Provision users and groups using Microsoft Entra (SCIM)

You can utilize Apty’s SCIM integration with Microsoft Entra ID to automatically provision users/groups in Apty based on their assignments in Microsoft Entra ID.

• Requirements
• Add Apty in Microsoft Entra ID
• Apty User Management with Microsoft Entra ID SCIM
• Assignment of roles/applications via groups

Requirements

To proceed effectively, you need an understanding of:

• You should have SSO Enabled for your tenant.

• System for Cross-domain Identity Management (SCIM).

• Apty’s role and application-based access control.

• You need to be an Administrator in your Microsoft Entra ID account, and a System Administrator in Apty.

Add Apty in Microsoft Entra ID​

In Microsoft Entra ID:

1. Click on Add and select Enterprise Application.

2. Click Create your own application, and give your application a name (example: Apty).

3. Choose “Integrate any other application you don't find in the gallery (Non-gallery)” and click Create.

4. Once the app is created, select Provisioning under Manage.

5. Choose Automatic for provisioning mode.

6. To configure the Admin Credentials, sign in to Apty Admin with System Admin user access.

   1. Navigate to System Settings .

   2. Click on Open API and generate a key, if not already created.

   3. Navigate to the SCIM Config tab and copy the Tenant URL (SCIM Endpoint) and Secret Token(API Key) here.

7. Click on Test Connection if configurations are correct you will get a success message.

8. Select Save.

9. Under Mappings

   1. Select Provision Microsoft Entra ID Users and Delete all other mappings than

      1. userName (Used as username/email for provisioned user)

      2. active

      3. displayName (Name of user)
         The above 3 attributes are synchronized from Microsoft Entra ID to Apty.

   2. Click on Save.

   3. Make sure User and Group Provisioning is enabled in mappings.

10. Click Save.

Apty User Management with Microsoft Entra ID SCIM

Utilizing the Microsoft Entra ID SCIM integration requires you to manage users, user groups, and user/group attributes in Microsoft Entra ID, rather than in Apty. Changes are synced from Microsoft Entra ID to Apty approximately every 40 minutes. Data you must manage in Microsoft Entra ID includes:

• Adding, removing, and editing group members. Group membership must be managed in Microsoft Entra ID.

• Renaming user groups. Groups can only be renamed in Microsoft Entra ID.

• Deleting user groups. Groups can only be deleted in Microsoft Entra ID.

• Editing user email addresses, full names, and group assignments.

  • These details cannot be edited in Apty.

  • If adjustments to a user’s group are needed (for example, to change their permissions), the user's group membership must be changed within Microsoft Entra ID.

  • Deleting Microsoft Entra ID-provisioned users from Apty must also be done through Microsoft Entra ID.

• Microsoft Entra ID soft deletes users for the first 30 days, during which users in Apty will be in a Suspended state.

• Users not part of any group with an assigned role will default to the Content Creator role

Role and resource group assignments are not managed in Microsoft Entra ID. permissions must be assigned to user groups within Apty.

Assignment of roles/applications to users via groups.

Following the provisioning of users and groups from Entra, administrators can oversee the allocation of roles and applications to users through group management.

1. Navigate to System Settings.

2. Choose User Groups.

3. All provisioned groups will be displayed here.

4. Assigning roles or applications to a group grants users within that group access to those applications/roles