Integration with Azure

Workbench

To configure Microsoft Entra ID to work with Workbench, SSO must be configured in Workbench via SAML or OIDC. See the SAML Single Sign-On Authentication section or the OpenID Connect Authentication section of this guide for more information. See the Authenticating Users section of this guide for more general information on configuring authentication in Workbench.

Below is an example of how to configure Microsoft Entra ID to use Workbench’s user provisioning SCIM API. Please reference the Integrate your SCIM endpoint with the Microsoft Entra provisioning service section of Microsoft’s documentation for more information on getting started with provisioning and how to configure Microsoft Entra ID to use SCIM for your application.

Note

Microsoft Entra ID does not support the synchronization of passwords to external systems through SCIM. See Azure AD SCIM provisioning - Create User random password - Microsoft Q&A for more information.

Once your application is created in Microsoft Entra, you can configure the Microsoft Entra provisioning service to use Workbench’s SCIM API to provision users.

  1. In the application management screen of your application in Microsoft Entra, click on Provisioning in the left panel. The Provisioning blade displays. Once configured, this screen displays the provisioning settings for your application.

  2. Click on Provisioning in the left panel again. The configuration options for provisioning display.

  3. In the Provisioning Mode drop-down, select Automatic. Further configuration options display.

  4. Expand the Admin Credentials section.

  5. Do the following:

    1. In the Tenant URL field, type the URL of the SCIM API endpoint hosted by your Workbench instance. For example, https://<workbench-hostname>/scim/v2.
    2. Copy your Workbench SCIM API token and paste it into the Secret Token field. See the Managing tokens section for more information on how to generate this token.
  6. To trigger a test of the connection to Workbench, click Test Connection. If the connection is successful, a notification confirming the successful connection appears.

  7. To save the Admin Credentials configuration, click Save.

  8. Expand the Mappings section and click Provision Azure Active Directory Users. The Attribute Mapping blade displays.

  9. Do the following:

    1. For the Enabled toggle button, select Yes.
    2. For the Target Object Actions section, select the following check boxes:
      • Create
      • Update
      • Delete
  10. Scroll to the Attribute Mappings section. Review the attributes that are synchronized from Microsoft Entra ID to your application. Ensure that the userPrincipalName attribute from Microsoft Entra ID is mapped to the userName attribute in your application.

  11. Optionally, scroll to the bottom of the page and select Show advanced options. You can add custom extension attributes supported by Workbench here. See the Adding Workbench attributes to identity providers section for more information.

  12. Click Save to save the attribute mapping.

  13. Return to the previous blade. Click Provision Azure Active Directory Groups.

    The Provision Azure Active Directory Groups option is not supported by Workbench at this time.

  14. Currently, Workbench does not support the Provision Azure Active Directory Groups option. For the Enabled toggle button, select No and click Save.

  15. Return to the previous blade and set the Provisioning Status toggle button to On.

  16. To save the configuration, click Save.

With provisioning configured successfully, any users that are assigned to the Workbench application are automatically created in Workbench.
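
A preflight for the Tenant URL and Secret Token from step 5, useful to run before Test Connection in step 6. This is an added example, not code from Workbench or Microsoft. It assumes the token is presented as an HTTP bearer token and that the endpoint accepts a standard SCIM 2.0 (RFC 7644) userName filter; the environment variable names are hypothetical.

```python
import os
import urllib.error
import urllib.parse
import urllib.request
import uuid


def check_tenant_url(url):
    """Return a list of problems with a SCIM Tenant URL (empty list means OK)."""
    problems = []
    if "<" in url or ">" in url:
        problems.append("placeholder not replaced with the real hostname")
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https, the token is sent in a header")
    if not parts.hostname:
        problems.append("missing hostname")
    if parts.username or parts.password:
        problems.append("do not embed credentials in the URL")
    if not parts.path.rstrip("/").endswith("/scim/v2"):
        problems.append("path should end in /scim/v2")
    return problems


def build_probe(tenant_url, token):
    """Build (not send) a filtered user lookup for a name that should not exist."""
    problems = check_tenant_url(tenant_url)
    if problems:
        raise ValueError("; ".join(problems))
    if not token or token != token.strip():
        raise ValueError("token is empty or has whitespace from copy and paste")
    name = f"preflight-{uuid.uuid4()}"  # random, so no real user matches
    query = urllib.parse.urlencode({"filter": f'userName eq "{name}"'})
    req = urllib.request.Request(f"{tenant_url.rstrip('/')}/Users?{query}")
    req.add_header("Authorization", f"Bearer {token}")  # assumed bearer scheme
    return req


if __name__ == "__main__":
    # Hypothetical env var names; the token stays out of argv and shell history.
    try:
        req = build_probe(os.environ.get("SCIM_TENANT_URL", ""),
                          os.environ.get("SCIM_TOKEN", ""))
        with urllib.request.urlopen(req, timeout=10) as resp:
            print("HTTP", resp.status, "endpoint reachable, token accepted")
    except urllib.error.HTTPError as err:
        print("HTTP", err.code, "(401 or 403 points at the token)")
    except (ValueError, urllib.error.URLError) as err:
        print("preflight failed:", err)
```
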
