How to Configure SCIM with Azure Active Directory

You can add, delete, and modify ThousandEyes users using SCIM 2.0- and 1.1-compatible identity providers. This method dramatically decreases the time needed to provision users into ThousandEyes. This article describes how to integrate between the Azure Active Directory (Azure AD) identity provider and ThousandEyes.

Prerequisites

A ThousandEyes account that is assigned a role with the following permissions:
- View users
- Edit users
- API access
- Edit users in all account groups
An Azure AD subscription

Supported Features

User provisioning (user account creation)
User deletion
User modification
- Display name

Azure AD group information or other user attributes cannot be translated into account groups, roles, or any other ThousandEyes structure.

Configuration

To start, log in to Azure AD with this special link. This disables the Azure v2 Provisioning Client, which is not compatible with ThousandEyes SCIM. If you have already set up SSO with Azure AD, skip to step 7.
Go to Azure Active Directory > Enterprise applications > Add an application and search for ThousandEyes. If you are configuring a custom application, skip to step 4.
Click the ThousandEyes Enterprise application and Add.
Once you click Add, the Enterprise Application opens as below:
To assign users can be assigned to the app, use the Assign users and groups option.
For a guide on setting up SSO, see How to Configure Single Sign-On with Azure Active Directory. Here, we focus on setting up SCIM here. Because SSO and SCIM are distinct features, one is not required in order to set up the other.
Click Provisioning (1) and change the Provisioning Mode (2) to Automatic.
In the ThousandEyes platform, go to Account Settings > Users and Roles > Profile tab and copy the OAuth Bearer Token. In Azure's Admin Credentials section, paste the token into the Secret Token(1) field and click Test Connection (2). The enterprise application tests the token and displays results(3).
Expand the Mappings section and click Synchronize Azure Active Directory Users to ThousandEyes to open the mappings.

Enable provisioning: Check the Create, Update, and Delete checkboxes. Make sure the Attribute Mappings match the following table; then click Save.
Enable the Provisioning Status (1) radio button, set Scope (2) to Sync only assigned users and groups, and click Save.

Status

Once the initial cycle has run, the Current Status section shows results with the number of users that are synchronized with ThousandEyes. This cycle runs once an hour to maintain a sync between Azure AD and ThousandEyes. You can force a cycle by checking Clear current state and restart synchronization and then Save.

To reveal under-the-hood activity, see View Audit Logs. This can be a very valuable troubleshooting tool:

To see the attribute mappings in action, open the Modified Properties tab of an Import event:

PreviousThousandEyes Support for SCIM NextHow to Configure SCIM with Okta

Last updated 8 months ago