Microsoft Azure SCIM employee provisioning

Microsoft Azure SCIM provisioning allows real-time employee provisioning through Azure Active Directory using the SCIM API.

How does this integration work?

With the Envoy + Microsoft Azure integration, Envoy provisions employees through a custom Enterprise app within Azure’s Active Directory portal.

Note: Please reach out to Envoy support to be whitelisted for access.

Enabling the Envoy + Azure integration

Note: The Azure subscription requires the ability to add a “Non-gallery application” within Enterprise apps. You’ll need to be an admin on your Azure account to complete this integration. Either become an admin or ask your admin for help before completing these steps:

  1. Go to Integrations > All integrations.
  2. Under Directory, find Microsoft Azure SCIM. Click “Install.”
  3. Select “Sync all users” or “Sync specific users per location” and click “Save”.
  4. Copy the OAuth Bearer Token from Envoy and note it; you will enter it into Azure later.
  5. Open the Azure portal and select Azure Active Directory -> Enterprise applications -> New application -> Non-gallery application
  6. Enter your custom app name (“Envoy provisioning”)
  7. Open the Provisioning tab and set “Provisioning Mode” to “Automatic”
  8. Copy Envoy’s SCIM endpoint, https://app.envoy.com/scim/v2, into “Tenant URL” and paste the OAuth Bearer Token from the Envoy Dashboard.
    1. Note: The Tenant URL above is for new instances. If you have an existing instance, do not update it.
  9. Click on “Test Connection”. Once it succeeds, click “Save”
  10. Go to the Mappings section on the Provisioning tab
    1. Click on “Synchronize Azure Active Directory Groups to customappsso”.
      1. In the attribute Mappings section, delete the following group mapping attributes and “Save”:
        1. objectID
        2. mail
        3. mailEnabled
        4. securityEnabled
        5. members
    2. Click on “Synchronize Azure Active Directory Users to customappsso”.
      1. In the attribute Mappings section, delete the following user mapping attributes and “Save”:
        1. employeeNumber
        2. costCenter
        3. organization
        4. division
        5. department
        6. manager
  11. Click on “Users and groups” on the left-hand side and then assign users or groups to the application. Note that Azure does not support nested groups for SCIM provisioning.
  12. Once users are assigned, click on “Provisioning” on the left-hand side, scroll down to the bottom, and turn “Provisioning Status” On.
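
To confirm the deletions in step 10 before turning provisioning on, the following added example (not part of the Envoy or Microsoft documentation) checks an exported attribute-mapping schema for any of the listed attributes that are still mapped. It assumes the export is JSON shaped like a Microsoft Graph synchronization schema (synchronizationRules, objectMappings, attributeMappings); the sample schema and the function name are constructed for illustration.

```python
# Attribute names the steps above say to delete, per Azure AD source object.
REMOVED = {
    "Group": ["objectID", "mail", "mailEnabled", "securityEnabled", "members"],
    "User": ["employeeNumber", "costCenter", "organization", "division",
             "department", "manager"],
}

def leftover_mappings(schema):
    """Return sorted (object, attribute) pairs that are still mapped."""
    found = set()
    for rule in schema.get("synchronizationRules", []):
        for obj in rule.get("objectMappings", []):
            kind = obj.get("sourceObjectName")
            banned = {n.lower(): n for n in REMOVED.get(kind, [])}
            for m in obj.get("attributeMappings", []):
                # Assumption: a listed name may appear as the Azure AD source
                # attribute or as the last segment of the SCIM target name.
                target = (m.get("targetAttributeName") or "").rsplit(":", 1)[-1]
                source = (m.get("source") or {}).get("name") or ""
                for name in (target, source):
                    if name.lower() in banned:
                        found.add((kind, banned[name.lower()]))
    return sorted(found)

# Constructed sample export, not taken from a real tenant.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SAMPLE = {"synchronizationRules": [{"objectMappings": [
    {"sourceObjectName": "Group", "targetObjectName": "Group",
     "attributeMappings": [
         {"source": {"name": "displayName"}, "targetAttributeName": "displayName"},
         {"source": {"name": "objectId"}, "targetAttributeName": "externalId"},
     ]},
    {"sourceObjectName": "User", "targetObjectName": "User",
     "attributeMappings": [
         {"source": {"name": "userPrincipalName"}, "targetAttributeName": "userName"},
         {"source": {"name": "department"},
          "targetAttributeName": ENTERPRISE + ":department"},
         # "mail" is only on the Group deletion list, so this one is allowed.
         {"source": {"name": "mail"},
          "targetAttributeName": 'emails[type eq "work"].value'},
     ]},
]}]}

if __name__ == "__main__":
    for kind, attr in leftover_mappings(SAMPLE):
        print(f"{kind}: '{attr}' is still mapped")
```

An empty result means every attribute listed in step 10 has been removed from both mappings.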

Note: Envoy is in the process of updating our official Envoy app within the Microsoft Azure store. At a future date, both employee provisioning and single sign on will be handled through a single app.