Procedure for Configuring Automated Provisioning in Azure AD
If your organization uses Microsoft’s Azure Active Directory (Azure AD), follow these detailed instructions to set up automated provisioning following the SCIM standard. The procedure is shown for this provider as an example; it is similar for other providers.
Requirements
Before you begin, make sure:
✅ you have configured Authentication with SAML;
✅ your organization holds an active Antidote Web subscription;
✅ your account is assigned the Administrator or Technician role.
The basic procedure consists of three key steps:
A. Preparing Azure AD
B. Linking the Client Portal and Azure AD
C. Configuring users in Azure AD
The following settings are optional and can be configured according to your preferences:
D. Managing Antidote Web access
E. Managing roles in the organization
A. Preparing Azure AD
1. In the Azure portal, go to the Enterprise applications service. You can access it quickly by typing the first few characters in the search field.
2. Select the application you created for Druide’s Client Portal when you configured the SAML settings.
3. Click Provisioning in the sidebar.
4. Click the Get Started button.
5. In the next window, select Automatic from the Provisioning Mode drop-down menu.
Keep this window open. You will need to come back to it later to enter information retrieved from the Client Portal. Open a new window to follow the instructions in the next section.
B. Linking the Client Portal and Azure AD
1. In a new window, log in to your organization’s Client Portal and click the Settings tab.
2. Go to the SCIM Automated Provisioning section.
3. Copy the Base URL by clicking the icon.
4. Go back to the Azure AD window from section A, and paste the link into the Tenant URL field.
5. Create a token in the Client Portal by clicking Add a token.
6. Click Add to confirm that you want to create a token.
7. Copy the token that appears on the screen by clicking the icon.
Caution — The token will only appear once. As a security measure, it is not possible to display it again. Make sure you have copied the token before closing the window.
8. Go back to the Azure AD window, and paste the token into the Secret Token field.
9. Click Save and close the panel.
C. Configuring users in Azure AD
1. Click Edit attribute mappings.
2. Expand the Mappings section.
3. Click Provision Azure Active Directory Users.
4. Make sure the source attribute associated with the target attribute userName corresponds to an email address in your database. In this example, the source attribute is userPrincipalName (in the Azure Active Directory Attribute column). If needed, you can edit the attribute by clicking on it.
5. Click Save if you made any changes, then close the panel.
6. Expand the Settings section.
7. Indicate whether you would like to synchronize all users and groups or only assigned users and groups.
Note — If you plan to manage roles in the organization with provisioning, choose Sync only assigned users and groups. Make sure you assign the application from the Users and groups section. (You can find instructions for adding assignments to the application starting at step 7 of section B under Steps to Configure Authentication with SAML and Azure AD.)
8. Click Save and close the panel.
9. Click Start provisioning.
User and group provisioning is now active. If the initial cycle was unsuccessful, the errors will be displayed on this screen.
The following sections describe optional settings for managing Antidote Web access and roles in the Client Portal from Azure AD.
D. Managing Antidote Web access
You can manage access to Antidote Web from Azure AD by configuring the following settings in the Client Portal.
Important — Access management for Antidote Web through automated provisioning overrides any access configured through Authentication with SAML.
1. In the Client Portal, scroll down to the second part of the Automated provisioning settings.
2. Choose how you would like to manage Antidote Web access. You have three options:
   - Manual management: Choose this option if you do not want to grant Antidote Web access automatically or if you want to use the SAML authentication settings you have already configured. If the manual management option is also selected under SAML authentication settings, no users will be automatically granted Antidote Web access. You can manage access manually from the Users tab in the Client Portal.
   - Grant Antidote Web access to all synchronized users: Choose this option to automatically grant Antidote Web access to all synchronized users. If your organization holds multiple subscriptions, indicate the one you want to use.
   - Grant Antidote Web access only to certain user groups: Choose this option to grant Antidote Web access to users according to groups synchronized through automated provisioning. This option is particularly useful if your organization holds multiple subscriptions and, for example, you would like to give one group access to Antidote Web — Bilingual and another access to Antidote Web — French. To register synchronized groups, click in the appropriate field and type the first few letters of the group name, then select from the list of corresponding groups that appears. To remove a group, click the X beside its name. When a user is removed from a group by SCIM synchronization, Antidote Web access will be automatically withdrawn from that user. This also applies to a user added to a synchronized group; that user will be automatically granted access to the Antidote Web subscription associated with the group in question.
   You do not need to send out invitations from the Client Portal for users to activate their Antidote Web access. They can log in directly to the Client Portal (services.druide.com) or to Antidote Web (antidote.app).
3. Click Save once you have made your choice.
E. Managing roles in the organization
You can manage roles in the organization assigned to accounts in the Client Portal from Azure AD by configuring the following settings in Azure AD. Begin by synchronizing the roles.
Synchronizing roles
1. From within the application you created for Druide’s Client Portal when you configured SAML authentication, click Provisioning in the sidebar.
2. Expand the Mappings section.
3. Click Provision Azure Active Directory Users.
4. Click the check box Show advanced options.
5. Click Edit attribute list for customappsso.
6. At the bottom of the list, create a new line by entering “roles” in the field in the first column.
7. Check the box for Multi-Value.
8. Click Save.
9. Click Yes in the dialogue box that appears.
10. Click Add new mapping.
11. Select the mapping type Expression from the drop-down menu.
12. Enter the expression “AppRoleAssignmentsComplex([appRoleAssignments])”.
13. Select the target attribute roles from the next drop-down menu.
14. Click OK.
15. Click Save.
16. Click Yes in the dialogue box that appears.
Roles are now synchronized through provisioning. Next, configure roles in the organization.
Configuring roles
1. Change services in Azure, and go to the App registrations section. You can access it quickly by typing the first few characters of the section name in the search bar.
2. Click All applications.
3. Select the application you created for Druide’s Client Portal.
4. Click App roles in the sidebar.
5. Click Create app role.
6. Configure the following settings:
   A) Display name: enter “Administrator”.
   B) Allowed member types: select Users/Groups.
   C) Value: enter “admin” (all lowercase).
   D) Description: enter “Administrator”.
   E) Do you want to enable this app role?: leave the box checked.
7. Click Apply.
8. Repeat steps 5 to 7 for the technician role:
   A) Display name: enter “Technician”.
   B) Allowed member types: select Users/Groups.
   C) Value: enter “technician” (all lowercase).
   D) Description: enter “Technician”.
   E) Do you want to enable this app role?: leave the box checked.
9. Repeat steps 5 to 7 for the group supervisor role:
   A) Display name: enter “Group supervisor”.
   B) Allowed member types: select Users/Groups.
   C) Value: enter “supervisor” (all lowercase).
   D) Description: enter “Group supervisor”.
   E) Do you want to enable this app role?: leave the box checked.
Roles in the organization are now configured, and you can assign users to them.
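To see what the Client Portal side receives once the userName mapping from section C (an email address) and the roles mapping from section E (app role values admin, technician and supervisor) are in place, here is an added Python example; it is not code from Druide or the Client Portal. The sample payload is constructed, and the layout of each role object (primary, type, value) is an assumption about what Azure AD emits for AppRoleAssignmentsComplex.

```python
import re
from dataclasses import dataclass, field

# Role values must match the "Value" entered for each app role in section E;
# the userName mapping must yield an email address (section C, step 4).
PORTAL_ROLES = {"admin": "Administrator", "technician": "Technician", "supervisor": "Group supervisor"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class ProvisionedUser:
    email: str
    active: bool
    roles: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_scim_user(resource: dict) -> ProvisionedUser:
    """Validate one SCIM User resource of the shape Azure AD pushes once the
    userName and roles mappings on this page are in place."""
    user_name = resource.get("userName", "")
    if not EMAIL_RE.match(user_name):
        # A non-email userName means the source attribute in step C4 is wrong.
        raise ValueError(f"userName {user_name!r} is not an email address")
    user = ProvisionedUser(email=user_name.lower(), active=bool(resource.get("active", True)))
    # AppRoleAssignmentsComplex emits roles as a multi-valued list of objects;
    # only "value" (the app role's Value field) identifies the portal role.
    for role in resource.get("roles", []):
        value = role.get("value") if isinstance(role, dict) else role
        if value in PORTAL_ROLES:
            user.roles.append(PORTAL_ROLES[value])
        else:
            user.warnings.append(f"unknown role value {value!r} ignored")
    return user


# Constructed sample payload (not captured from Azure AD or the Client Portal).
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "Jane.Doe@example.com",
    "active": True,
    "roles": [
        {"primary": True, "type": "WindowsAzureActiveDirectoryRole", "value": "admin"},
        {"primary": False, "type": "WindowsAzureActiveDirectoryRole", "value": "Reader"},
    ],
}


def demo() -> ProvisionedUser:
    return parse_scim_user(SAMPLE_USER)
```

A role value that does not match one of the three configured app roles is reported rather than mapped, which is the symptom you would see if a Value was entered with different casing than the page specifies.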
Assigning roles
1. Return to Enterprise applications.
2. Select the application.
3. Click Users and groups in the sidebar.
4. Select the users to whom you want to assign a role.
5. Click Edit assignment.
6. Click None Selected.
7. Choose the role in the organization you would like to assign from the panel on the right side of the screen.
8. Click Select.
9. Click Assign.
10. Repeat steps 5 to 9 to assign other roles.
Client Portal roles in the organization are now managed from within Azure AD.