All Collections
Integrations
Other Integrations
Provisioning and SSO
Automatic user provisioning in Azure AD using SCIM
Automatic user provisioning in Azure AD using SCIM

Setup automatic provision of users and teams using SCIM (System for Cross-Domain Identity Management).

Updated over a week ago

Introduction

GetAccept supports the ability to provision users and teams from your Microsoft Entra ID Active Directory environment. For customers that utilize Active Directory in Microsoft Entra ID, users can be provisioned to the platform and automatically added to Teams in GetAccept for convenient access management.

GetAccept provisioning integration supports the following features:

  • Create new users in GetAccept.

  • Updates user attributes from the Active Directory.

  • Deletes users (inactivates users in GetAccept).

  • Creates teams in GetAccept (from the user's Active Directory group name).

  • Adds or removes users to groups (to teams in GetAccepts).

  • Manage access rights based on custom application roles.

Before setting up the integration it is good to understand:

  • We recommend installing SSO for Microsoft Entra ID following this article.

  • Each GetAccept entity requires a unique Enterprise application in your Microsoft Entra ID environment. A GetAccept entity can only communicate with one application at a time.

  • While GetAccept creates teams from your user's Active Directory group names, being a member of multiple Active Directory groups is not supported and will result in no teams being created and provisioned to GetAccept.

Requirements:

  • To set up GetAccept user provisioning with Microsoft Entra ID, you need to have access to the GetAccept Admin account and an Entra ID administrator account.

  • If you haven't configured SSO already, we recommend starting with this article to get the GetAccept application listed as an Enterprise application in the Microsoft Entra ID portal.

How To Setup SCIM

Step 1: Connect GetAccept to Entra ID

If you have created a GetAccept application that is listed in your Enterprise applications you can proceed with the guide below. Otherwise, take a look at the SSO with Microsoft Entra ID help article first.

  1. Sign in to the Microsoft Entra ID portal using either a work or school account or a personal Microsoft account.

  2. On the left navigation panel, select the service Microsoft Entra ID.

  3. Select Enterprise Applications and search for the "GetAccept" application in the list. If you don't have the application, follow our guide to doing this here.

  4. After entering your application, click on the "Provisioning" section and select the "Automatic" option.

  5. Login to GetAccept using an administrator account and select the entity you would like to use for SCIM User Provisioning.

  6. In GetAccept, select Settings, Integrations, and find SCIM User Provisioning in the list.

  7. Click Settings to open the SCIM configuration.

  8. Copy the Tenant URL and paste it into the Admin Credentials Tenant URL field in Entra ID.

  9. Copy the Access Token and paste it into the Admin Credentials Secret Token field in Entra ID.

  10. Click Connect in GetAccept to store the token.

  11. Go back to the Entra ID screen and click Test Connection. If everything went well you should receive a success message.

  12. Click the Save button.

  13. Go to Provisioning Overview and then go to Edit Attribute Mappings, and make sure that Provisioning Status is set to Off and save the settings for now.

Step 2: Setup data mapping in Entra ID

Before you start with the simple data mappings, go through the steps below:

  • Make sure your GetAccept user roles exist according to Step 5 in the SSO article.

  • In your "GetAccept" Enterprise application, go to Users and groups, click Application registration, and make sure to disable all of your appRoles, these will be enabled again at a later step.

You can read more about custom attribute mapping in Step 5.

Start setup of data mapping:

  1. In Entra Admin go to Entra ID.

  2. Go to Enterprise Applications and click on "GetAccept" in the list.

  3. Click on Provisioning and expand the Edit attribute mappings part.

  4. Go to Enterprise Applications and click on "GetAccept" in the list.

  5. Click on Provisioning and expand the Edit attribute mappings part.

  6. Open Mappings.

  7. Click Provision Microsoft Entra ID Users.

  8. Scroll to the bottom and click Add New Mapping.

  9. Select Mapping type Expression and copy + paste the value SingleAppRoleAssignment([appRoleAssignments]) into the Expression field. If you're running into an expression error, please type the expression manually, your clipboard might've added unsupported characters.

  10. In the Target attribute, select the value roles[primary eq "True"].value from the dropdown.

  11. Click OK at the bottom and continue to Save the settings.

  12. Once this is done you have to enable your appRoles again to proceed further in the installation article.

Step 3: Assign a test user or group

  1. In Entra Admin go to Entra ID.

  2. Go to Enterprise Applications and click on "GetAccept" in the list.

  3. Click on the Users and groups section.

  4. Click + Add user.

  5. Add yourself or a test user/group.

  6. Select the desired GetAccept role (Administrator, Manager, User) from the previously created appRoles. If no roles are set all synchronized users will receive the default user-role in GetAccept.

  7. Click Assign to save.

Step 4: Enable provisioning sync

  1. In Entra Admin go to Microsoft Entra ID.

  2. Go to Enterprise Applications and click on "GetAccept" in the list.

  3. Click on Provisioning.

  4. Set Provisioning Status to On and make sure that the Scope is set to Sync only assigned users and groups. You can do this if you follow step 1.13 in this article

  5. Click Save, wait a few minutes, and check if teams and users have been successfully synchronized to GetAccept.

[Optional] Step 5: Custom Attribute Mapping

With the SCIM integration, you can customize attribute mapping for both Users and groups. Attribute mapping allows you to define how the source attribute values from Microsoft Entra ID are mapped to the corresponding values in the provisioning request sent to GetAccept. This customization enables you to tailor the integration to suit your specific requirements. For example, change the source attribute of the email address, or Active Directory groups to populate the correct name of your teams in GetAccept when provisioning data with SCIM.

