SCIM Provisioning of Users with Azure AD

System for Cross-domain Identity Management (a.k.a. SCIM) is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), deprovision (deactivate), and update user data across multiple applications at once. 

To set up SCIM provisioning in Azure AD you will need the involvement of both the Blinq organization admin and the manager of your Azure AD account.

Note

User provisioning should work with any service that adheres to the SCIM protocol. If you are looking to set up user provisioning with a service other than Azure AD please contact us at support@blinq.me so we can help you get set up.

SCIM capabilities supported in Blinq

  • Provisioning one or more users and their Blinq cards
  • Deprovisioning of users and their Blinq cards
  • Updating user details (which can propagate to a Blinq card)

Setup

Creating the Blinq application in Azure AD

To create the Azure application that will connect to Blinq:

  1. Navigate to portal.azure.com and log in
  2. Search for 'Enterprise Applications'
  3. Click on New Application
  4. Search for Blinq
  5. Select the first option
  6. Click Create

[Screenshot: steps 4-6]

Setting up user provisioning

Navigate to your newly created Enterprise Application in Azure and do the following:

  1. Select Provisioning in the left panel
  2. Click Get started
  3. Set the Provisioning Mode to Automatic

You should see a Tenant URL field and a Secret Token field. We will need to get this information from your account in Blinq so let's do that now.

  1. Navigate to https://dash.blinq.me in a separate browser tab
  2. If you aren't logged in to Blinq you will need to do so
  3. Click on your workspace in the top left of the screen
  4. In the dropdown click Settings
  5. Under the Integrations page you should see Team Card Provisioning which contains a URL and Token. You will need to generate the token by clicking Generate
  6. Copy the URL and Token and navigate back to the Provisioning page in your Azure app. Paste the URL and Token in the corresponding fields
  7. Click Test Connection
  8. After a few seconds you should see a success message letting you know that the supplied credentials are authorized to enable provisioning. With your credentials verified you can now click Save.

[Screenshot: steps 3-4]

[Screenshot: step 5]

Note

The Card Settings section allows you to configure how a card is created for a newly provisioned user. We will go over this in the Provisioning users section of this guide.

Note

You can generate a new token at any time by navigating back to this Integrations settings page and clicking Regenerate next to the token field. You can navigate to the Security tab of the settings page to see a list of your active tokens, as well as delete a token.

Configuring user provisioning in Azure

After saving you should now see a Mappings and Settings section.

[Screenshot: Mappings and Settings]

[OPTIONAL] If you would like to restrict what information is sent to Blinq you can do the following:

  1. Click on Provision Azure Active Directory Users
  2. Click Delete on the Attribute Mapping you want to remove

[Screenshot: Attribute Mapping]

Finally, under Settings, set Provisioning Status to On in order to start provisioning. Once that is done, click the Save button in the top left of the page.

Note

A sync occurs between Azure and Blinq every 40 minutes.

[Screenshot: Provisioning Status]

Configuring user provisioning in Blinq

Now that user provisioning is completely configured, we can add users to the Azure app so that they are provisioned in Blinq. However, before you proceed, we should go over what happens when a user is provisioned in Blinq.

When a user is provisioned in your Blinq workspace the following actions will occur by default:

  1. A user is created in your Blinq workspace
  2. A card is automatically created for this user
    • This card will contain any relevant details from the user's profile in Azure AD
    • These card fields will even stay in sync with whatever value is in the user's profile
  3. An email is sent to the user to let them activate their account.

We can extend this behaviour with the Card Settings section in Blinq, which is found on the same page as the URL and Token.

[Screenshot: Card Settings]

Card Settings allows you to configure:

  • Which Templates are applied to newly created cards (if any)
  • Whether or not an activation email is sent to new users automatically

Configuring which Templates are applied

Templates are the best way to ensure consistent branding across a team, department, or company. If a template contains your company logo and name then every card created with that template will contain the logo and name. If you edit the logo or name in your template then every card that inherits from the template will get the new value.

[Screenshot: Templates]

In Card Settings you can choose when a particular Template will be applied to a new card. For example, we could add a Filter that states that we should apply Template A when:

  • A new user is in the Marketing department
  • OR a new user is in the Sales department

If a newly provisioned user belongs to either of these departments (as stated in their Azure AD profile) then Template A will be applied to their card.

Note

Template fields take precedence over fields from Azure. For example, if on their Azure AD profile their company is Blinq and on the applied Template it is Blinq Inc. then Blinq Inc. is what will appear on their card.

Note

Templates are only applied to a newly provisioned user's card. After the user has been provisioned you will need to manually assign the Template to their card on the Blinq dashboard.

Configuring activation emails

[Screenshot: activation email toggle]

If this toggle is turned on then as soon as a user is provisioned they will get an email notifying them that they can activate their account.

If this toggle is turned off then the activation email will not be sent and you will need to manually send the activation emails from the Team Cards page in the Blinq Dashboard.

Provisioning users

We are approaching the finish line! User provisioning has now been set up and configured, so let's actually provision some users.

Note

We don't support group provisioning at this time.

  1. Navigate back to the main page of your Azure application
  2. Click Users and Groups in the left-hand side of the page
  3. Click Add user/group
  4. Click on Users and groups
  5. Select the users that you would like to provision
  6. Click the Select button at the bottom of the selection section
  7. Click the Assign button at the bottom left of the screen

[Screenshot: step 3]

[Screenshot: step 4]

Note

Deprovisioning can be completed by either removing the user from Azure, or removing them from the group you are syncing to SCIM via the Blinq Enterprise Users and Groups menu.

If you deprovision a user from the Azure application (by removing them from the list of Users), the user will exist in Blinq as an inactive user and will not be counted towards your Blinq user count.

Supported user attributes

A user's attributes can be found on the Azure AD User Profile. We support the following attributes:

  • Name
  • First name
  • Last name
  • Job title
  • Department
  • Company name
  • Office phone
  • Mobile phone
  • Email

Note

Unfortunately, whilst Blinq supports syncing profile images via SCIM, Azure AD does not expose this to us. Profile images will need to be uploaded to each card by the card owner or by the team admin.

Viewing a provisioned user in Blinq

To view a provisioned user's card, navigate to the Team Cards section in the Blinq Dashboard. To view a card, select the corresponding row and click the Edit button.

[Screenshot: Team Cards]

By default, all card fields created when the user is provisioned are:

  • Locked so that they can't be overridden by the card owner
  • Linked so that any changes to the user's Azure profile will be synced

If you edit the field value and Save then the field will be unlinked so that your new changes aren't overridden by any changes to the corresponding attribute in the user's Azure profile.

If you remove a lock on a field to allow the card owner to make changes then the field will be unlinked so that any changes that the card owner makes to the field aren't overridden by any changes to the corresponding attribute in the user's Azure profile.
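The card lifecycle this guide describes across the Card Settings, Provisioning users and Viewing a provisioned user sections (provisioning from the supported Azure attributes, the department Filter and Template precedence, fields that start locked and linked, unlinking on an admin edit or on removing a lock, and deprovisioning to an inactive user that is not counted) is easier to reason about as a small model. The following is an added Python example, not Blinq's implementation; the snake_case attribute keys, the dataclasses, the activation-email parameter and the choice to model template-sourced fields as no longer tracking Azure are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# The Azure AD attributes the guide lists as supported. The snake_case keys are
# an assumption for this model, not Blinq's attribute mapping names.
SUPPORTED_ATTRIBUTES = {
    "name", "first_name", "last_name", "job_title", "department",
    "company_name", "office_phone", "mobile_phone", "email",
}


@dataclass
class CardField:
    value: str
    locked: bool = True   # the card owner cannot override it
    linked: bool = True   # it follows the user's Azure AD attribute


@dataclass
class Template:
    name: str
    fields: dict          # template values take precedence over Azure values
    departments: set      # Card Settings filter: apply when department matches


@dataclass
class User:
    email: str
    active: bool = True
    activation_email_sent: bool = False
    card: dict = field(default_factory=dict)
    templates: list = field(default_factory=list)


def select_templates(templates, attrs):
    """Templates whose department filter matches the new user's Azure profile."""
    return [t for t in templates if attrs.get("department") in t.departments]


def provision(attrs, templates, send_activation_email=True):
    """Create the user and their card from Azure attributes (one SCIM create)."""
    unknown = set(attrs) - SUPPORTED_ATTRIBUTES
    if unknown:
        raise ValueError(f"unsupported attributes: {sorted(unknown)}")
    user = User(email=attrs["email"])
    # every provisioned field starts locked and linked, as the guide states
    card = {key: CardField(value) for key, value in attrs.items()}
    for template in select_templates(templates, attrs):
        user.templates.append(template.name)
        for key, value in template.fields.items():
            # template wins over the Azure value; modelled here as a field that
            # no longer tracks Azure (assumption), so later syncs keep it
            card[key] = CardField(value, locked=True, linked=False)
    user.card = card
    user.activation_email_sent = send_activation_email  # Card Settings toggle
    return user


def sync_from_azure(user, attrs):
    """The periodic sync: only linked fields pick up changed Azure values.

    Templates are not re-applied here, matching the note that they only
    apply at provisioning time. Returns the keys that changed.
    """
    changed = []
    for key, value in attrs.items():
        current = user.card.get(key)
        if current is not None and current.linked and current.value != value:
            current.value = value
            changed.append(key)
    return changed


def admin_edit(user, key, value):
    """Editing a field on the dashboard and saving unlinks it from Azure."""
    user.card[key].value = value
    user.card[key].linked = False


def unlock(user, key):
    """Removing the lock so the owner can edit also unlinks the field."""
    user.card[key].locked = False
    user.card[key].linked = False


def deprovision(user):
    """Removing the user from the Azure app leaves an inactive Blinq user."""
    user.active = False


def billable_user_count(users):
    """Inactive (deprovisioned) users are not counted."""
    return sum(1 for user in users if user.active)
```

Walking a Sales user through provision, a later sync, an admin edit and an unlock shows why the linked flag matters: once a field is unlinked, whether by a dashboard edit or by removing its lock, the 40-minute sync no longer touches it, so any drift between the card and the Azure profile from that point on is by design rather than a sync failure.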


Congratulations!! 🎉

You made it. We know this was a lot to digest so if you have any questions that aren't addressed in the FAQ below please email us at support@blinq.me.

FAQ

What happens if the admin who set up the initial SCIM token is no longer admin or their account was deactivated?

If the original admin who created the SCIM provisioning token on your workspace was deactivated, SCIM will no longer work on your account. In order to reactivate SCIM, the current admin of the workspace can generate a new token and enter it into the provisioning details of your Azure application.
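The token behaviour in the Integrations note earlier in this guide and in this FAQ answer (Generate and Regenerate, the Security tab's list of active tokens with delete, and a token that stops working once the admin who created it is deactivated) can be made concrete with a small model of a workspace's token store and the check it would run on each incoming SCIM request. This is an added Python example and not Blinq's implementation; the class names, the audit trail, the token id format and the specific denial reasons are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Token:
    secret: str
    created_by: str  # the admin who clicked Generate or Regenerate


@dataclass
class Workspace:
    # admin id -> True while that admin account is active (assumed model)
    admins: dict = field(default_factory=dict)
    # token id -> Token; this is what the Security tab would list
    tokens: dict = field(default_factory=dict)
    # audit trail of token events and denied requests, useful for detection
    audit: list = field(default_factory=list)

    def generate_token(self, admin):
        """Generate on the Integrations page: a fresh random secret."""
        if not self.admins.get(admin):
            raise PermissionError(f"{admin} is not an active admin")
        token_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self.tokens[token_id] = Token(secret, admin)
        self.audit.append(("generate", admin, token_id))
        return token_id, secret

    def regenerate_token(self, admin, token_id):
        """Regenerate: the old secret stops working immediately."""
        self.delete_token(admin, token_id)
        return self.generate_token(admin)

    def delete_token(self, admin, token_id):
        """Delete from the Security tab."""
        if not self.admins.get(admin):
            raise PermissionError(f"{admin} is not an active admin")
        del self.tokens[token_id]
        self.audit.append(("delete", admin, token_id))

    def deactivate_admin(self, admin):
        """Deactivating an admin invalidates the tokens they created (FAQ case)."""
        self.admins[admin] = False
        self.audit.append(("deactivate_admin", admin, None))

    def active_tokens(self):
        """Token ids that would still be accepted, as the Security tab shows."""
        return sorted(token_id for token_id, token in self.tokens.items()
                      if self.admins.get(token.created_by))

    def authorize(self, authorization_header):
        """Check the Authorization header of an incoming SCIM request.

        Returns (True, token_id) or (False, reason). Secrets are compared in
        constant time so a near-miss leaks no timing information.
        """
        scheme, _, presented = authorization_header.partition(" ")
        if scheme != "Bearer" or not presented or not presented.isascii():
            self.audit.append(("denied", "malformed_header", None))
            return False, "malformed_header"
        for token_id, token in self.tokens.items():
            if hmac.compare_digest(token.secret, presented):
                if not self.admins.get(token.created_by):
                    self.audit.append(("denied", "creator_deactivated", token_id))
                    return False, "creator_deactivated"
                return True, token_id
        self.audit.append(("denied", "unknown_token", None))
        return False, "unknown_token"
```

The FAQ case falls out of the last check in authorize: the secret still matches, but its creator is no longer active, so the request is denied with a distinct reason. Logging that reason separately from an unknown token is what lets an operator tell "someone is probing the endpoint" apart from "our provisioning broke because the admin who set it up left", which is the situation the FAQ tells you to resolve by having the current admin generate a new token.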