Azure Active Directory User Provisioning with SCIM

Provision users automatically from Azure Active Directory to quickly build your catalog and keep your users fresh.

The integration between Azure AD and OpsLevel that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management). To learn more about how Azure AD works with SCIM, please see the Azure AD User Provisioning guide.

The remainder of this guide is focused on enabling you to configure both OpsLevel and Active Directory to get provisioning up and running for your organization.

If you are interested in how to set up Single Sign-On in OpsLevel via Azure AD, please check out our guide here.

Capabilities supported

The following provisioning features are supported by OpsLevel today:

  • Create users in OpsLevel
  • Deactivate users in OpsLevel when they do not require access anymore
  • Keep user attributes synchronized between Azure AD and OpsLevel
  • Single sign-on to OpsLevel (recommended)

Requirements

The scenario outlined in this tutorial assumes that you already have the following items:

  • An Azure AD tenant.
  • A user account in Azure AD with permission to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
  • An OpsLevel account. SCIM-based user provisioning is available to all OpsLevel customers at this time.
  • A user account in OpsLevel with an Admin role.

Step-by-step configuration instructions

The OpsLevel - Active Directory Provisioning integration uses the same Application in Azure AD as our Single Sign-On integration. We recommend you configure Single Sign-On first by following the steps here.

Create a SCIM Integration in OpsLevel

In order to complete Step 5, you'll need to be logged in as a user with the Admin role. For more information on roles in OpsLevel, check out the guide.

  1. In the OpsLevel app, Click Integrations in the left sidebar.
  2. Click the + New Integration tile.
  3. On the New Integrations page, click the SCIM tile.
  4. Click Create to create a new SCIM Integration.
  5. On the SCIM Integration page, press the + Create API Token button and follow the prompts to create your API Token. When created, copy the token for use in Step 6 of Configuring the OpsLevel Azure AD Application below.
    NOTE: Ensure that you keep the token in a safe place as you will need it when configuring the integration within Azure AD and you will not be able to retrieve the value again later. If you do need to retrieve the value you will have to replace the token by clicking Delete API Token and repeat the API Token creation flow.
  6. While on this page, copy the SCIM API URL for use in Step 5 of configuring the OpsLevel application in Azure AD.

Configure Provisioning in Azure Active Directory

Configuring Azure AD to provision users in OpsLevel requires a generic application

  1. Sign in to the Azure portal. Select Enterprise Applications, then select All applications.
  2. In the applications list, select OpsLevel.
  3. Select the Provisioning tab.
  4. Set the Provisioning Mode to Automatic.
  5. Under the Admin Credentials section, fill in the URL and token fields with the values you saved in Steps 5 and 6 of the Create a SCIM Integration in OpsLevel section, then press Save.
    - For Tenant URL, use the SCIM API URL you copied from the SCIM Integration page.
    - For Secret Token, use the API Token you created on the SCIM Integration page.
  6. In the Azure portal, click Test Connection to ensure Azure AD can connect to your OpsLevel account. If the connection fails, ensure your API Token and URL are correct, then try the "Authorize" step again.
  7. In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications and select the Send an email notification when a failure occurs check box.
  8. Select Save.
  9. Under the Mappings section, select Synchronize Azure Active Directory Users to OpsLevel.
  10. In the Attribute Mappings section, review the user attributes that will be synchronized from Azure AD to OpsLevel. Note that the attributes selected as Matching properties will be used to match the user accounts in OpsLevel for update operations. Select the Save button to commit any changes.
  Attribute          Type
  userPrincipalName  String
  active             Boolean
  1. To enable the Azure AD provisioning service for OpsLevel, change the Provisioning Status to On in the Settings section.
  2. Define the users that you would like to provision to OpsLevel by choosing the desired values in Scope in the Settings section.
  3. When you are ready to provision, click Save.

This operation starts the initial synchronization cycle of all users and groups defined in Scope in the Settings section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

Now that provisioning is configured, you can assign your Azure AD users to the OpsLevel application as needed. New OpsLevel users provisioned this way will be automatically invited to your OpsLevel organization and receive a welcome email with a link to the OpsLevel application. For more information about how to assign Azure AD users, see Azure AD's documentation.

Troubleshooting

Monitoring your deployment from Azure AD

Once you've configured provisioning, use the following resources to monitor your deployment:

  1. Use the provisioning logs to determine which users have been provisioned successfully or unsuccessfully
  2. Check the progress bar to see the status of the provisioning cycle and how close it is to completion
  3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states here.

Troubleshooting Tips

  • OpsLevel expects the userName to be in email format and we suggest using the userPrincipalName by default.
  • At this time, OpsLevel only supports synchronization of the primary email, however we plan to support additional emails in the future.
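
As an added example (not OpsLevel's or Azure AD's own code), the following Python shows what a SCIM endpoint receives under the attribute mapping above (userPrincipalName to userName, active to active) and the checks the Troubleshooting Tips imply: a constructed create request and deactivation PATCH, a userName email-format check, and primary-email selection. The JSON shape follows SCIM 2.0 (RFC 7643/7644); the sample values and the string-valued `active` in the PATCH are assumptions.

```python
import json
import re

# Constructed sample: the SCIM 2.0 User resource the provisioning service
# would POST to the SCIM API URL after the default mapping. Values made up.
SAMPLE_CREATE = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jane.doe@example.com",
    "active": True,
    "emails": [
        {"value": "jane.doe@example.com", "type": "work", "primary": True},
        {"value": "jdoe@alt.example.com", "type": "other"},
    ],
})

# Constructed sample: the PATCH body sent when a user leaves Scope or is
# unassigned, which is what deactivates the user on the OpsLevel side.
SAMPLE_DEACTIVATE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}],
})

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_scim_user(body: str) -> dict:
    """Check an inbound SCIM User against the expectations in this guide.
    Returns the fields a provisioning backend would store, or raises
    ValueError with the reason that would surface in the provisioning log."""
    user = json.loads(body)
    if "urn:ietf:params:scim:schemas:core:2.0:User" not in user.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    user_name = user.get("userName", "")
    # userName must be in email format (Troubleshooting Tips above).
    if not EMAIL_RE.match(user_name):
        raise ValueError(f"userName must be an email address: {user_name!r}")
    # Only the primary email is synchronized; fall back to userName when no
    # entry in the emails list is flagged primary.
    primary = [e["value"] for e in user.get("emails", []) if e.get("primary")]
    return {"userName": user_name, "email": primary[0] if primary else user_name,
            "active": bool(user.get("active", True))}


def apply_patch(current: dict, body: str) -> dict:
    """Apply a SCIM PatchOp to a stored user. Some clients send the 'active'
    value as a string ("True"/"False") and capitalise the op, so normalise."""
    patch = json.loads(body)
    updated = dict(current)
    for op in patch.get("Operations", []):
        if op.get("op", "").lower() == "replace" and op.get("path") == "active":
            updated["active"] = str(op["value"]).lower() == "true"
    return updated
```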

If you have questions or difficulties with the SCIM integration, hit us up at [email protected].