Microsoft Entra ID (formerly Azure Active Directory) (SCIM)
  • 06 Sep 2024


      Understanding SCIM for Microsoft Entra ID (formerly Azure Active Directory)

      This guide provides insights into integrating Microsoft Entra ID (formerly Azure Active Directory) with Harmony SASE using the SCIM (System for Cross-domain Identity Management) protocol. 

      The integration ensures continuous synchronization of users between Azure AD and Harmony SASE, facilitating seamless user management and authentication.

      Steps

      1. Log in to Microsoft Azure and choose Azure Active Directory from the sidebar.


      2. Under Manage, select Enterprise applications.
      3. Select New application and then Create your own application to add a new application.

      4. Enter a name for the application (for example "P81"), leave the default settings as is, and click on Create.

      5. Once the application has been created, browse to App registrations, locate the created application, and click on it.

      6. From the left pane select Authentication, click on Add a platform and select Web.

      7. In the Configure Web screen, enter your workspace name: [https://workspace.perimeter81.com for US based platform or https://workspace.eu.sase.checkpoint.com for EU based platform] under the Redirect URIs and select Configure.

      8. Under Redirect URLs, add the following link: https://auth.perimeter81.com/login/callback for US based platform or https://auth.eu.sase.checkpoint.com/login/callback for EU based platform.

      9. Select Save.

      10. Under Front-channel logout URL enter your workspace name: [https://workspace.perimeter81.com for US based platform or https://workspace.eu.sase.checkpoint.com for EU based platform], under Supported account types, select the applicable option, and click on Save.

      Configuring the permissions

      1. From the left sidebar select API permissions.
      2. Select Add a permission.
      3. Select Microsoft APIs and choose Microsoft Graph to change the access level.

      4. The following page displays:

      5. The next step is to modify permissions so your app can read the directory. Under Delegated permissions, check the boxes next to Sign in and read user profile and Read directory data.
      6. Grant Admin Consent if requested.

      Support user groups

      1. If you want to enable user group support, you will need to enable the following permissions:
        • Application Permissions: Read directory data
        • Delegated Permissions: Access the directory as the signed-in user.
      2. Select Save at the top to save these changes.
      3. Grant Admin Consent if requested.

      Allowing access from external organizations (optional)

      1. If you want to allow users from external organizations (such as other Azure directories) to log in, you will need to enable the Multi-Tenant option for this application. In the Authentication section, choose the Multi-tenant option.
      2. Select Save at the top to save these changes.
      3. Grant Admin Consent if requested.


      Configuring the key

      1. You will need to create a key (secret password) that will be used as the Client Secret in the Harmony SASE IDP connection. Select Certificates and secrets from the Application menu.
      2. Click + New Client Secret.
      3. Enter a name for the key and choose the desired duration.
        • This is an expiring key. Record the expiration date in your calendar, as you will need to renew the key (get a new one) before that day to ensure users don't experience a service interruption.
      4. Select Add and the key will be displayed.


      Secret Value
      • Make sure to copy the Secret Value field of this key before leaving this screen. Otherwise, you may need to create a new key. 
      • This will later be pasted into the Client Secret field in the Harmony SASE Admin console.
      • You do not need to copy the "Secret ID".
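      The renewal reminder above can be automated. The following Python script is an added example, not part of this article or of Harmony SASE's own tooling: it flags client secrets that are expired or close to expiry, reading the passwordCredentials array of the Microsoft Graph application object (GET /applications/{id}). The JSON below is a constructed sample with made-up names, key IDs and dates, and the 30-day warning window is an assumption you would tune to your renewal process.

```python
import json
from datetime import datetime

# Constructed sample shaped like the "passwordCredentials" array of the Microsoft
# Graph application object (GET /applications/{id}). Names, key IDs and dates are
# made up. Graph never returns the secret value after creation, so none appears here.
SAMPLE_APP_JSON = """
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "P81",
  "passwordCredentials": [
    {"displayName": "harmony-sase-idp",
     "keyId": "11111111-1111-1111-1111-111111111111",
     "endDateTime": "2024-09-20T00:00:00Z"},
    {"displayName": "harmony-sase-idp-old",
     "keyId": "22222222-2222-2222-2222-222222222222",
     "endDateTime": "2024-08-01T00:00:00Z"},
    {"displayName": "long-lived",
     "keyId": "33333333-3333-3333-3333-333333333333",
     "endDateTime": "2026-01-01T00:00:00Z"}
  ]
}
"""


def parse_graph_time(value: str) -> datetime:
    """Graph emits ISO 8601 UTC timestamps with a trailing 'Z'; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expiring_secrets(app_json: str, now: datetime, warn_days: int = 30) -> list:
    """Return credentials that are expired or expire within warn_days, soonest first.

    Each result carries the key ID (safe to log; it is not the secret itself),
    the days remaining (negative when already expired) and a status label.
    """
    app = json.loads(app_json)
    results = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days
        if days_left <= warn_days:
            results.append({
                "displayName": cred.get("displayName"),
                "keyId": cred["keyId"],
                "endDateTime": cred["endDateTime"],
                "daysLeft": days_left,
                "status": "expired" if end <= now else "expiring",
            })
    results.sort(key=lambda r: r["daysLeft"])
    return results


def check_sample(now_iso: str = "2024-09-06T00:00:00Z", warn_days: int = 30) -> list:
    """Run the check against the constructed sample as of a given instant (assumed date)."""
    return expiring_secrets(SAMPLE_APP_JSON, parse_graph_time(now_iso), warn_days)


if __name__ == "__main__":
    for item in check_sample():
        print(f"{item['status']:>8}  {item['displayName']:<22} keyId={item['keyId']} "
              f"ends {item['endDateTime']} ({item['daysLeft']} days)")
```

      Run it on a schedule against the real Graph response and alert on anything with status "expiring"; rotating before that window closes avoids the service interruption the note above warns about. Only the keyId and display name are logged, never the secret value.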

      Configuring IDP connection

      1. Log in to your Harmony SASE Management Platform, navigate to Settings, and then IdentityProviders.
      2. Select + Add Provider.
      3. Choose Microsoft Azure AD.
      4. Fill in your Microsoft Azure AD Domain (your Domain - for example, harmonysase.com), Domain Aliases (optional), Client ID, and Client Secret. For the Client ID, this value is stored as the Application ID in Azure AD.

      5. For your Client Secret, use the value shown for the key when you created it in the previous step.
      6. Under Domain, set the name of the Microsoft Azure AD Domain, and under Domain Aliases, insert any email domain corresponding to the connection.
      7. Select Done.
      Troubleshooting

      If your users get access errors after the configuration, please check these steps.

      Configuring SCIM integration within Harmony SASE

      1. If you're creating the Azure integration for the first time, enable SCIM within the IDP configuration by clicking this checkbox:
      2. If you're editing an existing Azure configuration, turn SCIM Integration on by clicking the "Turn On" button:
      3. Once enabled, you need to configure SCIM by clicking on the Setting button:
      4. Copy the URL and paste it within the appropriate location within your IDP:
      5. Generate and then copy the Token (please note that we do not save it, so if you lose it, you'll have to generate a new one), then paste it in your IDP:

      Configuring SCIM integration within Azure AD

      Configure SCIM application

      1. Log in to your Azure tenant and navigate to Azure Active Directory.
      2. Create a new enterprise application named Harmony SASE SCIM:
        1. Click New application.
        2. Click Create your own application.
        3. Enter a name for the application (for example Harmony SASE SCIM), leave the default settings as is, and click Create.
      3. In the left navigation pane, click Enterprise applications.
      4. Select the enterprise application you created.
      5. Click Provisioning in the left navigation pane.

      6. Click the Get started button.
      7. On the Provisioning screen, set Provisioning Mode to automatic.
      8. Expand Admin Credentials.
      9. Stay on the Provisioning screen and expand "Mappings."
        1. Verify that "Provision Azure Active Directory Groups" is enabled. If not, click to enable it.
        2. Click on "Provision Azure Active Directory Users." This takes you to the attribute mapping screen.
      10. You'll now be on the "Attribute Mapping" screen.
        1. Under "Target Object Actions," enable all that apply.
        2. These are the actions that will trigger calls to the SCIM adapter.
      11. Configure "Attribute Mappings" to match the below configuration by deleting all the irrelevant fields and changing 'userPrincipalName':

      customappsso Attribute          Azure Active Directory Attribute                              Matching Precedence
      emails[type eq "work"].value    userPrincipalName                                             1
      active                          Switch([IsSoftDeleted], , "False", "True", "True", "False")
      name.givenName                  givenName
      name.familyName                 surname
      userName                        mail
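      To make the mapping table concrete, here is an added Python example (not code from this article, from Microsoft, or from Harmony SASE) that applies those five rows to an Entra user record and produces the SCIM 2.0 User resource the provisioning service would send, including the Switch expression that turns IsSoftDeleted into the boolean active flag and the precedence-1 filter used to look the user up before create/update. The Entra user dictionary is a constructed sample; the Switch semantics follow Microsoft's documented expression syntax (Switch(source, default, key1, value1, ...)), and treating an empty default as "attribute omitted" is an assumption.

```python
import re

# The five rows of the attribute mapping table above: (customappsso attribute, Entra source).
# The "active" source is an Entra mapping expression rather than a plain attribute.
MAPPINGS = [
    ('emails[type eq "work"].value', "userPrincipalName"),
    ("active", 'Switch([IsSoftDeleted], , "False", "True", "True", "False")'),
    ("name.givenName", "givenName"),
    ("name.familyName", "surname"),
    ("userName", "mail"),
]
MATCHING_ATTRIBUTE = 'emails[type eq "work"].value'  # matching precedence 1 in the table

SWITCH_RE = re.compile(r'^Switch\(\[(\w+)\],\s*(.*)\)$')
FILTER_PATH_RE = re.compile(r'^(\w+)\[(\w+) eq "([^"]+)"\]\.(\w+)$')


def evaluate(source, user):
    """Resolve a mapping source against an Entra user record.

    Plain names are read directly. Switch([attr], default, k1, v1, k2, v2, ...)
    compares the attribute's string form against each key and returns the paired
    value, or the default (None when the default is empty, as in the table).
    """
    m = SWITCH_RE.match(source)
    if not m:
        return user.get(source)
    attr, args = m.group(1), m.group(2)
    parts = [p.strip().strip('"') for p in args.split(",")]
    default, pairs = parts[0], parts[1:]
    lookup = dict(zip(pairs[0::2], pairs[1::2]))
    return lookup.get(str(user.get(attr)), default or None)


def set_target(resource, path, value):
    """Write value at a SCIM target path: dotted ('name.givenName') or filtered
    ('emails[type eq "work"].value'), creating the multi-valued entry if absent."""
    m = FILTER_PATH_RE.match(path)
    if m:
        attr, filter_key, filter_value, sub = m.groups()
        entries = resource.setdefault(attr, [])
        entry = next((e for e in entries if e.get(filter_key) == filter_value), None)
        if entry is None:
            entry = {filter_key: filter_value}
            entries.append(entry)
        entry[sub] = value
        return
    *parents, leaf = path.split(".")
    node = resource
    for p in parents:
        node = node.setdefault(p, {})
    node[leaf] = value


def to_scim_user(entra_user):
    """Build the SCIM 2.0 User resource that the mapping produces for one Entra user."""
    resource = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for target, source in MAPPINGS:
        value = evaluate(source, entra_user)
        if value is None:
            continue  # empty or unmapped attributes are omitted from the payload
        if target == "active":
            value = (value == "True")  # Switch yields strings; SCIM "active" is boolean
        set_target(resource, target, value)
    return resource


def matching_filter(entra_user):
    """SCIM filter on the precedence-1 matching attribute, i.e. the lookup the
    provisioning service performs before deciding whether to create or update."""
    source = dict(MAPPINGS)[MATCHING_ATTRIBUTE]
    return f'{MATCHING_ATTRIBUTE} eq "{evaluate(source, entra_user)}"'


if __name__ == "__main__":
    import json
    # Constructed sample Entra user; the domain matches the example used earlier in this article.
    sample = {"userPrincipalName": "jdoe@harmonysase.com", "mail": "jdoe@harmonysase.com",
              "givenName": "Jane", "surname": "Doe", "IsSoftDeleted": False}
    print(matching_filter(sample))
    print(json.dumps(to_scim_user(sample), indent=2))
    print(json.dumps(to_scim_user(dict(sample, IsSoftDeleted=True)), indent=2))
```

      The soft-deleted variant shows why the active row matters: a user removed from Entra is pushed with active set to false rather than silently left enabled, which is the deprovisioning path the "Target Object Actions" in step 10 are meant to trigger. The filter string is the same one you would see in the SCIM endpoint's request log when Azure checks whether a user already exists.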

      Assigning Users/Groups

      1. Navigate to the SCIM enterprise application and click “Users and groups” in the left-side navigation pane.
      2. Click on “+ Add user/group” on the top action bar.
      3. On the next screen, under “Users and groups” click “None Selected”.
      4. Search for the user(s)/group(s) that should be assigned to the SCIM application.
      5. Select the user(s)/group(s) and click on the “Select” button and then the “Assign” button.
      6. Those users/groups are now assigned to the SCIM application.

        Note - Special characters are not supported in groups.

      Provisioning

      Provisioning can be configured to run every 40 minutes or on demand.

      Provision On Demand

      1. Click on the “Provision on demand” button.
      2. Search for the user who should be provisioned/updated.
      3. Click on the “Provision” button found in the lower-left corner.

      Troubleshooting and Known Issues

      "NOT_IN_ACCESS_GROUPS" in Harmony SASE

      This means that the user belongs to a group not permitted on Harmony SASE.

      • To fix this issue, go to Settings -> Identity Providers and click the lock icon next to Okta:
      • Remove all groups from the list so that all users are allowed
      • Click Save. The menu should look like this:

      Recommendations

      • Verify attribute mappings and enable relevant actions that trigger calls to the SCIM adapter.
      • Assign users or groups in Azure AD to the SCIM application.
      • Periodically check Azure's Dashboard for any provisioning errors or issues.

      Troubleshooting

      If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

      Support Contacts

      If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.

