
Setting Up User Provisioning with Microsoft Azure SCIM 👥

Before You Begin...

Before you turn on user provisioning, it's a good idea to check your workspace notification settings. Once you enable SCIM, users will receive notifications even if they haven't signed into their account yet! You can find and adjust these settings in your Admin Console on the Security Settings page.

Step 1: Create an Azure Enterprise Application

You can skip this step if you've already created a SAML application for Haystack in Azure. If not, you'll need to create a new enterprise application first.

Step 2: Enable and Configure SCIM Provisioning

Now, let's enable SCIM provisioning within your Azure SAML application.

You'll need to:

  • Replace "dev" in the SCIM connector base URL with your Haystack subdomain.

  • Copy the auth token from the User Provision & Login section in your Haystack Admin Console.

  • Click "Test Connector" to make sure the token is working properly.

Step 3: Edit User Attribute Mappings

The default Azure user attribute mapping might not work perfectly with Haystack, so you'll want to adjust a few things. You can edit the fields you want to sync from Azure to Haystack.

  • Map "objectId" to "externalId".

  • Map "manager" to a custom field: "urn:ietf:params:scim:schemas:extension:haystack:1.0:User:managerExternalId".

To map the manager attribute, you'll need to create a new custom field:

  1. Remove the default mapping from "manager" to "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager".

  2. Check "Show Advanced Options" at the bottom of the user "Attribute Mapping" page.

  3. Click "Edit attribute list".

  4. Create a new string attribute named "urn:ietf:params:scim:schemas:extension:haystack:1.0:User:managerExternalId".

  5. Go back to the "User Attribute Mapping" page and add a new mapping from "manager" to your new custom field.

Step 4: Map Other Custom Attributes

You can also sync other custom fields to Haystack, such as:

  • joinDate -> urn:ietf:params:scim:schemas:extension:haystack:1.0:User:joinDate

  • pictureUrl -> urn:ietf:params:scim:schemas:extension:haystack:1.0:User:photoUrl

  • city (or locality) -> urn:ietf:params:scim:schemas:extension:haystack:1.0:User:locality

  • state (or region) -> urn:ietf:params:scim:schemas:extension:haystack:1.0:User:region

  • country -> urn:ietf:params:scim:schemas:extension:haystack:1.0:User:countryCode
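
To confirm the mappings from Steps 3 and 4 before relying on them, the check below inspects a SCIM User resource for the mistakes these steps are meant to prevent. It is an added example, not Haystack's or Microsoft's code; the function name and sample resources are constructed, and it assumes extension attributes arrive nested under the extension URN key, as RFC 7643 describes.

```python
HAYSTACK_EXT = "urn:ietf:params:scim:schemas:extension:haystack:1.0:User"
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Extension attribute names from the mappings in Steps 3 and 4 of this guide.
KNOWN_ATTRS = {"managerExternalId", "joinDate", "photoUrl",
               "locality", "region", "countryCode"}


def check_scim_user(payload):
    """Return a list of mapping problems found in one SCIM User resource."""
    problems = []
    if not payload.get("externalId"):
        problems.append("externalId missing (map objectId to externalId)")
    # Step 3 removes the default manager mapping to the enterprise extension.
    if "manager" in payload.get(ENTERPRISE_EXT, {}):
        problems.append("default enterprise:2.0 manager mapping still present")
    ext = payload.get(HAYSTACK_EXT, {})
    for name in sorted(set(ext) - KNOWN_ATTRS):
        problems.append("unexpected haystack attribute: " + name)
    # The custom manager field is created as a string attribute.
    manager = ext.get("managerExternalId")
    if manager is not None and not isinstance(manager, str):
        problems.append("managerExternalId is not a string")
    return problems


# Constructed sample resources (not captured from a real tenant).
GOOD_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "externalId": "00000000-0000-0000-0000-000000000001",
    "userName": "alex@example.com",
    HAYSTACK_EXT: {
        "managerExternalId": "00000000-0000-0000-0000-000000000002",
        "locality": "Lisbon",
        "countryCode": "PT",
    },
}
BAD_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "sam@example.com",  # no externalId
    ENTERPRISE_EXT: {"manager": {"value": "00000000-0000-0000-0000-000000000002"}},
    HAYSTACK_EXT: {"city": "Lisbon", "managerExternalId": {"value": "x"}},
}

if __name__ == "__main__":
    for label, user in (("good", GOOD_USER), ("bad", BAD_USER)):
        print(label, check_scim_user(user))
```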

 

Step 5: Provision Group Memberships

Want to sync your groups too? You can enable SCIM Group Provisioning in your Azure SAML application.

Once enabled, you'll be able to edit which group fields you want to sync from Azure to Haystack. Group member changes are supported for both creation and updates, while group names are only supported for creation.


You're all set! Your Azure integration is now configured for seamless user and group management.

