Configure SCIM provisioning with Microsoft Entra (formerly Azure AD)

This feature requires the SCIM Integration. For more information, contact your Customer Success Partner (CSP).

Platform admins and IT administrators can synchronize users and groups from Microsoft Entra (formerly Azure AD) to 360Learning via SCIM 2.0.

User emails must be manually updated in 360Learning if you change them in Entra ID, since they act as the identifier (primary key).

Prerequisites

Before you begin, you have configured the SCIM integration in your 360Learning platform.

Step 1: Create an enterprise application

Add an enterprise application representing the 360Learning platform in Microsoft Entra (formerly Azure).

1. Go to the Microsoft Entra admin center ↗.
2. In the left sidebar, click Entra ID, then click Enterprise applications.
3. At the top of the table, click New application.
4. At the top, click Create your own application.
5. Enter a name for your application.
6. Select Integrate any other application you don’t find in the gallery (Non-gallery).
7. At the bottom, click Create.

The new enterprise application for the 360Learning platform is created.

Step 2: Configure provisioning in your enterprise application

1. In the left sidebar, click Entra ID, then click Enterprise applications, and click on the application you just created.
   • If you came directly from step 1, creating the application opens it by default.
2. In the left sidebar of the application, click Manage, then click Provisioning.
3. In the left sidebar, click Provisioning again.
4. In Provisioning Mode, select Automatic.
5. Enter the Admin Credentials:
   • In the Tenant URL field, paste the Endpoint URL you retrieved when configuring the SCIM integration.
   • In the Secret Token field, paste the authorization token you retrieved when configuring the SCIM integration.
6. Click Test connection to test the credentials.
7. Click Save.

Step 3: Configure attribute mapping

Configure attribute mappings for users and groups.

User emails must be manually updated in 360Learning if you change them in Entra ID, since they act as the identifier (primary key).

Step 3.1: Configure user attributes mapping

1. In the left sidebar, click Entra ID, then click Enterprise applications and click on the application you just created.

   1. If you came directly from step 1, creating the application opens it by default.

2. In the left sidebar of the application, click Manage → Provisioning.

3. In Map attributes, click Edit attributes.

4. In Attribute Mapping, map the customappsso attributes to these Entra ID attributes:

   Entra ID attribute	customappsso attribute (360Learning)
   userPrincipalName	userName
   "Switch([IsSoftDeleted], , "False", "True", "True", "False")"	active
   givenName	name.givenName
   surname	name.familyName
   jobTitle	title
   mail	emails[type eq "work"].value
   manager	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager
   organization	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization
   "Mid([preferredLanguage], 1, 2)"	preferredLanguage

5. Click Save.

Please note that while Entra ID provides a displayName attribute for both groups and users, this attribute should not be mapped for user objects in our system. Our platform specifically utilizes the givenName and familyName attributes to manage user names. Attempting to map the displayName attribute for users will lead to an "Invalid or forbidden key found: displayName" error during the synchronization process.

Step 3.2: Configure group attributes mapping

1. Under Mappings, click Provision Entra ID Groups to map Entra ID attributes.

2. In Attribute Mapping, map the customappsso attributes to these Entra ID attributes:

   Entra ID attribute	customappsso attribute (360Learning)
   displayName	displayName
   objectID	externalID
   members	members

3. Click Save.

Step 4: Assign users and groups

After you create the application in Entra ID, you need to assign the application to the relevant users and groups. Only these users and groups will be provisioned to the 360Learning platform.

Groups added to the application are created in 360Learning or matched with existing groups by name. By default, the group name in 360Learning always matches Microsoft Entra.

To use different group names between the two systems, edit the group attribute mappings to match on ID first, then on name. Then update the displayName attribute to only update during object creation.

If groups already exist in 360Learning, their names must match on the initial sync, or duplicate groups are created. The recommended approach is to let the integration create the groups first, then rename them in 360Learning afterward. Alternatively, you can rename the groups in 360Learning to match Entra, run the sync, then rename them back.

1. In your Entra portal, click Entra ID.
2. In the left sidebar, click Enterprise applications.
3. Click the application that you created for 360Learning.
4. Click Assign users and groups.
5. Click Add user/group.
6. Click None selected.
7. Identify the users and groups you want to assign to the application, then click Select.
8. At the bottom left of the screen, click Assign.

Step 5: Start provisioning

You can now start provisioning users and groups.

1. In your Entra portal, click Entra ID.
2. In the left sidebar, click Enterprise applications.
3. Click the application that you created for 360Learning.
4. In the left sidebar, click Provisioning.
5. Click Start provisioning.

It might take up to 40 minutes before you start seeing users and groups on your 360Learning platform. The first initial run might take some time, depending on the size of your directory.

Once the provisioning is complete, a report is available in your Entra portal.

Configure 360Learning custom fields in Entra ID

You can create custom fields on the 360Learning platform. Since these are not included in the default mappings, you will have to link these fields manually. Subsequent updates will be performed automatically.

Before you begin, create custom fields on the 360Learning platform. Then, in your Entra portal:

1. Click Entra ID.
2. In the left sidebar, click Enterprise applications.
3. Click the application that you created for 360Learning.
4. In the left sidebar, click Provisioning.
5. Under Mappings, click Provision Entra ID Users.
6. Select the Show advanced options check box.
7. Click Edit attribute list for customappsso.
8. Enter a new target attribute in the blank box at the bottom of the list. Use the urn:ietf:params:scim:schemas:extension:360learning:2.0:User:custom_field syntax, where urn:ietf:params:scim:schemas:extension:360learning:2.0:User is the fixed source object, and custom_field should be replaced with the name of the custom field in 360Learning.
   • For example, if your 360Learning user has a custom attribute named “employeeNumber”, enter the following target attribute urn:ietf:params:scim:schemas:extension:360learning:2.0:User:employeeNumber.
9. Click on the dropdown next to the target attribute name to match the attribute type with the attribute type in 360Learning.
10. Click Save.
11. Return to the Attribute Mapping page.
12. Click Add new mapping at the bottom of the table.
13. Select the Source attribute in Entra ID that will map to the target attribute in the 360Learning application.
    • For example, if you want to map the 360Learning "employeeNumber" custom attribute to Entra ID’s "employeeId", select employeeId as the Source attribute.
14. Select the Target attribute created during step 8.
    • For example, if you want to map the 360Learning "employeeNumber" custom attribute to Entra ID’s "employeeId", select urn:ietf:params:scim:schemas:extension:360learning:2.0:User:employeeNumber as the Target attribute.
15. Click Ok.
16. Once all target attributes for 360Learning custom fields have been created and mapped to Entra ID attributes, click Save.

Configure language mapping

By default, all users imported via SCIM have English set as their interface language. You can map the preferredLanguage attribute from Entra ID to assign each user's preferred language automatically.

360Learning requires a two-letter language code (for example, en for English, fr for French). Since Entra ID may store longer locale values, you must configure this mapping as an expression rather than a direct attribute.

1. In User Attribute Mapping, find the preferredLanguage row and click Edit.
2. Change the Mapping type from Direct to Expression.
3. Enter the expression Mid([preferredLanguage], 1, 2).
4. Click Save.