There are three primary methods for attribute mapping:

  1. Direct Mapping: Specify the exact attribute values to be transferred.

  2. Expressions: Construct custom expressions to extract and transform data from your Active Directory, providing greater flexibility and control. You can use the Expression builder in the Provisioning section to test and validate your custom expressions, learn more about expressions here.

  3. Constant Value Mapping: Assign a fixed value to an attribute, ensuring consistency across all SCIM requests.

Important Note: While we provide documentation and guidance on attribute mapping, it's important to note that GetAccept does not provide support for configuring or troubleshooting your Active Directory mapping. However, this section aims to provide valuable insights and pointers to help you in navigating this aspect of the integration process effectively. We recommend turning to the Microsoft Community forums and help articles if you need help with setup or troubleshooting of custom attribute mapping and expressions.

Here are the GetAccept user profile fields and their matching default values we are listening to in the provisioning event from Microsoft Entra ID:

  • Email (GetAccept) equals userName (customappsso Attribute) and is by default mapped to userPrincipleName (Microsoft Entra ID Attribute) on the Source Object User under Provision Microsoft Entra ID Users.

  • First name (GetAccept) equals name.givenName (customappsso Attribute) and is by default mapped to givenName (Microsoft Entra ID Attribute) on the Source Object User under Provision Microsoft Entra ID Users.

  • Last name (GetAccept) equals name.familyName (customappsso Attribute) and is by default mapped to surname (Microsoft Entra ID Attribute) on the Source Object User under Provision Microsoft Entra ID Users.

  • Phone (GetAccept) equals phoneNumbers[type eq "work"].value (customappsso Attribute) and is by default mapped to telephoneNumber (Microsoft Entra ID Attribute) on the Source Object User under Provision Microsoft Entra ID Users.

  • Mobile (GetAccept) equals phoneNumbers[type eq "mobile"].value (customappsso Attribute) and is by default mapped to mobile (Microsoft Entra ID Attribute) on the Source Object User under Provision Microsoft Entra ID Users.

  • Title (GetAccept) equals title (customappsso Attribute) and is by default mapped to jobTitle (Microsoft Entra ID Attribute) on the Source Object User under Provision Microsoft Entra ID Users.

  • Note (GetAccept) equals externalId (customappsso Attribute) and is by default mapped to mailNickname (Microsoft Entra ID Attribute) on the Source Object User under Provision Microsoft Entra ID Users.

  • Team (GetAccept) equals displayName (customappsso Attribute) and is by default mapped to displayName (Microsoft Entra ID Attribute) on the Source Object Group under Provision Microsoft Entra ID Groups.

  • User profile language (GetAccept) equals preferredLanguage (customappsso Attribute) and is by default mapped to preferredLanguage (Microsoft Entra ID Attribute) on the Source Object User under Provision Microsoft Entra ID Users.

To change the source object User:

  1. Go to Enterprise Applications and click on "GetAccept" in the list.

  2. Click on Provisioning.

  3. Click on Edit attribute mappings.

  4. Select Provision Microsoft Entra ID Users.

  5. Find the attribute mapping you would like to change in the list.

  6. Click on Edit to the right.

  7. Select the desired mapping type. You can now edit the source attribute value to your desired Active Directory value.

  8. Be cautious and keep in mind that the target attribute is what GetAccept is listening to, changing those might affect and break the provisioning flow.

To change the source object Group:

  1. Go to Enterprise Applications and click on "GetAccept" in the list.

  2. Click on Provisioning.

  3. Click on Edit attribute mappings.

  4. Select Provision Microsoft Entra ID Groups.

  5. Find the attribute mapping you would like to change in the list.

  6. Click on Edit to the right.

  7. Select the desired mapping type. You can now edit the source attribute value to your desired Active Directory value.

  8. Be cautious and keep in mind that the target attribute is what GetAccept is listening to, changing those might affect and break the provisioning flow.

Troubleshooting

Attribute Mapping - Expression Error

If you are running into an error with the Attribute Mapping and the mapping type Expression saying "The expression you entered is not valid." in Step 2.

  • Try to manually insert the expression value, we have seen that clipboards can insert invisible characters breaking the expression format.

  • Your appRoles are still enabled, make sure to disable them before creating the new attribute.

Teams are not provisioned from Active Directory groups

If you are having issues with Teams not being created and assigned to the provisioned users in GetAccept from your Active Directory, make sure that your users don't belong to multiple groups in your Active Directory. As mentioned in the Introduction, while GetAccept creates teams from your user's Active Directory group names, being a member of multiple Active Directory groups is not supported and will result in no teams being created and provisioned to GetAccept.

The GetAccept user can only belong to one team, you can always create and manage your teams manually in GetAccept if your Active Directory setup requires multiple assigned groups to your user accounts.

Need help?

We are here to help you if you get stuck at any step in setting up the integration.
Use the chat icon to the right to start a conversation with our support team or send an email to support@getaccept.com 🧡

You can also find lots of information on Microsoft forums.

Related Articles
Azure Active Directory single sign-on (SSO) integration
Automatic user provisioning in Okta using SCIM
Did this answer your question?