How to Configure SCIM with Azure Active Directory

ThousandEyes users can be added, deleted and modified using SCIM 2.0 and 1.1 compatible identity providers, dramatically decreasing the time needed to provision users into ThousandEyes. This document describes the integration between the identity provider Azure Active Directory and ThousandEyes.

Prerequisites

Configuration is simple. Here's what you need:

  • A ThousandEyes account assigned a role with the following permissions:

    • View Users

    • Edit Users

    • API Access

  • An Azure AD subscription.

Supported Features

  • User provisioning (creation)

  • User deletion

  • User modification

    • Display name

Group information or other user attributes cannot be translated into Account Groups, Roles or any other ThousandEyes structure.

Configuration

  1. To start, log in to Azure AD using this special link, which disables the Azure v2 Provisioning Client; that client is not compatible with ThousandEyes SCIM. If you have already set up SSO with Azure AD, skip to step 7.

  2. Go to Azure Active Directory > Enterprise applications > Add an application and search for ThousandEyes. Skip to step 4 if configuring a custom application.

  3. Click the ThousandEyes Enterprise application, then click Add.

  4. Once you click Add, the Enterprise Application opens.

  5. Users can be assigned to the app using the Assign users and groups option.

  6. Consult the How to configure Single Sign-On with Azure Active Directory article for guidance on setting up SSO. This article focuses on setting up SCIM. SSO and SCIM are distinct features, so neither one is required to set up the other.

  7. Click Provisioning (1) and change the Provisioning Mode (2) to Automatic.

  8. In ThousandEyes, go to the Profile tab of Account Settings > Users and Roles and copy the OAuth Bearer Token. Paste the token into the Secret Token (1) field under the Admin Credentials section in Azure and click the Test Connection (2) button. The enterprise application will now test the token and display the results (3).

  9. Expand the Mappings section and click the Synchronize Azure Active Directory Users to ThousandEyes hyperlink to open the mappings.

  10. Enable provisioning here and check the Create, Update and Delete boxes. Make sure the Attribute Mappings match the table below, then click Save.

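    | Azure Active Directory Attribute                            | ThousandEyes Attribute       | Matching precedence |
    |-------------------------------------------------------------|------------------------------|---------------------|
    | userPrincipalName                                           | userName                     | 1                   |
    | mail                                                        | emails[type eq "work"].value | 2                   |
    | Switch([IsSoftDeleted], , "False", "True", "True", "False") | active                       |                     |
    | displayName                                                 | displayName                  |                     |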

  11. Turn on the Provisioning Status (1) radio button, set Scope (2) to Sync only assigned users and groups, and click Save.
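
The attribute mappings from step 10, modeled in Python as an added example (this is not ThousandEyes or Microsoft code): it shows how the Switch expression turns IsSoftDeleted into the SCIM active flag, and how the two matching attributes are tried in precedence order until one hits. The function names switch, to_scim_user and find_match are hypothetical, the case-insensitive comparison and the treatment of any non-"True" result as inactive are assumptions, and all records are constructed.

```python
# Added example: models the attribute mappings from the table in step 10.
# Every record below is constructed sample data, not real tenant data.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def switch(source, default, *pairs):
    """Azure AD Switch(): value paired with the key equal to source, else default."""
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if source == key:
            return value
    return default

def to_scim_user(aad_user):
    """Apply the four mappings from the table to one Azure AD user record."""
    active = switch(str(aad_user["IsSoftDeleted"]), "",
                    "False", "True", "True", "False")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": aad_user["userPrincipalName"],
        "emails": [{"type": "work", "value": aad_user["mail"]}],
        # Assumption: anything other than the string "True" is treated as inactive.
        "active": active == "True",
        "displayName": aad_user["displayName"],
    }

def find_match(scim_user, existing_users):
    """Try matching attributes in precedence order and stop at the first hit."""
    name = scim_user["userName"].lower()  # assumption: case-insensitive compare
    mail = scim_user["emails"][0]["value"].lower()
    matchers = [
        lambda u: u["userName"].lower() == name,                  # precedence 1
        lambda u: any(e.get("type") == "work" and e["value"].lower() == mail
                      for e in u.get("emails", [])),              # precedence 2
    ]
    for matches in matchers:
        for user in existing_users:
            if matches(user):
                return user
    return None

if __name__ == "__main__":
    # Constructed: a user soft-deleted in Azure AD whose UPN was renamed.
    aad = {"userPrincipalName": "j.doe@example.com", "mail": "jane.doe@example.com",
           "displayName": "Jane Doe", "IsSoftDeleted": True}
    existing = [{"id": "te-1", "userName": "jane.doe@example.com",
                 "emails": [{"type": "work", "value": "jane.doe@example.com"}]}]
    scim = to_scim_user(aad)
    print(scim["active"], find_match(scim, existing)["id"])
```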

Status

Once the Initial Cycle runs, the Current Status section will show results with the number of users that are synchronized with ThousandEyes. This cycle runs once an hour to maintain sync between Azure AD and ThousandEyes. A cycle can be forced by checking the Clear current state and restart synchronization box and then clicking Save.

The View Audit Logs link reveals the under-the-hood activity, which can be a very valuable troubleshooting tool.

Opening the Modified Properties tab of an Import event shows the Attribute Mappings in action.