This article describes the steps required to configure Azure Active Directory (AAD) to synchronise users and groups into Buttonwood Central using SCIM.
SCIM (System for Cross-Domain Identity Management) is a standard used to automate the exchange of identity provider information across different identity domains.
Buttonwood utilises this standard to enable organisations to centrally manage their users and groups from their chosen identity provider, and have properties of selected users and groups synchronised to Buttonwood.
This process ensures that identity management is performed at the source of truth and streamlines the addition, modification, and deletion of users and groups.
Create an Azure AD Enterprise Application
This section details the steps required to create the Azure AD Enterprise Application which will hold the SCIM configuration for Buttonwood Central.
Prerequisites
- Administrative access to the Azure Portal
- Buttonwood tenant configured for SCIM, with the following attributes noted:
  - SCIM Endpoint
  - Organisation API Key
Procedure Steps
- Log in to the Azure Portal: https://portal.azure.com
- Navigate to Azure Active Directory
- Select Enterprise Applications
- Click New Application
- Select Non-gallery application
- In the Add your own application blade, enter the following information:
  - Name: A name for the application
- Click Add
- Once the application has completed provisioning, its properties screen is displayed
- From the Manage sub-menu, select Provisioning
- For the Provisioning Mode, select Automatic
- In the Admin Credentials section, enter the following information:
  - Tenant URL: The SCIM Endpoint URL as noted when enabling the feature in Buttonwood Central
  - Secret Token: The Organisation API Key as noted when enabling the feature in Buttonwood Central
- Click Test Connection
- A notification displays the status of the test
- Click Save
Configure Group Synchronisation Mappings
This section details the steps required to configure the mapping of group attributes when synchronising users from Azure Active Directory to Buttonwood Central.
Note: Please ensure that mappings are configured as described, as the synchronisation process will fail if fields are incorrectly mapped or remain unmapped.
Prerequisites
- Administrative access to the Azure Portal
- An Azure Active Directory Application created and configured for SCIM with Buttonwood Central credentials
Procedure Steps
- Log in to the Azure Portal: https://portal.azure.com
- Navigate to Azure Active Directory
- Select Enterprise Applications
- Select the Enterprise Application configured in the procedure above
- From the Manage sub-menu, select Provisioning
- In the Mappings section, select Synchronize Azure Active Directory Groups to customappsso
- For the Enabled option, select Yes
Note: Leave this disabled if Azure AD groups do not need to be synchronised to Buttonwood Central
- For the Target Object Actions option, select the following:
  - Create
  - Update
  - Delete
- Create the following mappings
| Mapping Type | Source Attribute | Default Value | Target Attribute | Match Object | Precedence | Apply this mapping |
| --- | --- | --- | --- | --- | --- | --- |
| Direct | objectId | <blank> | externalId | Yes | 1 | During creation |
| Direct | displayName | <blank> | displayName | No | - | Always |
| Direct | members | <blank> | members | No | - | Always |

- Click Save
Configure User Synchronisation Mappings
This section details the steps required to configure the mapping of user attributes when synchronising users from Azure Active Directory to Buttonwood Central.
Note: Please ensure that mappings are configured as described, as the synchronisation process will fail if fields are incorrectly mapped or remain unmapped.
Prerequisites
- Administrative access to the Azure Portal
- An Azure Active Directory Application created and configured for SCIM with Buttonwood Central credentials
Procedure Steps
- Log in to the Azure Portal: https://portal.azure.com
- Navigate to Azure Active Directory
- Select Enterprise Applications
- Select the Enterprise Application configured in the procedure above
- From the Manage sub-menu, select Provisioning
- In the Mappings section, select Synchronize Azure Active Directory Users to customappsso
- For the Enabled option, select Yes
Note: Leave this disabled if Azure AD users do not need to be synchronised to Buttonwood Central
- For the Target Object Actions option, select the following:
  - Create
  - Update
  - Delete
- Create the following mappings
| Mapping Type | Source Attribute | Default Value | Target Attribute | Match Object | Precedence | Apply this mapping |
| --- | --- | --- | --- | --- | --- | --- |
| Direct | objectId | <blank> | externalId | Yes | 1 | During creation |
| Expression | Switch([IsSoftDeleted], , "False", "True", "True", "False") | <blank> | active | No | - | Always |
| Direct | mail | <blank> | emails[type eq "work"].value | No | - | Always |
| Direct | userPrincipalName | <blank> | userName | No | - | Always |
| Direct | givenName | <blank> | name.givenName | No | - | Always |
| Direct | surname | <blank> | name.familyName | No | - | Always |
| Expression | Join(" ", [givenName], [surname]) | <blank> | name.formatted | No | - | Always |
| Direct | mobile | <blank> | phoneNumbers[type eq "mobile"].value | No | - | Always |

- Click Save
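
The user mappings above, applied to a constructed directory object, as an added example that is not Buttonwood's or Microsoft's code: it builds the SCIM User resource the mappings describe and rejects a malformed target attribute, the kind of error the note in this section says makes synchronisation fail. The sample user, the function names, the omission of empty source attributes and the conversion of `active` to a boolean are assumptions of this sketch.

```python
import re

# Target paths of the form  attr[key eq "val"].sub  (e.g. emails[type eq "work"].value)
FILTERED = re.compile(r'^(\w+)\[(\w+) eq "([^"]+)"\]\.(\w+)$')
SIMPLE = re.compile(r'^\w+(\.\w+)?$')  # externalId, name.givenName

def switch_active(is_soft_deleted):
    # Switch([IsSoftDeleted], , "False", "True", "True", "False"): inverts the flag,
    # empty default. Returned as a bool because SCIM defines `active` as boolean.
    return {"False": True, "True": False}.get(str(is_soft_deleted))

# (target attribute, function of the source object), one entry per mapping row
USER_MAPPINGS = [
    ("externalId", lambda u: u.get("objectId")),
    ("active", lambda u: switch_active(u.get("IsSoftDeleted"))),
    ('emails[type eq "work"].value', lambda u: u.get("mail")),
    ("userName", lambda u: u.get("userPrincipalName")),
    ("name.givenName", lambda u: u.get("givenName")),
    ("name.familyName", lambda u: u.get("surname")),
    # Join(" ", [givenName], [surname])
    ("name.formatted", lambda u: " ".join(x for x in (u.get("givenName"), u.get("surname")) if x)),
    ('phoneNumbers[type eq "mobile"].value', lambda u: u.get("mobile")),
]

def set_path(resource, path, value):
    """Write value at a SCIM target path; reject paths in no supported form."""
    m = FILTERED.match(path)
    if m:
        attr, key, want, sub = m.groups()
        resource.setdefault(attr, []).append({key: want, sub: value})
    elif SIMPLE.match(path):
        parent, _, sub = path.partition(".")
        if sub:
            resource.setdefault(parent, {})[sub] = value
        else:
            resource[path] = value
    else:
        raise ValueError(f"malformed target attribute: {path!r}")

def to_scim_user(aad_user, mappings=USER_MAPPINGS):
    resource = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for target, source in mappings:
        value = source(aad_user)
        if value not in (None, ""):  # sketch choice: omit empty source attributes
            set_path(resource, target, value)
    return resource

# Constructed sample object, not real directory data
ALICE = {"objectId": "00000000-0000-0000-0000-000000000001", "IsSoftDeleted": False,
         "mail": "alice@example.com", "userPrincipalName": "alice@example.com",
         "givenName": "Alice", "surname": "Example"}
```

With `IsSoftDeleted` set to true, the same user comes out with `active` set to false.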
Selecting Users and Groups to Provision
This section details the steps required to select groups and users to synchronise from Azure Active Directory to Buttonwood Central.
Use this procedure in conjunction with the Provisioning Scope option to ensure that only selected users and groups are synchronised, rather than all users and groups.
Prerequisites
- Administrative access to the Azure Portal
- An Azure Active Directory Application created and configured for SCIM with Buttonwood Central credentials
Procedure Steps
- Log in to the Azure Portal: https://portal.azure.com
- Navigate to Azure Active Directory
- Select Enterprise Applications
- Select the Enterprise Application configured in the procedure above (e.g. Buttonwood - SCIM)
- From the Manage sub-menu, select Users and groups
- Click Add User
Note: This option also applies to groups
- In the Add Assignment blade, select the required users and groups
- Click Assign
- Once provisioning is started, Azure Active Directory will commence synchronisation of the selected users and groups into Buttonwood Central
Note: Synchronised users will automatically receive activation emails
Starting Provisioning
This section details the steps required to start provisioning services, which synchronises users and groups from Azure Active Directory to Buttonwood Central.
Prerequisites
- Administrative access to the Azure Portal
- An Azure Active Directory Application created and configured for SCIM with Buttonwood Central credentials
- Group and/or User synchronisation mappings configured
Procedure Steps
- Log in to the Azure Portal: https://portal.azure.com
- Navigate to Azure Active Directory
- Select Enterprise Applications
- Select the Enterprise Application configured in the procedure above - this example uses Buttonwood SCIM
- From the Manage sub-menu, select Provisioning
- In the Settings section, select the following options:
  - Provisioning Status: On
  - Scope: Sync only assigned users and groups
    This ensures that only selected users and groups are synchronised to Buttonwood Central, instead of all users and groups
- Click Save
Stopping Provisioning
This section details the steps required to stop provisioning services, which pauses synchronisation of users and groups from Azure Active Directory to Buttonwood Central.
Prerequisites
- Administrative access to the Azure Portal
- An Azure Active Directory Application created and configured for SCIM with Buttonwood Central credentials
- Group and/or User Synchronisation Mappings configured
Procedure Steps
- Log in to the Azure Portal: https://portal.azure.com
- Navigate to Azure Active Directory
- Select Enterprise Applications
- Select the Enterprise Application configured in the procedure above - this example uses Buttonwood SCIM
- From the Manage sub-menu, select Provisioning
- In the Settings section, select the following options:
  - Provisioning Status: Off
- Click Save