Azure SCIM - Automatic User Provisioning

Requirements:
  1. Activated Azure SSO in the Wizer Admin Panel. Azure Provisioning won’t work without it.

    Azure SSO instructions

  2. SCIM bearer token. For assistance in generating a SCIM bearer token, please contact our support team at support@wizer-training.com.

  3. Azure AD account with correct permissions to configure provisioning (e.g. Application Administrator, Cloud Application Administrator, or Global Administrator).

Instructions for SCIM application setup:

The SCIM application must be set up for Azure Provisioning (user synchronization) to work. Users will continue to use the SSO application to log in.

Instructions:

  1. Log into the Azure Administration Dashboard https://portal.azure.com/

  2. Click the Azure Active Directory button

  3. Click the Enterprise applications Tab


  4. Click the New application button


  5. In the Azure AD Gallery, click Create your Own Application

    1. Enter application name (e.g. “Wizer Provisioning”)

    2. Click Integrate any other application you don't find in the gallery option

    3. Click Create

  6. Click the Properties tab and turn off the visibility for users and then click Save

  7. Click the Provisioning tab and then click the Get started button

  8. In the Provisioning tab enter the SCIM Base URL and SCIM Bearer Token

    • Select Automatic Provisioning Mode

    • For Tenant URL enter: https://api.wizer-training.com/api/v1/scim/v2

    • For Secret Token (SCIM bearer token) enter the value that was provided by the Wizer team

    • Click Test Connection

    • After you get notified that the supplied credentials are authorized, click Save in the top left corner

  9. Define who will be in scope for provisioning

    Only users that are in scope for provisioning will appear in Wizer.

    The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application (option A) or based on attributes of the user/group (option B).

    We recommend provisioning users by assigning groups (option A).

    Start small. Test with a small set of users and groups before rolling out to everyone.

    - (option A) When the scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app.

    - (option B) When the scope is set to all users and groups, you can specify an attribute-based scoping filter (https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/define-conditional-rules-for-provisioning-user-accounts).

    Assigning users and groups - option A (recommended)

    If you choose to scope who will be provisioned to your app based on assignment, use the following steps to assign users and groups to the application:

    • Click the Users and groups tab, then click the Add user button

    • On the Add assignment screen, choose the Users and groups tab and select users and groups from the list. Then click the Assign button

    Assignment to the application based on attributes of the user/group - option B

    If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described here (https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/define-conditional-rules-for-provisioning-user-accounts) (option B).

  10. Select the Scope option in the Provisioning Settings section

    - (recommended) Select Sync only assigned users and groups to sync only the users and groups assigned in the Users and groups tab. If you use an attribute-based scoping filter (option B), you can select the Sync all users and groups option instead.

    Be careful with the “Sync all users and groups” option. If the attribute-based scoping filter is not configured correctly, it can synchronize all of your directory users, including your service accounts.

    Assign the same users and groups as for the SSO application. If some users are assigned to the SCIM application but aren’t assigned to the SSO application, they won’t be able to log in.

    - (Optional) In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications and select the Send an email notification when a failure occurs check box.

  11. Open the Mappings panel

    1. (recommended) If you don’t want to synchronize Azure Directory Groups with Wizer departments, you can turn off Provision Azure Active Directory Groups

      Click on Azure Directory Groups

      Turn off the Enabled option. Then click Save. This way Azure AD Groups won’t be created as Wizer Departments.

    2. Click Provision Azure Active Directory Users

    3. Click the userPrincipalName row and change the Matching precedence option to 2

    4. Click the mail row. Change the Match objects using this attribute option to Yes and the Matching precedence option to 1

    5. Leave all the other fields unchanged.

      For now, the Wizer application synchronizes only the first name, last name, email, and department fields. We plan to add support for other fields later, so it’s better to leave all the other attributes unchanged.

      Please note that, per the mapping above, the UPN (user principal name) is used only for matching and is not synced.

      If you don’t want to synchronize user departments with Wizer departments, you can turn this off by deleting the “department” field from the mapping.

  12. Click Save

  13. Turn on Provisioning by selecting the On option in Provisioning Status Row and click Save

  14. Provisioning should start immediately, but it might take some time before you start seeing users and groups in Wizer. The initial sync might take a while depending on your directory size. Synchronization occurs every 40 minutes.

  15. If you experience any issues with provisioning (for example, a user or group, which is a department in Wizer, not showing up in Wizer), check the "Provisioning Logs" section for errors. If the sync process encounters an error, it stops and the user/group provisioning will not succeed.

    After the errors have been addressed, provisioning should resume automatically within the next few hours, or you can restart the full synchronization manually by clicking Restart Provisioning.
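The following dry-run of the scoping and matching decisions from steps 9 to 11 is added here as an illustration and is not Wizer's or Microsoft's code: it applies the option A / option B scope to a constructed sample directory, then matches each in-scope account against existing Wizer users using the mail-first, userPrincipalName-second precedence configured in step 11. All account, group and department names are made up, and the `svc-` rule is a hypothetical scoping filter.

```python
import re

# Constructed sample directory (not real Azure or Wizer data): two pilot users,
# one unassigned user and one service account with no mail attribute.
DIRECTORY = [
    {"userPrincipalName": "alice@corp.example", "mail": "alice@corp.example",
     "givenName": "Alice", "surname": "Ng", "department": "Finance", "groups": {"Wizer-Pilot"}},
    {"userPrincipalName": "bob@corp.example", "mail": "bob.smith@corp.example",
     "givenName": "Bob", "surname": "Smith", "department": "IT", "groups": {"Wizer-Pilot"}},
    {"userPrincipalName": "carol@corp.example", "mail": "carol@corp.example",
     "givenName": "Carol", "surname": "Diaz", "department": "Sales", "groups": set()},
    {"userPrincipalName": "svc-backup@corp.example", "mail": "",
     "givenName": "", "surname": "", "department": "", "groups": set()},
]

def in_scope(users, scope, assigned_groups=(), scoping_filter=None):
    """scope='assigned' mirrors 'Sync only assigned users and groups' (option A);
    scope='all' mirrors 'Sync all users and groups', narrowed only by an
    attribute-based scoping filter (option B). With no filter, everything syncs."""
    if scope == "assigned":
        return [u for u in users if u["groups"] & set(assigned_groups)]
    return [u for u in users if scoping_filter is None or scoping_filter(u)]

def exclude_service_accounts(user):
    # Hypothetical scoping rule: drop UPNs that start with 'svc-' (a naming convention).
    return not re.match(r"^svc-", user["userPrincipalName"], re.IGNORECASE)

def find_existing(azure_user, wizer_users):
    """Matching precedence from step 11: mail (1) is tried first; userPrincipalName (2)
    is only evaluated when mail is empty or finds no existing Wizer user."""
    for attr in ("mail", "userPrincipalName"):
        value = (azure_user.get(attr) or "").lower()
        for w in wizer_users:
            if value and w["email"].lower() == value:
                return w
    return None

def wizer_attributes(user):
    # Only the fields the page says Wizer currently syncs; the UPN is used for
    # matching above but is not itself written to Wizer.
    return {"firstName": user["givenName"], "lastName": user["surname"],
            "email": user["mail"], "department": user["department"]}

def dry_run(users, wizer_users, **scope_kwargs):
    """Plan one sync cycle: matched users are updated, everyone else in scope is created."""
    return {u["userPrincipalName"]: ("update" if find_existing(u, wizer_users) else "create")
            for u in in_scope(users, **scope_kwargs)}
```

Running `dry_run(DIRECTORY, existing, scope="all")` without a filter shows the service account being created in Wizer, which is the outcome the warning in step 10 is about.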

What if you do not have an option of adding groups in automatic provisioning?

If the Azure AD plan on your end does not allow this option, you can either:

  1. Assign all users to the user sync application.

    Just so you know, this option will sync every assigned user, including any service accounts on your end.

  2. Use attribute-based scoping filters.

    Kindly note that those filters are purely Azure functionality. If you have additional questions about how those filters work or how to set them up, we can only suggest reaching out to Azure support directly.

Any questions? Please contact our support specialists at support@wizer-training.com 

Best regards,
