the Entra ID application gallery
You must add the Cerby enterprise application from the Entra ID application gallery to manage provisioning to Cerby.
You can use the same application if you have previously set up Cerby for SSO. However, we recommend you create a separate app when initially testing the integration. For more information about adding an application from the gallery, read the article Quickstart: Add an enterprise application.
The next step is 4. Define the scope for provisioning.
4. Define the scope for provisioning
The Entra ID provisioning service enables you to scope who will be provisioned based on assignment to the Cerby enterprise application and or based on user and group attributes.
Scope based on assignment: Follow the instructions from the article Manage users and groups assignment to an application to assign users and groups to the application.
Scope based on user and group attributes: Use a scoping filter as described in the article Scoping users or groups to be provisioned with scoping filters.
The following are some recommendations when defining the scope:
Start small. Test with a small set of users and groups before rolling out to everyone:
When the scope for provisioning is set to assigned users and groups, you can start by assigning one or two users or groups to the application.
When the scope is set to all users and groups, you can specify an attribute-based scoping filter, according to the article Scoping users or groups to be provisioned with scoping filters.
If you need additional roles, you can update the application manifest. For more information, read the article Add app roles to your application and receive them in the token.
The next step is 5. Configure automatic user provisioning to Cerby.
5. Configure automatic user and group provisioning to Cerby
To configure automatic user and group provisioning to Cerby, you must complete the following steps:
Log in to your Microsoft Azure account.
Select your Cerby enterprise application by performing the following actions:
Click the Menu (
) icon at the top left of the page. A drop-down menu is displayed.
Select the Microsoft Entra ID option from the drop-down menu. The Overview page is displayed.
Select the Enterprise applications option from the left navigation drawer. The All applications page is displayed.
Select the Cerby option from the list of enterprise applications. The Overview page of your Cerby application is displayed.
Configure automatic provisioning by performing the following actions:
Select the Provisioning option from the Manage section of the left navigation drawer, as shown in Figure 1. The Get started with application provisioning page of the Cerby enterprise application is displayed with an empty state for provisioning.
Figure 1. Overview page of the Cerby application in Entra ID
NOTE: If the connection fails, ensure your Cerby account has the workspace Admin, Owner , or Super Admin role and try again.
4. Click the Attribute mapping (Preview) option in the left navigation menu under the Manage section. The Attribute mapping (Preview) page is displayed. 5. Review the user attributes that are synced between Entra ID and Cerby by performing the following actions: 1. Click the Provision Microsoft Entra ID Users button. The Attribute Mapping page is displayed. 2. Select the Yes option from the Enabled switch. 3. Verify that the attributes and information from Table 1 are configured correctly in the Attribute Mappings section.
NOTE: The attributes selected as Matching precedence properties are used to match the user accounts in Cerby for update operations. If you change the matching target attribute, you must ensure that the Cerby API supports filtering users based on that attribute. For more information, read the article Tutorial - Customize user provisioning attribute-mappings for SaaS applications in Microsoft Entra ID.
6. Enable group provisioning from Entra ID to Cerby by performing the following actions: 1. Click the Provision Microsoft Entra ID Groups button. The Attribute Mapping page is displayed. 2. Select the Yes option from the Enabled switch. 3. Verify that the attributes and information from Table 2 are configured correctly in the Attribute Mappings section. 4. Click the Save button. The Attribute Mapping (Preview) page is displayed again, and a success message box is displayed. 7. Configure the email address for notifications and the scope in the Settings section by performing the following actions: 1. Activate the Properties tab on the page. The Basics page is displayed. 2. Click the Edit (
) option. The Basics side panel is displayed. 3. Enter the email address of the person or group who must receive the provisioning error notifications in the Notification Email field. 4. Select the option from the Scope drop-down list that corresponds to the scoping that you defined in step 4. Define the scope for provisioning.
NOTE: For more information on how to configure scoping filters, read the article Scoping users or groups to be provisioned with scoping filters.
8. Click the Start provisioning button.
NOTE: This configuration starts the initial sync cycle of all users and groups defined in the Scope drop-down list from the Settings section. The initial cycle takes longer to complete than the next cycles, which occur approximately every 40 minutes, as long as the Entra ID provisioning service is running. Any group assigned to the Cerby application in Entra ID is pushed automatically as a team in the corresponding Cerby workspace.
The next step is 6. Monitor your deployment.
6. Monitor your deployment
Monitor your deployment by using the following resources:
Use the provisioning logs to determine which users have been provisioned successfully or unsuccessfully. For more information, read the article What are the Microsoft Entra user provisioning logs?
Verify the progress bar of the provisioning cycle synchronization to see how close it is to completion. For more information, read the article Check the status of user provisioning.
Verify the provisioning configuration health. If it is in an unhealthy state, the application goes into quarantine. For more information about quarantine states, read the article Application provisioning in quarantine status.
Now you are done.
Table 1. User attribute mappings in Entra ID
The following table shows the user attribute mappings you must configure in Entra ID as part of step 5. Configure automatic user provisioning to Cerby:
Cerby attribute
Microsoft Entra ID attribute
Matching precedence
userName
userPrincipalName
1
emails[type eq "work"].value
mail
2
active
Not([IsSoftDeleted])
name.givenName
givenName
name.familyName
surname
externalId
objectId
Table 2. Group attribute mappings in Entra ID
The following table shows the group attribute mappings you must configure in Entra ID as part of step 5. Configure automatic user provisioning to Cerby:
Cerby attribute
Microsoft Entra ID attribute
Matching precedence
displayName
displayName
1
members
members
externalId
objectId
Last updated