Provision and manage users from Azure AD

Joan uses a System for Cross-Domain Identity Management (SCIM) to enable the automatic provisioning of users from Azure AD (AAD). When enabled, all user management will be done only in Azure AD and disabled on Joan's side.

To establish automatic provisioning of the users please follow the provided instructions below.

Enable SCIM integration in MyJoan

Create a new enterprise application in Azure AD

Create Joan SCIM Azure AD application

Configure Mapping

Configure Roles

Adding Users and Groups

Configuring Departments

More information on the SCIM integration can be found in a Microsoft guide here.

Enable SCIM integration in MyJoan

Navigate to Settings --> Integrations and click on SCIM. Toggle to enable the integration and generate a new token. That token will be used to authenticate the connection between Azure AD and Joan.

2024-06-27 23_35_26-Joan Office

Create a new enterprise application in Azure AD

Login to your Azure Portal account and navigate to the Active Directory section.

Continue to the Enterprise applications section to create a new non-gallery application.

1_korak_kreiranje_SCIM aplikacije

Configure Joan SCIM Azure AD application

Go to the Provisioning section of the newly created application to connect it to your Joan account.

Make sure to set:

- Provisioning Mode to Automatic

- Tenant URL: https://portal.getjoan.com/api/scim/v2/

- Secret Token: Copied from the Joan SCIM configuration page

Click on Test Connection to confirm that the connection between your Azure AD and Joan is functional. After confirming that the connection works, click Save. Once Save is clicked, additional options will appear below the Admin Credentials option.

2_korak_povezava_SCIM_z_Joan_Portalom

Configure Mapping

Joan supports the mapping of Users, while Group Mapping is currently not available.
To disable the Group Mapping, we will first have to add one active user under the "Users and groups". To do so, please check the step Adding Users and Group

Once the user is added we can proceed with disabling the Group Mapping. Please click on "Provision Azure Active Directory Groups" and disable it. Also, make sure to enable the Provisioning Status, while we're at it.

4_korak_izklopimo_group_provisioning

The next step is to map Azure user attributes to Joan ones. Click on "Provision Azure Active Directory Users" and set the attribute mappings as per the table below. Joan supports the following mapping user attributes: Users (Create, Update, Delete).

By default, Azure should already set everything correctly except the objectId -> externalId mapping. In our case, please select objectId instead of the mailNickname.

5_korak_izgled_atributov_za_mapiranje

Please also make sure that following mapping is added:

  1. Click on Add New Mapping
  2. For Mapping type select Expression
  3. In Expression field paste -> Switch(SingleAppRoleAssignment([appRoleAssignments]), "", "Admin", "Office Manager")
  4. For Target attribute select userType
  5. Click Ok and Save

6_korak_dodamo_polje_za_office_managerja-userje

To make sure all of the attributes are set correctly please check the below table:

Azure attribute Joan
attribute

Matching
precedence

userPrincipalName userName 1

Switch([IsSoftDeleted], , "False", "True", "True", "False")

active  
givenName name.givenName  
surname name.familyName  
objectId externalId  
Switch(SingleAppRoleAssignment([appRoleAssignments]), "", "Admin", "Office Manager") userType  
department urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department  

Configuring Roles

We currently support two roles - a User and an Office Manager.

To create the user roles please follow these instructions:

  1. Please go to App registrations and select the application created for the SCIM integration. NOTE: Don't forget to choose All applications if you can't see your app.
  2. Click on Create app role
  3. Make sure to put Admin as the value and as the display name. The description isn't important.

    7_korak_ustvarimo_admin_rolo

Adding Users and Groups

To add the users and groups from your Active Directory to the Joan Application please follow these instructions:

  1. Find the application that you previously created for Joan
  2. Go to Users and groups
  3. Click on +Add users/groups
  4. Select the Users/Groups you wish to add
  5. Select the role for the wanted user/group
  6. Click Assign

Note: When adding users, be careful that you are not provisioning the same account under a specific group or as a user 

8_korak_dodamo_uporabnike_in_dolocimo_vlogo

If the users/groups that you previously added are not syncing, please try to provision them on demand.

9_korak_provisioning_uporabnikov

Configuring Departments

To assign a department to the user please follow the instructions below:

  1. Navigate to your Joan SCIM AD Azure application
  2. Once there, go to Users and groups and then click on the user you wish to change
  3. When the Profile page opens, click on Edit
  4. Find the Department field in the section Job info and enter the department you wish to add the user to
  5. Save the configuration
  6. Once everything is set up, make sure that you start provisioning the users to the Joan Portal. Navigate to "Provisioning" and click "Start provisioning" and that is it!

13_korak_departments

 

If you encounter any issues, please contact support@getjoan.com.