System for Cross-domain Identity Management (a.k.a. SCIM) is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), deprovision (deactivate), and update user data across multiple applications at once.
To set up SCIM provisioning in Azure AD you will need to have the involvement of both the Blinq organization admin and the manager of your Azure AD account.
Note
User provisioning should work with any service that adheres to the SCIM protocol. If you are looking to set up user provisioning with a service other than Azure AD, please contact us at support@blinq.me so we can help you get set up.
SCIM capabilities supported in Blinq
- Provisioning one or more users and their Blinq cards
- Deprovisioning of users and their Blinq cards
- Updating user details (which can propagate to a Blinq card)
Setup
Creating the Blinq application in Azure AD
To create the Azure application that will connect to Blinq:
- Navigate to portal.azure.com and log in
- Search for 'Enterprise Applications'
- Click on New Application
- Search for Blinq
- Select the first option
- Click Create
Setting up user provisioning
Navigate to your newly created Enterprise Application in Azure and do the following:
- Select Provisioning in the left panel
- Click Get started
- Set the Provisioning Mode to Automatic
You should see a Tenant URL field and a Secret Token field. We will need to get this information from your account in Blinq so let's do that now.
- Navigate to https://dash.blinq.me in a separate browser tab
- If you aren't logged in to Blinq you will need to do so
- Click on your workspace in the top left of the screen
- In the dropdown click Settings
- Under the Integrations page you should see Team Card Provisioning which contains a URL and Token. You will need to generate the token by clicking Generate
- Copy the URL and Token and navigate back to the Provisioning page in your Azure app. Paste the URL and Token in the corresponding fields
- Click Test Connection
- After a few seconds you should see a success message letting you know that the supplied credentials are authorized to enable provisioning. With your credentials verified you can now click Save
Note
The Card Settings section allows you to configure how a card is created for a newly provisioned user. We will go over this in the Provisioning users section of this guide
Note
You can generate a new token at any time by navigating back to this Integrations settings page and clicking Regenerate next to the token field. You can navigate to the Security tab of the settings page to see a list of your active tokens, as well as delete a token.
Configuring user provisioning in Azure
After saving you should now see a Mappings and Settings section.
- Click on Provision Azure Active Directory Users
- Click Delete on the Attribute Mapping you want to remove
Finally, under Settings, make sure to set Provisioning Status to On in order to start provisioning. Once that is done, click the Save button in the top left of the page.
Note
A sync occurs between Azure and Blinq every 40 minutes
Configuring user provisioning in Blinq
Now that user provisioning is completely configured we can add users to the Azure app in order for them to be provisioned in Blinq. However before you proceed we should go over what happens when a user is provisioned in Blinq.
When a user is provisioned in your Blinq workspace the following actions will occur by default:
- A user is created in your Blinq workspace
- A card is automatically created for this user
- This card will contain any relevant details from the user's profile in Azure AD
- These card fields will even stay in sync with whatever value is in the user's profile
- An email is sent to the user to let them activate their account.
We can extend this behaviour with the Card Settings section in Blinq - which is found on the same page as the URL and Token.
Card Settings allows you to configure:
- Which Templates are applied to newly created cards (if any)
- Whether or not an activation email is sent to new users automatically
Configuring which Templates are applied
Templates are the best way to ensure consistent branding across a team, department, or company. If a template contains your company logo and name then every card created with that template will contain the logo and name. If you edit the logo or name in your template then every card that inherits from the template will get the new value.
In Card Settings you can choose when a particular Template will be applied to a new card. For example we could add a Filter that states that we should apply Template A when:
- A new user is in the Marketing department
- OR a new user is in the Sales department
If a newly provisioned user belongs to either of these departments (as stated in their Azure AD profile) then Template A will be applied to their card.
Note
Template fields take precedence over fields from Azure. For example, if on their Azure AD profile their company is Blinq and on the applied Template it is Blinq Inc. then Blinq Inc. is what will appear on their card.
Note
Templates are only applied to a newly provisioned user's card. After the user has been provisioned you will need to manually assign the Template to their card on the Blinq dashboard.
Configuring activation emails
If this toggle is turned on then as soon as a user is provisioned they will get an email notifying them that they can activate their account.
If this toggle is turned off then the activation email will not be sent and you will need to manually send the activation emails from the Team Cards page in the Blinq Dashboard.
Provisioning users
We are approaching the finish line! User provisioning has now been set up and configured so let's actually provision some users.
We don't support group provisioning at this time.
- Navigate back to the main page of your Azure application
- Click Users and Groups in the left-hand side of the page
- Click Add user/group
- Click on Users and groups
- Select the users that you would like to provision
- Click the Select button at the bottom of the selection section
- Click the Assign button at the bottom left of the screen
Note
Deprovisioning can be completed by either removing the user from Azure, or removing them from the group you are syncing to SCIM via the Blinq Enterprise Users and Groups menu.
If you deprovision a user from the Azure application (by removing them from the list of Users), the user will exist in Blinq as an inactive user and will not be counted towards your Blinq user count.
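A reconciliation check for the deprovisioning behaviour described above, as an added example (not Blinq's or Microsoft's code): it compares a SCIM user list with the users assigned in Azure and flags accounts that are still active after the 40-minute sync should have deactivated them. The sample data is constructed; that the user list has the standard SCIM 2.0 ListResponse shape and that two sync cycles is a reasonable grace period are assumptions.

```python
from datetime import datetime, timedelta, timezone

SYNC_INTERVAL = timedelta(minutes=40)  # sync cadence stated in this guide

# Constructed sample: a SCIM 2.0 ListResponse (RFC 7644) as a GET /Users
# call would return it. That the Blinq endpoint returns exactly this shape
# is an assumption.
SCIM_LIST = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 5,
    "Resources": [
        {"userName": "ana@example.com", "active": True},
        {"userName": "Ben@Example.com", "active": True},
        {"userName": "cara@example.com", "active": False},
        {"userName": "dev@example.com", "active": True},
        {"userName": "eve@example.com", "active": True},
    ],
}

# Constructed sample: users currently assigned to the Azure application,
# and the time each removed user was unassigned (e.g. from your audit log).
ASSIGNED = {"ana@example.com"}
UNASSIGNED_AT = {
    "ben@example.com": datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc),
    "cara@example.com": datetime(2024, 1, 1, 7, 0, tzinfo=timezone.utc),
    "dev@example.com": datetime(2024, 1, 1, 9, 50, tzinfo=timezone.utc),
}

def reconcile(scim_list, assigned, unassigned_at, now, grace=2 * SYNC_INTERVAL):
    """Classify SCIM users that are still active but no longer assigned."""
    assigned = {u.lower() for u in assigned}
    report = {"stale": [], "pending": [], "unknown": []}
    for res in scim_list.get("Resources", []):
        name = res["userName"].lower()  # compare case-insensitively
        if not res.get("active", True) or name in assigned:
            continue  # already deactivated, or legitimately assigned
        removed = unassigned_at.get(name)
        if removed is None:
            report["unknown"].append(name)  # active but never assigned in Azure
        elif now - removed > grace:
            report["stale"].append(name)    # deprovisioning did not take effect
        else:
            report["pending"].append(name)  # still inside the sync window
    return report
```

Entries under `stale` and `unknown` are the ones to investigate: the first suggests the sync or the token has stopped working, the second an account created outside of provisioning.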
Supported user attributes
A user's attributes can be found on the Azure AD User Profile. We support the following attributes:
- Name
- First name
- Last name
- Job title
- Department
- Company name
- Office phone
- Mobile phone
Note
Unfortunately whilst Blinq supports syncing profile images via SCIM, Azure AD does not expose this to us. Profile images will need to be uploaded to each card by the card owner or by the team admin.
Viewing a provisioned user in Blinq
To view a provisioned user's card, navigate to the Team Cards section in the Blinq Dashboard. To view a card, select the corresponding row and click the Edit button.
By default all card fields that were created when the user is provisioned are:
- Locked so that they can't be overridden by the card owner
- Linked so that any changes to the user's Azure profile will be synced
If you edit the field value and Save then the field will be unlinked so that your new changes aren't overridden by any changes to the corresponding attribute in the user's Azure profile.
If you remove a lock on a field to allow the card owner to make changes then the field will be unlinked so that any changes that the card owner makes to the field aren't overridden by any changes to the corresponding attribute in the user's Azure profile.
Congratulations!! 🎉
You made it. We know this was a lot to digest so if you have any questions that aren't addressed in the FAQ below please email us at support@blinq.me.
FAQ
What happens if the admin who set up the initial SCIM token is no longer admin or their account was deactivated?
If the original admin who created the SCIM provisioning token on your workspace was deactivated, SCIM will no longer work on your account. In order to reactivate SCIM, the current admin of the workspace can generate a new token and enter it into the provisioning details of your Azure application.