Automatic user provisioning in Azure AD using SCIM

Set up automatic provisioning of users and teams using SCIM (System for Cross-Domain Identity Management).

Written by Alan Sincich
Updated over a week ago

GetAccept can provision users and teams from Microsoft Azure Active Directory, Okta, G Suite and other popular identity platforms using the SCIM protocol. For customers that use Azure AD, users can be provisioned to the platform and automatically added to teams in GetAccept for convenient access management. The GetAccept provisioning integration supports the following features:

  • Creates users in GetAccept

  • Updates user attributes

  • Deletes users (inactivates users in GetAccept)

  • Creates teams in GetAccept (from Azure groups)

  • Adds users to or removes users from groups (teams in GetAccept)

  • Manages access rights based on custom application roles

Requirements

To set up GetAccept user provisioning with Azure AD, you need access to the GetAccept Admin account and an Azure account.

If you haven't configured Single sign-on yet, we recommend starting with that so the GetAccept application is listed in the Azure Access panel application list.

Configuration Steps

  1. Go to your Azure Admin account and go to Azure Active Directory > Enterprise Applications and click on "GetAccept". If you don't have the application, follow our guide to do this here. After adding the application, click on the "Provisioning" section and select the "Automatic" option.

  2. Log in to GetAccept using an administrator account and select the entity you would like to use for user provisioning > Update credentials. Go to Settings, Integrations and find SCIM User Provisioning in the list.

  3. Click Connect and generate a new access token using the Generate button.

  4. In Azure AD, copy the URL into the Tenant URL field and the access token into the Secret Token field.

  5. Click Save in GetAccept to store the token, then go back to the Azure AD screen and click Test Connection. If everything went well, you should receive a success message.
    Make sure Provisioning Status is set to Off and save the settings for now.

Add custom application roles

  1. In Azure Admin go to Azure Active Directory > App registrations

  2. Click GetAccept in the list 

  3. In the left panel click on Manifest and scroll down to find the section appRoles

  4. Replace the section with the following code and press Save at the top

"appRoles": [
  {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "Managers can manage teams and their documents",
    "displayName": "Manager",
    "id": "1b4f816e-5eaf-48b9-8603-7923830595ad",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "manager"
  },
  {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "Users can create, send and view documents",
    "displayName": "User",
    "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "user"
  },
  {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "Administrators can manage entity settings and users",
    "displayName": "Administrator",
    "id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "admin"
  }
],
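
A pre-save check for the appRoles section above, as an added example that is not GetAccept's or Microsoft's code: it confirms every id is a distinct GUID (two of the ids above differ in a single digit, so a paste slip is easy to miss) and that each value is one of manager, user or admin, exactly as written. The helper names and the broken sample are constructed for illustration.

```python
import uuid

# Values from the manifest above; assumed to be the full set GetAccept accepts.
EXPECTED_VALUES = {"manager", "user", "admin"}

def check_app_roles(app_roles):
    """Return a list of problems in an appRoles list; empty means it passed."""
    problems, seen_ids, seen_values = [], set(), set()
    for i, role in enumerate(app_roles):
        name = role.get("displayName") or f"role #{i}"
        try:
            # Canonical form, so case or brace variants of one GUID collide.
            rid = str(uuid.UUID(str(role.get("id"))))
            if rid in seen_ids:
                problems.append(f"{name}: duplicate id {rid}")
            seen_ids.add(rid)
        except ValueError:
            problems.append(f"{name}: id is not a valid GUID")
        value = role.get("value")
        if not isinstance(value, str) or value not in EXPECTED_VALUES:
            problems.append(f"{name}: unexpected value {value!r}")
        elif value in seen_values:
            problems.append(f"{name}: duplicate value {value!r}")
        else:
            seen_values.add(value)
        if role.get("isEnabled") is not True:
            problems.append(f"{name}: isEnabled is not true")
        if "User" not in role.get("allowedMemberTypes", []):
            problems.append(f"{name}: 'User' missing from allowedMemberTypes")
    for missing in sorted(EXPECTED_VALUES - seen_values):
        problems.append(f"no role with value {missing!r}")
    return problems

def make_role(display_name, role_id, value):
    """Build one appRoles entry with the fixed fields the manifest uses."""
    return {"allowedMemberTypes": ["User"], "displayName": display_name,
            "id": role_id, "isEnabled": True, "lang": None,
            "origin": "Application", "value": value}

# The three roles from the manifest above (descriptions omitted).
PAGE_ROLES = [
    make_role("Manager", "1b4f816e-5eaf-48b9-8603-7923830595ad", "manager"),
    make_role("User", "1b4f816e-5eaf-48b9-8613-7923830595ad", "user"),
    make_role("Administrator", "c20e145e-5459-4a6c-a074-b942bbd4cfe1", "admin"),
]
# Constructed mistake: Manager's id reused for User, and "Admin" capitalised.
BROKEN_ROLES = [PAGE_ROLES[0],
                make_role("User", PAGE_ROLES[0]["id"].upper(), "user"),
                make_role("Administrator", PAGE_ROLES[2]["id"], "Admin")]
```

To check a real manifest, load the exported JSON and pass its appRoles list to check_app_roles before pressing Save.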

Setup data mapping in Azure AD

  1. Go to your Azure Admin account and go to Azure Active Directory > Enterprise Applications and click on "GetAccept". Click on the "Provisioning" section and expand the Edit attribute mappings part.

  2. Click on Synchronize Azure Active Directory Users to customappsso, and click Provision Azure Active Directory Users.

  3. Scroll to the bottom and click Add New Mapping

  4. Select type Expression, enter
    SingleAppRoleAssignment([appRoleAssignments])

  5. In Target attribute, select
    roles[primary eq "True"].value

  6. Click OK at the bottom and then save the settings.
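
What the mapping in steps 4 and 5 means for the SCIM user resource, as an added example that is not GetAccept's or Microsoft's code: SingleAppRoleAssignment yields the user's single assigned app role, and the target path stores it in the roles entry whose primary equals "True". The payloads are constructed, their exact shape is an assumption, and the helper names are hypothetical.

```python
# Role values defined in the appRoles manifest on this page.
KNOWN_ROLES = {"manager", "user", "admin"}


def primary_role(scim_user):
    """Evaluate roles[primary eq "True"].value on one SCIM user resource.

    Returns the role value, or None when no primary role is present (the case
    the page describes as falling back to the default user role). Raises
    ValueError when the payload is ambiguous or names an undefined role.
    """
    matches = []
    for entry in scim_user.get("roles") or []:
        # The filter literal is the string "True"; a JSON boolean is accepted too.
        primary = entry.get("primary")
        if primary is True or str(primary).lower() == "true":
            matches.append(entry.get("value"))
    if not matches:
        return None
    if len(matches) > 1:
        raise ValueError("more than one primary role in payload")
    if matches[0] not in KNOWN_ROLES:
        raise ValueError(f"role {matches[0]!r} is not defined in appRoles")
    return matches[0]


def make_user(user_name, roles=None):
    """Constructed SCIM user resource with only the fields this example reads."""
    user = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
            "userName": user_name, "active": True}
    if roles is not None:
        user["roles"] = roles
    return user


# Constructed payloads (example.com addresses are placeholders).
ASSIGNED = make_user("anna@example.com", [{"primary": "True", "value": "manager"}])
NO_ROLE = make_user("bo@example.com")
TYPO = make_user("cy@example.com", [{"primary": "True", "value": "Admin"}])

if __name__ == "__main__":
    print(primary_role(ASSIGNED))
    print(primary_role(NO_ROLE))
```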

Add a test user

  1. Go to your Azure Admin account and go to Azure Active Directory > Enterprise Applications and click on "GetAccept". 

  2. Click on the "Users and groups" section

  3. Click + Add user

  4. Add yourself or a test user/group

  5. Select a Role from the previously created custom roles. If no roles are set up, all synchronized users will receive the default user role in GetAccept.

  6. Click Assign to save

Enable provisioning sync

  1. Go to your Azure Admin account and go to Azure Active Directory > Enterprise Applications and click on "GetAccept". Click on the "Provisioning" section

  2. Set Provisioning Status to On and make sure Scope is set to Sync only assigned users and groups.

  3. Click Save, wait a few minutes, and check that teams and users have been successfully synchronized to GetAccept.

Need help?

We are here to help you if you get stuck at any step setting up the integration.
Use the chat-icon to the right to start a conversation with our support team or send an email to integrations@getaccept.com
