How to Configure SCIM with Azure Active Directory

You can add, delete, and modify ThousandEyes users using SCIM 2.0- and 1.1-compatible identity providers. This method dramatically decreases the time needed to provision users into ThousandEyes. This article describes how to integrate the Azure Active Directory (Azure AD) identity provider with ThousandEyes.

Prerequisites

  • A ThousandEyes account that is assigned a role with the following permissions:

    • View users

    • Edit users

    • API access

    • Edit users in all account groups

  • An Azure AD subscription

Supported Features

  • User provisioning (user account creation)

  • User deletion

  • User modification

    • Display name

Azure AD group information or other user attributes cannot be translated into account groups, roles, or any other ThousandEyes structure.

Configuration

  1. To start, log in to Azure AD with this special link. This disables the Azure v2 Provisioning Client, which is not compatible with ThousandEyes SCIM. If you have already set up SSO with Azure AD, skip to step 7.

  2. Go to Azure Active Directory > Enterprise applications > Add an application and search for ThousandEyes. If you are configuring a custom application, skip to step 4.

  3. Click the ThousandEyes Enterprise application, then click Add.

  4. Once you click Add, the Enterprise Application opens.

  5. To assign users to the app, use the Assign users and groups option.

  6. For a guide on setting up SSO, see How to Configure Single Sign-On with Azure Active Directory. Here, we focus on setting up SCIM. Because SSO and SCIM are distinct features, one is not required in order to set up the other.

  7. Click Provisioning (1) and change the Provisioning Mode (2) to Automatic.

  8. In the ThousandEyes platform, go to Account Settings > Users and Roles > Profile tab and copy the OAuth Bearer Token. In Azure's Admin Credentials section, paste the token into the Secret Token (1) field and click Test Connection (2). The enterprise application tests the token and displays results (3).

  9. Expand the Mappings section and click Synchronize Azure Active Directory Users to ThousandEyes to open the mappings.

  10. Enable provisioning: Check the Create, Update, and Delete checkboxes. Make sure the Attribute Mappings match the following table; then click Save.

    Azure Active Directory Attribute                              ThousandEyes Attribute         Matching Precedence
    userPrincipalName                                             userName                       1
    mail                                                          emails[type eq "work"].value
    Switch([IsSoftDeleted], , "False", "True", "True", "False")   active
    displayName                                                   displayName

  11. Enable the Provisioning Status (1) radio button, set Scope (2) to Sync only assigned users and groups, and click Save.
