How to Configure SCIM with Azure Active Directory
You can add, delete, and modify ThousandEyes users using SCIM 2.0- and 1.1-compatible identity providers. This method dramatically decreases the time needed to provision users into ThousandEyes. This article describes how to integrate the Azure Active Directory (Azure AD) identity provider with ThousandEyes.
Prerequisites
- A ThousandEyes account that is assigned a role with the following permissions:
  - View users
  - Edit users
  - API access
  - Edit users in all account groups
- An Azure AD subscription
Supported Features
- User provisioning (user account creation)
- User deletion
- User modification
- Display name
Azure AD group information or other user attributes cannot be translated into account groups, roles, or any other ThousandEyes structure.
Configuration
1. To start, log in to Azure AD with this special link. This disables the Azure v2 Provisioning Client, which is not compatible with ThousandEyes SCIM. If you have already set up SSO with Azure AD, skip to step 7.
2. Go to Azure Active Directory > Enterprise applications > Add an application and search for ThousandEyes. If you are configuring a custom application, skip to step 4.
3. Click the ThousandEyes Enterprise application and click Add.
4. Once you click Add, the Enterprise Application opens.
5. To assign users to the app, use the Assign users and groups option.
6. For a guide on setting up SSO, see How to Configure Single Sign-On with Azure Active Directory. Here, we focus on setting up SCIM. Because SSO and SCIM are distinct features, one is not required in order to set up the other.
7. Click Provisioning (1) and change the Provisioning Mode (2) to Automatic.
8. In the ThousandEyes platform, go to Account Settings > Users and Roles > Profile tab and copy the OAuth Bearer Token. In Azure's Admin Credentials section, paste the token into the Secret Token (1) field and click Test Connection (2). The enterprise application tests the token and displays results (3).
9. Expand the Mappings section and click Synchronize Azure Active Directory Users to ThousandEyes to open the mappings.
10. Enable provisioning: Check the Create, Update, and Delete checkboxes. Make sure the Attribute Mappings match the following table; then click Save.

| Azure Active Directory Attribute | ThousandEyes Attribute | Matching Precedence |
| --- | --- | --- |
| userPrincipalName | userName | 1 |
| mail | emails[type eq "work"].value | |
| Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | |
| displayName | displayName | |

11. Enable the Provisioning Status (1) radio button, set Scope (2) to Sync only assigned users and groups, and click Save.
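The attribute mappings in the table above, worked through as an added example (not ThousandEyes or Microsoft code): it evaluates the Switch expression and builds the SCIM 2.0 User resource that the four mappings imply, which shows that a soft-deleted Azure AD user is provisioned as inactive. The sample users, the helper names `switch` and `to_scim_user`, and the rendering of active as a JSON boolean are assumptions of this example.

```python
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def switch(source, default, *pairs):
    """Azure AD Switch(): return the value paired with the matching key, else default."""
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if str(source) == key:
            return value
    return default


def to_scim_user(aad_user):
    """Apply the four attribute mappings from the table to one Azure AD user."""
    upn = aad_user.get("userPrincipalName")
    if not upn:
        # userPrincipalName -> userName has matching precedence 1, so it must exist.
        raise ValueError("userPrincipalName is the matching attribute and must be set")
    # Switch([IsSoftDeleted], , "False", "True", "True", "False") -> active
    active = switch(aad_user.get("IsSoftDeleted"), "", "False", "True", "True", "False")
    if active not in ("True", "False"):
        # The empty default means an unexpected IsSoftDeleted yields no usable value.
        raise ValueError(f"IsSoftDeleted is not True/False for {upn!r}")
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": upn,
        # Assumption: serialised as a boolean, the type SCIM 2.0 defines for active.
        "active": active == "True",
        "displayName": aad_user.get("displayName", ""),
    }
    if aad_user.get("mail"):
        # mail -> emails[type eq "work"].value
        user["emails"] = [{"type": "work", "value": aad_user["mail"]}]
    return user


# Constructed sample records, not real directory data.
ALICE = {"userPrincipalName": "alice@example.com", "mail": "alice@example.com",
         "displayName": "Alice Example", "IsSoftDeleted": False}
BOB = {"userPrincipalName": "bob@example.com", "mail": None,
       "displayName": "Bob Example", "IsSoftDeleted": True}

if __name__ == "__main__":
    for record in (ALICE, BOB):
        print(json.dumps(to_scim_user(record), indent=2))
```

Comparing the output for a test user against what appears in ThousandEyes is a quick way to confirm that the active mapping was entered correctly, since swapping the key and value pairs in the Switch expression would leave soft-deleted users active.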