Configuring SCIM User Provisioning with Azure AD
The Clumio service can integrate with Azure AD for SCIM Provisioning. Please follow the steps below to configure SCIM provisioning with Azure AD.
Ensure that you have the following before you start:
- Azure AD account with admin privileges
- Clumio account with Super Admin Role
- The app is assigned to the required groups***
- SSO with Azure AD enabled
- Create users
- Update user attributes
- Deactivate users
Configure SCIM provisioning
In Azure AD
- Open the Azure AD Admin console.
- Go to Enterprise Applications > Clumio.
- Navigate to the App's Provisioning section, and select Automatic as the Provisioning Mode.
- Get the SCIM base URL and SCIM API token from Clumio (see step 5), and paste them under the Admin Credentials collapsible section.
- Under the Mappings collapsible section make sure both Provision Azure Active Directory Groups and Provision Azure Active Directory Users are enabled.
- When setting up the Provision Azure Active Directory Users mappings, it is important to remove the mailNickname mapping. This is necessary for Auto User Provisioning (AUP) to function properly. If this mapping is retained, group names may be changed to their corresponding UUIDs during periodic syncs on Azure AD, which can cause AUP rule evaluations to fail.
- Click Save.
- Set the Provisioning Status to On.
- In the Overview section of the App’s provisioning settings, click Start Provisioning to finish the SCIM setup.
- Log on to Clumio.
- Navigate to Settings > Access Management > Auto user provisioning.
- Click Get Started and type a rule name, select the conditions to apply the rule, give the group a name, select the Super Admin Role, and assign that role to an OU.
- Click Configure SCIM.
- Copy the SCIM base URL, and generate and download the SCIM API token. These will be needed for the IdP side setup. Once done, click Close.
- Next click Provisioning method (optional), and toggle on SCIM Provisioning.
- Ensure that the logged-in user is a part of the group that is assigned the Super Admin role, and groups have been pushed from Azure AD (See step 14 above).
- Click Enable Auto User Provisioning.
- You can now create additional rules per your requirements by clicking Create Auto User Provisioning Rule.
Once Auto User Provisioning is enabled, all users are evaluated against the rules you created, and any changes to users within Azure AD are automatically reflected within Clumio.
Note: When you assign a group to an application, only users directly in the group will have access. The assignment does not cascade to nested groups; nested groups must be assigned to the app explicitly. Additionally, access is only granted to group members and not group owners.
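To check the mailNickname step before setting the Provisioning Status to On, the following added example (not code from Clumio or Microsoft) scans an exported provisioning schema for any attribute mapping that still reads mailNickname, including mappings that reference it inside a function expression. The sample schema is constructed and laid out like the synchronizationSchema resource in Microsoft Graph; the function names and the sample target attributes are assumptions for illustration.

```python
# Constructed sample, laid out like a Microsoft Graph synchronizationSchema
# export for the app's provisioning job. Not real tenant data.
SAMPLE_SCHEMA = {"synchronizationRules": [{"objectMappings": [
    {"sourceObjectName": "User", "attributeMappings": [
        {"targetAttributeName": "userName",
         "source": {"type": "Attribute", "name": "userPrincipalName"}},
        {"targetAttributeName": "externalId",
         "source": {"type": "Attribute", "name": "mailNickname"}},
        # Function expression that reads mailNickname through a parameter.
        {"targetAttributeName": "nickName",
         "source": {"type": "Function", "name": "ToLower", "parameters": [
             {"key": "source", "value": {"type": "Attribute", "name": "mailNickname"}}]}},
    ]},
    {"sourceObjectName": "Group", "attributeMappings": [
        {"targetAttributeName": "displayName",
         "source": {"type": "Attribute", "name": "displayName"}},
    ]},
]}]}


def source_attributes(source):
    """Yield every directory attribute a mapping source reads, including
    attributes nested inside function-expression parameters."""
    if not source:
        return
    if source.get("type") == "Attribute":
        yield source.get("name", "")
    for param in source.get("parameters") or []:
        yield from source_attributes(param.get("value"))


def find_mappings(schema, attribute="mailNickname"):
    """Return (source object, target attribute) for each mapping reading `attribute`."""
    hits = []
    for rule in schema.get("synchronizationRules", []):
        for obj in rule.get("objectMappings", []):
            for mapping in obj.get("attributeMappings", []):
                names = {n.lower() for n in source_attributes(mapping.get("source"))}
                if attribute.lower() in names:
                    hits.append((obj.get("sourceObjectName"),
                                 mapping.get("targetAttributeName")))
    return hits


if __name__ == "__main__":
    for obj, target in find_mappings(SAMPLE_SCHEMA):
        print(f"remove before enabling provisioning: {obj} mailNickname -> {target}")
```

An empty result from `find_mappings` means no mapping in the exported schema reads mailNickname.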