All Collections
Haystack Intranet
Integrations
Single Sign-On (SSO) & User Provisioning (SCIM)
Microsoft Azure SCIM Set Up for User Provisioning and User Profile Data Mapping
Microsoft Azure SCIM Set Up for User Provisioning and User Profile Data Mapping

If your team uses Azure, configure your integration to handle provisioning, deprovisioning, and user profile data mapping.

Alison Morris avatar
Written by Alison Morris
Updated over a week ago

Before enabling your user provisioning, please ensure you've configured your workspace notification preferences appropriately. Provisioned users receive notifications even if they've not yet signed into their account. You can configure your workspace notification preference on your Admin Console's Security Settings Page.

Create an Azure enterprise application

Skip this step if you already have a SAML application for Haystack in Azure. Please see the instructions in this article for creating a SAML SSO application for Haystack in Azure.

Enable and config SCIM Provisioning in the Azure SAML application

Replace “dev” in the SCIM connector base URL with your haystack domain; Copy the auth token from the Haystack “User Provision & Login” in the admin console; Click “Test Connector” to make sure the auth token is working properly.

Edit the fields you like to sync from Azure to Haystack using the user attribute mapping.

The default Azure user attribute mapping may not work properly, check the following mappings -

  • Map “objectId” to “externalId”

  • Map “manager” to “urn:ietf:params:scim:schemas:extension:haystack:1.0:User:managerExternalId”

“urn:ietf:params:scim:schemas:extension:haystack:1.0:User:managerExternalId” is a custom field in Haystack SCIM extension, you will need to add this field into your application before it can be used in the attribute mapping::

  1. Remove the default Map from “manager” to “urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager”

  2. Check the “Show Advanced Options” at the bottom of the user “Attribute Mapping” page.

  3. Click the “Edit attribute list”

  4. Create a new string attribute "urn:ietf:params:scim:schemas:extension:haystack:1.0:User:managerExternalId"

  5. Navigate back to the 'User Attribute Mapping' page.

  6. Add a new mapping from “manager” to “urn:ietf:params:scim:schemas:extension:haystack:1.0:User:managerExternalId”

Map other custom attributes

joinDate -> urn:ietf:params:scim:schemas:extension:haystack:1.0:User:joinDate

pictureUrl -> urn:ietf:params:scim:schemas:extension:haystack:1.0:User:photoUrl

city(or locality) -> urn:ietf:params:scim:schemas:extension:haystack:1.0:User:locality

state(or region) -> urn:ietf:params:scim:schemas:extension:haystack:1.0:User:region

country -> urn:ietf:params:scim:schemas:extension:haystack:1.0:User:countryCode

Below is an example of the user attribute mappings

Group membership provisioning

Enable and config SCIM Group Provisioning in the Azure SAML application

Edit group fields to sync from Azure to Haystack using attribute mapping

Note: Group members sync are supported for both creation and update. Group name sync is only supported for creation.

Did this answer your question?