Configure SCIM provisioning with Azure AD

You can synchronize users and groups from Azure AD via SCIM 2.0.

Note that user emails must be manually updated in 360Learning if you change them in Azure AD, since they act as the identifier (primary key).

Prerequisites

Before you begin, you have configured the SCIM integration in your 360Learning platform.

Step 1: Create an enterprise application

Add an enterprise application representing the 360Learning platform in Microsoft Azure.

1. Go to your Azure portal and sign in.
2. Click Azure Active Directory.
3. In the left panel, click Enterprise applications.
4. Click New application.
5. Click Create your own application.
6. Enter a name for your application.
7. Select Integrate any other application you don’t find in the gallery (Non-gallery).
8. Click Create.

The new enterprise application for the 360Learning platform is created.

Step 2: Configure provisioning in your enterprise application

1. In your Azure portal, click Azure Active Directory.
2. In the left panel, click Enterprise applications.
3. Click the application that you created for 360Learning.
4. In the left panel, click Provisioning.
5. In the Provisioning Mode list, select Automatic.
6. Enter the Admin Credentials:
   • In the Tenant URL field, paste the Endpoint URL you retrieved when configuring the SCIM integration.
   • In the Secret Token field, paste the authorization token you retrieved when configuring the SCIM integration.
7. Click Test connection to test the credentials.
8. Click Save.

Step 3: Configure attribute mapping

Configure attribute mappings for users and groups.

Note that user emails must be manually updated in 360Learning if you change them in Azure AD, since they act as the identifier (primary key).

Step 3.1: Configure user attributes mapping

1. In your Azure portal, click Azure Active Directory.
2. In the left panel, click Enterprise applications.
3. Click the application that you created for 360Learning.
4. In the left panel, click Provisioning.
5. Under Mappings, click Provision Azure Active Directory Users to map Azure AD attributes.
6. In Attribute Mapping, map the customappsso attributes to these Azure AD attributes:
   
   

   Azure Active Directory attribute	customappsso attribute (360Learning)
   userPrincipalName	userName
   "Switch([IsSoftDeleted], , "False", "True", "True", "False")"	active
   givenName	name.givenName
   surname	name.familyName
   jobTitle	title
   mail	emails[type eq "work"].value
   manager	urn:ietf:params:scim:schemas:extension:entreprise:2.0:User:manager
   organization	urn:ietf:params:scim:schemas:extension:entreprise:2.0:User:organization
   "Mid([preferredLanguage], 1, 2)"	preferredLanguage

7. Click Save.

Please note that while Azure Active Directory provides a displayName attribute for both groups and users, this attribute should not be mapped for user objects in our system. Our platform specifically utilizes the givenName and familyName attributes to manage user names. Attempting to map the displayName attribute for users will lead to an "Invalid or forbidden key found: displayName" error during the synchronization process.

Step 3.2: Configure group attributes mapping

1. Under Mappings, click Provision Azure Active Directory Groups to map Azure AD attributes.
2. In Attribute Mapping, map the customappsso attributes to these Azure AD attributes:
   
   

   Azure Active Directory attribute	customappsso attribute (360Learning)
   displayName	displayName
   objectID	externalID
   members	members

3. Click Save.

Step 4: Assign users and groups

After you create the application in Azure AD, you need to assign the application to the relevant users and groups. Only these users and groups will be provisioned to the 360Learning platform.

1. In your Azure portal, click Azure Active Directory.
2. In the left panel, click Enterprise applications.
3. Click the application that you created for 360Learning.
4. Click Assign users and groups.
5. Click Add user/group.
6. Click None selected.
7. Identify the users and groups you want to assign to the application, then click Select.
8. At the bottom left of the screen, click Assign.

Step 5: Start provisioning

You can now start provisioning users and groups.

1. In your Azure portal, click Azure Active Directory.
2. In the left panel, click Enterprise applications.
3. Click the application that you created for 360Learning.
4. In the left panel, click Provisioning.
5. Click Start provisioning.

It might take up to 40 minutes before you start seeing users and groups in your 360Learning platform. The first initial run might take some time depending on the size of your directory.

Once the provisioning is complete, a report is available in your Azure portal.

Configure 360Learning custom fields in Azure AD

You can create custom fields on the 360Learning platform. Since these are not included in the default mappings, you will have to link these fields manually. Subsequent updates will be performed automatically.

Before you begin, create custom fields on the 360Learning platform. Then, in your Azure portal:

1. Click Azure Active Directory.
2. In the left panel, click Enterprise applications.
3. Click the application that you created for 360Learning.
4. In the left panel, click Provisioning.
5. Under Mappings, click Provision Azure Active Directory Users.
6. Select the Show advanced options check box.
7. Click Edit attribute list for customappsso.
8. Enter a new target attribute in the blank box at the bottom of the list. Use the urn:ietf:params:scim:schemas:extension:360learning:2.0:User:custom_field syntax, where urn:ietf:params:scim:schemas:extension:360learning:2.0:User is the fixed source object, and custom_field should be replaced with the name of the custom field in 360Learning.
   • For example, if your 360Learning user has a custom attribute named “employeeNumber”, enter the following target attribute urn:ietf:params:scim:schemas:extension:360learning:2.0:User:employeeNumber.
9. Click on the dropdown next to the target attribute name to match the attribute type with the attribute type in 360Learning.
10. Click Save.
11. Return to the Attribute Mapping page.
12. Click Add new mapping at the bottom of the table.
13. Select the Source attribute in Azure AD that will map to the target attribute in the 360Learning application.
    • For example, if you want to map the 360Learning "employeeNumber" custom attribute to Azure AD's "employeeId", select employeeId as Source attribute.
14. Select the Target attribute created during step 8.
    • For example, if you want to map the 360Learning "employeeNumber" custom attribute to Azure AD's "employeeId", select urn:ietf:params:scim:schemas:extension:360learning:2.0:User:employeeNumber as Target attribute.
15. Click Ok.
16. Once all target attributes for 360Learning custom fields have been created and mapped to Azure AD attributes, click Save.