I have an app that is implementing SCIM 2.0. I have connected this app to my Azure AD and I am succeeding to provision users and groups to my app from Azure AD.

I want to add a custom attribute and manage the value of that attribute in Azure AD for every user or a group and add that data to my provisioning mapping - to send it to my app as part of the provisioning process.

I can't find where in Azure AD I can do that.

I have tried to add a custom security attributes, I have assigned it to my app. But when I go to the provisioning mapping - the attribute is not in the list of source attributes that I can choose from.

I have also tried to add a custom attribute (which I was able to choose in the provisioning mapping), but I did not find where I can manage the value of this attribute for a user in Azure AD. It looks like it can only be filled in a user flow (login with SSO), which is not my case.

I did not find a way to create a custom attribute for a group and manage its values in the Azure AD and then add to provisioning group mapping.

I saw that there are extension attributes, but where in Azure AD I can enter data to these attributes for a specific users or groups?

Can anyone help? Is there a completely different way to add extra information to user / group and send it from Azure AD to my app using SCIM?

DinaF

1 Answer

• When you provision an application in Azure AD through SCIM (System for Cross-Domain Identity Management) for the purpose of provisioning the Azure AD users to the ‘Enterprise application’ created in Azure AD tenant, you enter the URL of the application’s SCIM endpoint as ‘https://api.contoso.com/scim/’ and since it requires an OAuth bearer token from an issuer other than Azure AD as it can validate this token issued by the Azure AD itself. Therefore, in the ‘Mappings’ section of the ‘Provisioning’ section for the Azure AD enterprise application, you have the option for reviewing the attributes that are synchronized from Azure AD to the SCIM provisioned app. These attributes are selected as ‘Matching’ properties and are used to match the users and groups in your app for update operations.

Also, to add the extension attributes to the user in Azure AD for them to be exported to the SCIM provisioned application, you will need to create a dynamic group with members added to them via a dynamic query as shown below. Before that, you will have to synchronize the extension attributes through Azure AD connect utility from the on-premises AD that were created there already. Then, these already created extension attributes can be selected to be mapped with the SCIM provisioned app as below: -

[Images: Azure AD Connect attribute sync; dynamic query for group membership using a custom extension attribute]

Complete the expression to suit your requirements. As above, the rule is set to ‘(user.extension_9d98ed114c4840d298fad781915f27e4_division -eq "Sales and marketing")’.

• Secondly, you can also create extension attributes for users that are to be synchronized from Azure AD to the SCIM provisioned application through Microsoft Graph API as shown below: -

First, create a ‘GET’ request to the object ID of the SCIM provisioned application to check the request sent status success. Then, send a ‘POST’ request to the object ID of the SCIM provisioned application as shown below with the custom extension attribute in the body of the request: -

[Image: Microsoft Graph API query]

Now, since this custom extension attribute is created without any value, you will have to update this attribute with a value so that this attribute is synchronized to the SCIM provisioned application accordingly as shown below: -

[Images: MS Graph API PATCH request; the patched MS Graph attribute]

Thus, as shown above, you can add custom extension attributes to any Azure AD user and synchronize these attribute values to the SCIM provisioned app.

For more detailed information on the above, please refer to the below links: -

https://learningbydoing.cloud/blog/getting-started-with-azuread-extension-attributes/#:~:text=Go%20to%20the%20Azure%20AD,settings%20default%20and%20click%20Register.

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions

Kartik Bhiwapurkar
  • One small nitpick - extending the schema via the MS Graph method can be done on any AAD service principal, and is not required to be done on the service principal connected to the provisioning app. – Zollnerd Oct 21 '22 at 17:09
  • Yes, that can be done on any application registration through MS Graph method but in here, since syncing and provisioning the extension attributes are considered in the SCIM application which is also an enterprise application registered in Azure AD, thus for it also, the process is the same but in this scenario, the extension attributes are first synced from on-premises AD and then provisioned in the SCIM application. – Kartik Bhiwapurkar Oct 22 '22 at 07:11
  • Thank you for your reply! But I don't want to create a group according to user attributes, I want to add an attribute to a group and that attribute will send in SCIM mapping of the group (or all the users will inherit it and the users will send them in SCIM). Is it possible? Also I am not using on premise Azure AD, I am managing the users using Azure portal. Do I have to install on premise azure to do what you have described with the extensions? @KartikBhiwapurkar – DinaF Oct 23 '22 at 06:13
  • Yes, that's how the MS Graph API method stated above in the answer shows as in the correct way to create custom and extension attributes for existing Azure AD users and their groups. If you follow the steps given above, then you surely can send the attributes in SCIM provisioned app successfully. Then you can add the custom extension attributes as stated above through the Azure portal later. – Kartik Bhiwapurkar Oct 25 '22 at 07:58
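The answer's Graph API route (register a directory extension on the app registration, PATCH the user with a value, then pick that attribute in the SCIM mapping) is shown in the screenshots only. The following is an added example, not code from the question, the answer or Microsoft: it builds the exact requests as plain request objects so they can be inspected offline, and includes a `send` helper for running them with a bearer token. The application object id and the user principal name are constructed placeholders; the client id is the hyphenated form of the id embedded in the page's `extension_9d98ed114c4840d298fad781915f27e4_division` rule, used only so the derived attribute name matches the page. The alphanumeric-name check and the `targetObjects` / `dataType` value lists reflect the Graph `extensionProperty` resource as documented; the example also goes slightly beyond the page by allowing `Group` as a target, which the same Graph call supports.

```python
"""
Build the Microsoft Graph requests for an Azure AD directory extension attribute
and for giving a user a value that the SCIM provisioning mapping can source.
All ids below are constructed placeholders; nothing here contacts Graph unless
send() is called with a real token.
"""
import json
import re
import urllib.request
from typing import Any, Dict, Iterable, List

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed placeholders for values a real tenant would supply.
APP_OBJECT_ID = "11111111-2222-3333-4444-555555555555"  # object id of the app registration (/applications/{id})
APP_CLIENT_ID = "9d98ed11-4c48-40d2-98fa-d781915f27e4"  # application (client) id; hyphenated form of the id in the page's rule
USER_ID = "alice@contoso.example"                       # /users/{id} accepts an object id or a UPN

VALID_DATA_TYPES = {"String", "Integer", "Boolean", "Binary", "DateTime", "LargeInteger"}
VALID_TARGETS = {"User", "Group", "Organization", "Device", "Application"}


def extension_attribute_name(client_id: str, name: str) -> str:
    """Graph exposes a directory extension as extension_<clientId without hyphens>_<name>,
    which is the name the provisioning 'source attribute' list and dynamic-group rules use."""
    compact = client_id.replace("-", "").lower()
    if not re.fullmatch(r"[0-9a-f]{32}", compact):
        raise ValueError(f"not an application (client) id: {client_id!r}")
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        # Graph rejects non-alphanumeric extension names; failing early avoids a confusing 400.
        raise ValueError(f"extension name must be alphanumeric: {name!r}")
    return f"extension_{compact}_{name}"


def create_extension_request(app_object_id: str, name: str,
                             data_type: str = "String",
                             targets: Iterable[str] = ("User",)) -> Dict[str, Any]:
    """POST /applications/{id}/extensionProperties: the answer's 'POST with the custom
    extension attribute in the body' step. Add 'Group' to targets to extend groups too."""
    targets = list(targets)
    if data_type not in VALID_DATA_TYPES:
        raise ValueError(f"unsupported dataType {data_type!r}")
    bad = [t for t in targets if t not in VALID_TARGETS]
    if bad:
        raise ValueError(f"unsupported targetObjects {bad}")
    return {
        "method": "POST",
        "url": f"{GRAPH}/applications/{app_object_id}/extensionProperties",
        "body": {"name": name, "dataType": data_type, "targetObjects": targets},
    }


def set_value_request(resource: str, object_id: str, attr: str, value: Any) -> Dict[str, Any]:
    """PATCH /users/{id} (or /groups/{id}) with the extension as a top-level property:
    the answer's 'update this attribute with a value' step, which the portal has no editor for."""
    if resource not in ("users", "groups"):
        raise ValueError("resource must be 'users' or 'groups'")
    if not attr.startswith("extension_"):
        raise ValueError("only directory extension attributes are set here")
    return {"method": "PATCH", "url": f"{GRAPH}/{resource}/{object_id}", "body": {attr: value}}


def read_back_request(resource: str, object_id: str, attr: str) -> Dict[str, Any]:
    """GET with $select so the response proves the value landed before the attribute is
    wired into the SCIM mapping."""
    return {"method": "GET", "url": f"{GRAPH}/{resource}/{object_id}?$select=id,{attr}", "body": None}


def send(req: Dict[str, Any], token: str) -> Dict[str, Any]:
    """Execute a built request against Graph with a bearer token (not used by the offline demo)."""
    data = json.dumps(req["body"]).encode() if req["body"] is not None else None
    http = urllib.request.Request(req["url"], data=data, method=req["method"],
                                  headers={"Authorization": f"Bearer {token}",
                                           "Content-Type": "application/json"})
    with urllib.request.urlopen(http) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def plan_division_attribute(value: str) -> List[Dict[str, Any]]:
    """The full sequence for a 'division' attribute on users: register, set, verify."""
    attr = extension_attribute_name(APP_CLIENT_ID, "division")
    return [
        create_extension_request(APP_OBJECT_ID, "division"),
        set_value_request("users", USER_ID, attr, value),
        read_back_request("users", USER_ID, attr),
    ]


if __name__ == "__main__":
    for step in plan_division_attribute("Sales and marketing"):
        print(step["method"], step["url"])
        if step["body"] is not None:
            print("   ", json.dumps(step["body"]))
```

Once the PATCH has gone through, the provisioning blade lists `extension_9d98ed114c4840d298fad781915f27e4_division` among the source attributes, and it can be mapped to a SCIM target such as `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division`. Run the POST with an identity that holds `Application.ReadWrite.All` (or owns the app registration) and the PATCH with `User.ReadWrite.All` (`Group.ReadWrite.All` for groups); a provisioning-only service principal should not need either, so keep the token used for this one-off step separate from the one the SCIM connector uses.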