Joan uses the System for Cross-Domain Identity Management (SCIM) to enable automatic provisioning of users from Azure AD (AAD). When enabled, all user management is done only in Azure AD and is disabled on the Joan side.
More information on the SCIM integration can be found in a Microsoft guide here.
1. Enable SCIM integration in Joan Office portal
Navigate to people management and click on SCIM. When a new window opens, enable the integration and generate a new token. That token will be used to authenticate the connection between Azure AD and Joan.
2. Create a new enterprise application in Azure AD
Log in to your Azure Portal account and navigate to the Active Directory section.
Continue to the Enterprise applications section to create a new non-gallery application.
3. Configure Joan SCIM Azure AD application
Go to the Provisioning section of the newly created application to connect it to your Joan account.
Make sure to set:
- Provisioning Mode to Automatic
- Tenant URL: https://portal.getjoan.com/api/scim/v2/
- Secret Token: Copied from the Joan SCIM configuration page
Click on Test Connection to confirm that the connection between your Azure AD and Joan is functional. After confirming that the connection works, click Save. Once Save is clicked, additional options will appear below the Admin Credentials option.
3. Configure Mappings
Joan supports the mapping of Users, while Group mapping is currently not available. Click on "Provision Azure Active Directory Groups" and disable it. Also, make sure to enable the Provisioning Status, while we're at it.
NOTE: You need to have at least one active user added under Users and groups, otherwise disabling the Azure Active Directory Groups will not work.
The next step is to map Azure user attributes to Joan ones. Click on "Provision Azure Active Directory Users" and set the attribute mappings as per the table below. Joan supports the following user attribute mappings for Users (Create, Update, Delete):
|userPrincipalName||userName||1||User email used for user matching|
|Switch([IsSoftDeleted], , "False", "True", "True", "False")||active|
|Switch(SingleAppRoleAssignment([appRoleAssignments]), "", "Admin", "Office Manager")||userType||Used for user groups matching. In this example, the Admin role will map to the Office Manager Joan user group and all others will have the User group (empty string).|
Used for assigning the user to a department
By default, Azure should already set everything correctly except:
- The objectId -> externalId mapping. In our case, it is mapping mailNickname instead. Simply click it and choose objectId instead. The final table should look like this:
- The App role assignments aren't set yet. To set them up, please refer to chapter 4 of this article and also add a new mapping as per the below screenshot (copy the text from the table above so that you don't need to type it)
IMPORTANT: After you finish setting the mappings, don't forget to hit Save.
That's it. You can now start adding groups and/or users. They will automatically synchronize with your Joan account.
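To check what the mappings above will send to Joan before relying on them, the following added example (not part of Joan's or Microsoft's documentation) models the two Switch() expressions from the table in Python and runs them over constructed sample users. The helper names, the sample users and the choice to raise an error when a user holds more than one app role are assumptions made for this illustration.

```python
# Added illustration: a local model of the two Switch() mappings in the table.
# Sample users are constructed; nothing here contacts Azure AD or Joan.

def switch(source, default, *pairs):
    """Switch(source, default, key1, value1, ...): value of the matching key, else default."""
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if source == key:
            return value
    return default

def single_app_role(assignments):
    """Stand-in for SingleAppRoleAssignment: one role name, or "" when none.
    Assumption: more than one role is treated as an error to review."""
    if len(assignments) > 1:
        raise ValueError("user holds more than one app role")
    return assignments[0] if assignments else ""

def to_joan_user(aad_user):
    """Build the SCIM attributes that the page's mappings would produce."""
    role = single_app_role(aad_user["appRoleAssignments"])
    return {
        "userName": aad_user["userPrincipalName"],
        "externalId": aad_user["objectId"],
        "active": switch(str(aad_user["IsSoftDeleted"]), "",
                         "False", "True", "True", "False"),
        "userType": switch(role, "", "Admin", "Office Manager"),
    }

# Constructed sample directory entries (hypothetical names and ids).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "objectId": "id-0001",
     "IsSoftDeleted": False, "appRoleAssignments": ["Admin"]},
    {"userPrincipalName": "bob@example.com", "objectId": "id-0002",
     "IsSoftDeleted": False, "appRoleAssignments": []},
    {"userPrincipalName": "carol@example.com", "objectId": "id-0003",
     "IsSoftDeleted": True, "appRoleAssignments": ["Admin"]},
]

def office_managers(users):
    """Active users who would land in the Office Manager group in Joan."""
    mapped = [to_joan_user(u) for u in users]
    return [m["userName"] for m in mapped
            if m["userType"] == "Office Manager" and m["active"] == "True"]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(to_joan_user(user))
    print("Active Office Managers:", office_managers(SAMPLE_USERS))
```

Any role value other than Admin, including no role at all, falls through to the empty string, so users get the plain User group unless the Admin app role is explicitly assigned.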
4. Configuring Roles
We currently support two roles - a User and an Office Manager.
To also provision the roles, please go to App registrations and select the application created for the SCIM integration.
NOTE: Don't forget to choose All applications if you can't see your app.
Under the App roles click Create app role.
Make sure to put Admin as the value and as the display name. The description isn't important.
Now we need to go back to the root directory, open Enterprise applications, and again select the application that was created for the Joan SCIM integration.
Roles can be changed by clicking Add user/group.
NOTE: You can't change the role by clicking the user, you must go through the Add user/group and reassign it.
On this page, click None Selected under Users/Groups and choose the Users/Groups that you wish to change the roles for.
NOTE: You can choose multiple users and select them.
NOTE: Choose the role we just created.
Once you click assign, you're done!
4. Configuring the department
To assign a department to the user, first navigate to your Joan SCIM AD Azure application. Once there, navigate to Users and groups and then select the user.
When the Profile page of the user opens, click on Edit and find the Department field in the section Job info. Next, enter the department you wish the user to belong to and save the configuration.
Once everything is set up, make sure that you start provisioning the users to the Joan Portal. Navigate to "Provisioning" and click "Start provisioning" and that is it!
The changes should be visible on the Joan Portal after the next synchronization cycle.