Provision and manage users from Azure AD

Joan uses System for Cross-Domain Identity Management (SCIM) to enable automatic provisioning of users from Azure AD (AAD). When SCIM is enabled, all user management is done in Azure AD only and is disabled on Joan's side.

More information on the SCIM integration can be found in a Microsoft guide here.

1. Enable SCIM integration in the Joan Office portal

Navigate to the user directory and click SCIM. In the window that opens, enable the integration and generate a new token. That token authenticates the connection between Azure AD and Joan, so treat it as a secret: anyone holding it can create, update and deactivate users in your Joan account.

2. Create a new enterprise application in Azure AD

Log in to your Azure Portal account and navigate to the Azure Active Directory section.

Continue to the Enterprise applications section and create a new non-gallery application.

3. Configure Joan SCIM Azure AD application

Go to the Provisioning section of the newly created application to connect it to your Joan account.

Make sure to set:

- Provisioning Mode to Automatic

- Tenant URL: https://portal.getjoan.com/api/scim/v2/

- Secret Token: Copied from the Joan SCIM configuration page

Click Test Connection to confirm that the connection between your Azure AD and Joan works. After confirming that it does, click Save. Once Save is clicked, additional options will appear below the Admin Credentials option.

3. Configure Mappings

Joan supports mapping of Users; Group mapping is currently not available. Click "Provision Azure Active Directory Groups" and disable it. While you are there, also make sure Provisioning Status is enabled.

NOTE: You need to have at least one active user added under Users and groups, otherwise disabling the Azure Active Directory Groups provisioning will not work.

The next step is to map Azure user attributes to Joan attributes. Click "Provision Azure Active Directory Users" and set the attribute mappings as in the table below. Joan supports the following operations for mapped users: Create, Update and Delete.

| Azure attribute | Joan attribute | Matching precedence | Comment |
|---|---|---|---|
| userPrincipalName | userName | 1 | User email, used for user matching |
| Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | | |
| givenName | name.givenName | | |
| surname | name.familyName | | |
| objectId | externalId | | |
| Switch(SingleAppRoleAssignment([appRoleAssignments]), "", "Admin", "Office Manager") | userType | | Used for user group matching. In this example, the Admin role maps to the Office Manager Joan user group; all other users get the User group (empty string). |
| department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | | Used for assigning the user to a department |

NOTE: You can safely remove the other attributes that were created by default, since they will not be used.

By default, Azure should already set everything correctly except:

  1. The objectId -> externalId mapping. By default it maps mailNickname instead. Click it and choose objectId instead. The final table should look like the one above.
  2. The App role assignments aren't set yet. To set them up, refer to chapter 4 of this article and also add a new mapping for userType (copy the Switch expression from the table above so that you don't need to type it).


IMPORTANT: After you finish setting the mappings, don't forget to hit Save.
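To make the mapping table concrete, here is an added example (not Joan's or Microsoft's code) that applies these mappings to constructed Azure AD user records and builds the SCIM 2.0 User resource the provisioning service would send to the tenant URL. The Azure expressions Switch() and SingleAppRoleAssignment() are re-implemented in Python with the semantics the table relies on, the sample users and objectIds are constructed, and find_match models the userName matching step.

```python
# Added example (not Joan's or Microsoft's code): applies the attribute mappings
# from the table above to constructed Azure AD user records and builds the SCIM
# 2.0 User resource the provisioning service would send to the Joan tenant URL.

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

def switch(source, default, *pairs):
    """Azure provisioning Switch(source, default, key1, val1, ...): the value
    paired with the key equal to source, otherwise default (the IsSoftDeleted
    row in the table uses an empty default)."""
    return dict(zip(pairs[0::2], pairs[1::2])).get(source, default)

def single_app_role_assignment(assignments):
    """Azure SingleAppRoleAssignment(): the one assigned app role name, or ""
    when the user has none (or more than one)."""
    return assignments[0] if len(assignments) == 1 else ""

def to_joan_scim_user(az):
    """Map one Azure AD user (attribute names as in the table) to the SCIM
    resource Joan receives. IsSoftDeleted arrives as the string "True"/"False";
    the Switch() result is cast to the SCIM boolean `active`."""
    role = single_app_role_assignment(az.get("appRoleAssignments", []))
    return {
        "schemas": [CORE_USER, ENTERPRISE_EXT],
        "userName": az["userPrincipalName"],  # matching precedence 1
        "active": switch(az["IsSoftDeleted"], "", "False", "True", "True", "False") == "True",
        "name": {"givenName": az["givenName"], "familyName": az["surname"]},
        "externalId": az["objectId"],
        # Admin app role -> Office Manager group; everyone else -> User group ("")
        "userType": switch(role, "", "Admin", "Office Manager"),
        ENTERPRISE_EXT: {"department": az.get("department", "")},
    }

def find_match(existing, scim_user):
    """Matching step: Joan users are looked up by userName (precedence 1) before
    a create is attempted; returns the matched record or None."""
    return next((u for u in existing if u["userName"] == scim_user["userName"]), None)

# Constructed sample Azure AD users (placeholder objectIds, not real tenant data).
AZ_USERS = [
    {"userPrincipalName": "ana@example.com", "IsSoftDeleted": "False", "givenName": "Ana",
     "surname": "Novak", "objectId": "obj-0001", "appRoleAssignments": ["Admin"],
     "department": "Facilities"},
    {"userPrincipalName": "bo@example.com", "IsSoftDeleted": "True", "givenName": "Bo",
     "surname": "Lee", "objectId": "obj-0002", "appRoleAssignments": []},
]
```

Running to_joan_scim_user over AZ_USERS shows the soft-deleted user arriving with active set to false and the Admin-role user landing in the Office Manager group, which is what you should see in the Joan portal after a sync.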


That's it. You can now start adding groups and/or users. They will automatically synchronize with your Joan account.

4. Configuring Roles

We currently support two roles: User and Office Manager.

To also provision the roles, go to App registrations and select the application created for the SCIM integration.

NOTE: Don't forget to choose All applications if you can't see your app.



Under the App roles click Create app role.

Make sure to set Admin as both the value and the display name. The description isn't important.

Now go back to the root directory, then to Enterprise applications, and again select the application that was created for the Joan SCIM integration.



Roles can be changed by clicking Add user/group.


NOTE: You can't change the role by clicking the user, you must go through the Add user/group and reassign it.



On this page, click None Selected under Users/Groups and choose the Users/Groups that you wish to change the roles for.


NOTE: You can choose multiple users and select them.



NOTE: Choose the role we just created.


Once you click Assign, you're done!

5. Configuring the department

To assign a department to a user, first navigate to your Joan SCIM Azure AD application. Once there, navigate to Users and groups and select the user.

When the user's Profile page opens, click Edit and find the Department field in the Job info section. Enter the department the user should belong to and save the configuration.

Once everything is set up, make sure that you start provisioning users to the Joan Portal: navigate to "Provisioning" and click "Start provisioning", and that is it!

The changes should be visible on the Joan Portal after the next synchronization cycle.


If you encounter any issues, please contact support@getjoan.com.