Azure Active Directory (SCIM)
  • 17 May 2022
  • 6 Minutes to read
This article describes how to allow users to log in using a Microsoft Azure Active Directory account, either from your company or from external directories. You must register your application through the Microsoft Azure portal. If you don't have a Microsoft Azure account, you can sign up for free.

  • Creating a new application
  • Configuring the permissions
  • Allowing access from external organizations (optional)
  • Configuring the key
  • Configuring Reply URLs
  • Configuring IDP connection
  • Troubleshooting

You can access the Azure management portal from your Microsoft service, or visit https://portal.azure.com/ and sign in to Azure using the global administrator account used to create the Office 365 organization.
If you have an Office 365 account, you can use the account's Azure AD instance instead of creating a new one. To find your Office 365 account Azure AD instance:

  1. Sign in to Office 365.
  2. Navigate to the Office 365 Admin Center.
  3. Open the Admin centers menu options located on the left menu.
  4. Select Azure AD. This will take you to the Admin Center of the Azure AD instance backing your Office 365 account.

Follow the steps below to connect your Perimeter 81 Account to Azure Active Directory:

  1. Create a new application.
  2. Configure the permissions.
  3. Allow access from external organizations (optional).
  4. Create the key.
  5. Configure Reply URLs.
  6. Configure Perimeter 81 IDP connection.

Creating a new application

  1. Log in to Microsoft Azure and choose Azure Active Directory from the sidebar.
  2. Under Manage, select App registrations.
  3. Select New Registration to add a new application.
  4. Enter the name "Perimeter 81" for the application, select Web app/API as the Application Type, and for Sign-on URL enter your application URL with your workspace name: https://<workspace>.perimeter81.com (replace <workspace> with your workspace name).

Configuring the permissions

  1. Once the application has been created, you will have to configure the permissions. Select the name of the application, Perimeter 81, to open the Settings section.
  2. Select API permissions.
  3. Select Add a permission.
  4. Select APIs my organization uses and choose Windows Azure Active Directory to change the access level.
  5. The next step is to modify the permissions so your app can read the directory. Under Delegated permissions, check Sign in and read user profile and Read directory data.
  6. Grant Admin Consent if requested.

Support user groups

  1. If you want to enable user group support you will need to enable the following permissions:
     • Application Permissions: Read directory data
     • Delegated Permissions: Access the directory as the signed-in user
  2. Select Save at the top to save these changes.
  3. Grant Admin Consent if requested.

Allowing access from external organizations (optional)

  1. If you want to allow users from external organizations (such as other Azure directories) to log in, you will need to enable the Multi-Tenant option for this application. In the Authentication section, choose the Multi-tenant option.
  2. Select Save at the top to save these changes.
  3. Grant Admin Consent if requested.

Configuring the key

  1. You will need to create a key (secret password) that will be used as the Client Secret in the Perimeter 81 IDP connection. Select Certificates and secrets from the Application menu.
  2. Enter a name for the key and choose the desired duration.
     If you choose an expiring key, make sure to record the expiration date in your calendar, as you will need to renew the key (get a new one) before that day to ensure users don't experience a service interruption.
  3. Select Add and the key will be displayed. Make sure to copy the value of this key before leaving this screen; otherwise, you may need to create a new key. This value is used as the Client Secret in the next step.
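The expiry reminder above is easy to forget once it is only a calendar entry. The following added example (not Perimeter 81's or Microsoft's own code) checks a list of client secrets and reports which ones are expired or about to expire, so the key can be renewed before users lose access. Each record carries the fields (keyId, displayName, endDateTime) found in the passwordCredentials array that Microsoft Graph returns for an application; the records here are constructed sample data, not real tenant output, and the 30-day warning window is an assumption.

```python
"""Added example, not Perimeter 81's or Microsoft's own code: flag client
secrets that are expired or expiring soon. The credential records are
constructed sample data shaped like Graph's passwordCredentials entries."""
from datetime import datetime, timedelta, timezone

# Constructed sample; dates chosen around the article's publication date
SAMPLE_CREDENTIALS = [
    {"keyId": "00000000-0000-0000-0000-000000000001",
     "displayName": "Perimeter 81 IDP", "endDateTime": "2022-06-10T00:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000002",
     "displayName": "old key", "endDateTime": "2022-01-01T00:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000003",
     "displayName": "rotated key", "endDateTime": "2023-05-17T00:00:00Z"},
]


def parse_graph_time(value):
    """Graph emits ISO 8601 with a trailing Z; fromisoformat() on Python < 3.11
    only accepts the +00:00 spelling, so normalise first."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_secrets(credentials, now_iso=None, warn_days=30):
    """Return {keyId: (status, days_left)} where status is 'expired',
    'expiring' (ends within warn_days) or 'ok'. now_iso fixes the reference
    time for reproducible checks; by default the current UTC time is used."""
    now = parse_graph_time(now_iso) if now_iso else datetime.now(timezone.utc)
    report = {}
    for cred in credentials:
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            status = "expired"
        elif end <= now + timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        report[cred["keyId"]] = (status, days_left)
    return report


if __name__ == "__main__":
    for key_id, (status, days) in classify_secrets(SAMPLE_CREDENTIALS).items():
        print(f"{key_id}: {status} ({days} days left)")
```

Run it on a schedule against the application's real credential list and alert on any "expiring" entry; the "expired" entries are the ones that would already be producing login failures for users.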



Configuring Reply URLs

  1. Next, you need to ensure that your Auth0 callback URL is listed in the allowed reply URLs for the created application.
  2. Navigate to Azure Active Directory, then App registrations, and select the Perimeter 81 app. Then select Authentication, go to Redirect URLs and add the following link:
     https://auth.perimeter81.com/login/callback
  3. Select Save.

Configuring IDP connection

  1. Log in to your Perimeter 81 Management Platform, navigate to Settings, and then Identity Providers.
  2. Select + Add Provider.
  3. Choose Microsoft Azure AD.
  4. Fill in Microsoft Azure AD Domain (your domain, for example perimeter81.com), Domain Aliases (optional), Client ID, and Client Secret. For the Client ID, use the value stored as the Application ID in Azure AD.
  5. For the Client Secret use the value that was shown for the key when you created it in the previous step.
  6. Under Domain set the name of the Microsoft Azure AD Domain and under Domain Aliases insert any email domain that corresponds to the connection.
  7. Select Done.

If your users are getting access errors after the configuration, check the steps under Troubleshooting and Known Issues below.


Configuring SCIM integration within Perimeter 81

If you're creating the Azure integration for the first time, enable SCIM within the IDP configuration by clicking the SCIM checkbox.

If you're editing an existing Azure configuration, turn SCIM Integration on by clicking the 'Turn On' button.

Once enabled, you need to configure SCIM by clicking on the Settings button.

Copy the URL and paste it in the relevant location within your IDP.

Generate and then copy the Token (please note that we do not save it, so if you lose it you'll have to generate a new one), then paste it in your IDP.

Configuring SCIM integration within Azure AD


Create SCIM application

1. Log in to your Azure tenant and navigate to Azure Active Directory

2. In the left navigation pane, click on “Enterprise applications”

3. Click on “Create a new application”

4. Click on “+ Create your own application”

5. Enter a name for the application (P81-SCIM) and leave default settings

6. Click “Create”


Configure SCIM Application

1. Navigate back to Enterprise applications and select the newly created application

2. Click on “Provisioning” in the left navigation pane

3. Click the “Get started” button

4. On the Provisioning screen, set “Provisioning Mode” to automatic

5. Expand “Admin Credentials”

a. Add the SCIM adapter base URL (https://api.perimeter81.com/api/scim)

b. Add the token you copied before.


c. Click on “Test Connection”

6. Stay on the Provision screen and expand “Mappings”

a. Click on “Provision Azure Active Directory Users”. This will take you to the attribute mapping screen

7. You’ll now be on the “Attribute Mapping” screen

8. Under “Target Object Actions”, enable all that apply

a. These are the actions that will trigger calls to the SCIM adapter

9. Configure “Attribute Mappings” to match the configuration below by deleting all the irrelevant fields and changing the 'userPrincipalName' mapping:

Azure Active Directory Attribute                                   | customappsso Attribute
------------------------------------------------------------------ | ---------------------------------
userPrincipalName                                                  | emails[type eq "work"].value
givenName                                                          | name.givenName
surname                                                            | name.familyName
Switch([IsSoftDeleted], , "False", "True", "True", "False")        | active
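To make the table concrete, the following added example (not Perimeter 81's or Microsoft's own code) reproduces the four mappings in plain Python and shows the SCIM 2.0 User resource the adapter would receive for a given Azure AD user. The Azure user records are constructed sample data. The `azure_switch()` helper follows the documented shape of the provisioning expression `Switch(source, defaultValue, key1, value1, ...)`; treating the omitted default in the table's expression as "no value" (attribute left out) is an assumption, and the mapping deliberately carries only the attributes listed in the table.

```python
"""Added example, not Perimeter 81's or Microsoft's own code: apply the
attribute mapping table to constructed Azure AD user records and build the
resulting SCIM 2.0 User resource."""
import json
import re


def azure_switch(source, default, *pairs):
    """Evaluate Switch(source, default, key1, value1, ...): return the value
    paired with the first key equal to source, otherwise default."""
    if len(pairs) % 2:
        raise ValueError("Switch() needs key/value pairs")
    for key, value in zip(pairs[::2], pairs[1::2]):
        if source == key:
            return value
    return default


# Target SCIM attribute path -> how it is derived from the Azure AD user,
# one entry per row of the mapping table above.
MAPPINGS = {
    'emails[type eq "work"].value': lambda u: u.get("userPrincipalName"),
    "name.givenName": lambda u: u.get("givenName"),
    "name.familyName": lambda u: u.get("surname"),
    # Switch([IsSoftDeleted], , "False", "True", "True", "False")
    # (omitted default treated as None, an assumption of this example)
    "active": lambda u: azure_switch(u.get("IsSoftDeleted"), None,
                                     "False", "True", "True", "False"),
}

# Matches the filtered multi-valued form used by the emails mapping
FILTER_RE = re.compile(r'^(\w+)\[type eq "(\w+)"\]\.(\w+)$')


def set_path(doc, path, value):
    """Set a SCIM attribute path such as name.givenName or
    emails[type eq "work"].value inside a resource dict."""
    match = FILTER_RE.match(path)
    if match:
        attr, kind, sub = match.groups()
        entries = doc.setdefault(attr, [])
        for entry in entries:
            if entry.get("type") == kind:
                entry[sub] = value
                return
        entries.append({"type": kind, sub: value})
        return
    parts = path.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def to_scim_user(azure_user):
    """Build the SCIM 2.0 User resource carrying exactly the table's attributes."""
    scim = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for path, derive in MAPPINGS.items():
        value = derive(azure_user)
        if value is not None:
            set_path(scim, path, value)
    # SCIM "active" is a boolean; the Switch expression yields the string "True"/"False"
    if "active" in scim:
        scim["active"] = scim["active"] == "True"
    return scim


# Constructed sample users; IsSoftDeleted holds the string the Switch compares against
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "givenName": "Alice",
     "surname": "Liddell", "IsSoftDeleted": "False"},
    {"userPrincipalName": "bob@example.com", "givenName": "Bob",
     "surname": "Tables", "IsSoftDeleted": "True"},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(json.dumps(to_scim_user(user), indent=2))
```

The inverted Switch is the part worth checking: a soft-deleted user (IsSoftDeleted "True") must arrive at the adapter with `active: false`, otherwise deletions in Azure AD would not deactivate the account on the Perimeter 81 side.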


Assigning Users

1. Navigate to the SCIM enterprise application and click on “Users and groups” in the left side navigation pane

2. Click on “+ Add user/group” on the top action bar

3. On the next screen, under “Users” click on “None Selected”

4. Search for the user(s) that should be assigned to the SCIM application

5. Select the user(s) and click on the “Select” button then the “Assign” button

6. Those users are now assigned to the SCIM application


Provisioning

Provisioning can be configured to run every 40 minutes or on demand.


“Provision on Demand”

1. Click on the “Provision on demand” button

2. Search for the user who should be provisioned/updated

3. Click on the “Provision” button found in the lower-left corner

Troubleshooting and Known Issues

"HTTP/404 Not found response" in Azure

This error may occur if the Azure Admin selected to provision a group rather than a specific member list. Automatic Group Sync is currently not supported with Perimeter 81's SCIM offering.

"NOT_IN_ACCESS_GROUPS" in Perimeter 81
  • This means that the user belongs to a group that is not permitted on Perimeter 81.
  • To fix this issue, go to Settings -> Identity Providers and click the lock icon next to Okta.
  • Remove all groups from the list so that all users are allowed.
  • Click Save.
