In this guide, we’ll show you how to set up SCIM in Nulab Pass and Microsoft Entra ID to allow for user provisioning.
Prerequisites
- User provisioning by SCIM (available with Nulab Pass)
- Configured SAML
Supported features
Nulab Pass supports the following user provisioning features:
- Create Managed Accounts
- Update Managed Account attributes
- Deactivate Managed Accounts
- Delete Managed Accounts
Setup in Nulab Pass and Entra ID
Configure the following settings in Entra ID and Nulab Pass.
Setup in Nulab Pass
- Go to your organization settings.
- Select Organization > User provisioning to open the SCIM configuration screen.
- If user provisioning is not enabled:
- Select the “Manage” button.
- Select the “Enable” checkbox.
- Select “Save.”
- Record the SCIM URL somewhere safe.
- If no token has been issued:
- Select the “Generate token” link to issue a token.
- Record your SCIM token somewhere safe.
Setup in Microsoft Entra ID
- Log in to Microsoft Entra Admin Center.
- Select “Enterprise Applications.”
- Select All applications > New application.
- Select “Create your own application.”
- Select “Integrate other applications not found in gallery” from the search options, and select “Create.”
- Select “Provisioning” from the menu on the left.
- Select “Get started.”
- Select “Automatic” for provisioning mode.
- Enter the following information in “Administrative Credentials”:
- Tenant URL: SCIM URL
- Secret token: SCIM token
- Select “Test connection.”
If the connection is successful, the following message is shown: “The specified credentials have permission to enable provisioning.”
4. Create app roles in Microsoft Entra ID
The following three app roles must be created, with exactly these values, because Nulab Pass maps them to the Managed Account role:
- ADMIN
- USER
- GUEST
To create the roles:
- Select Applications > App Registrations.
- Select “All Applications.”
- Select the desired app and then App Roles > Create App Role.
- Create the following 3 roles:
Display name | Allowed member types | Value | Description | Would you like to enable this app role?
Enter any name | User or group | ADMIN | Descriptive text | Check
Enter any name | User or group | USER | Descriptive text | Check
Enter any name | User or group | GUEST | Descriptive text | Check
- After entering the information, select “Apply.”
5. Disable Provision Microsoft Entra ID Groups
“Provision Microsoft Entra ID Groups” is enabled by default. To disable it:
- Select your application.
- Select “Provisioning” from the menu on the left.
- Select “Provision Microsoft Entra ID Groups” under “Mapping.”
- Select “No” for “Enabled.”
- Select “Save.”
6. Configure attribute mapping
- Select your application.
- Select “Provisioning” from the menu on the left.
- Select “Provision Microsoft Entra ID Users” under “Mapping.”
- Edit mapping attributes. Do not remove required attributes.
Good to know: The Microsoft Entra ID attribute settings below are just an example. Various settings can be made based on your organization, as shown in the Microsoft Entra ID tutorial. Make sure to:
- Select “Add new mapping” to add attributes to map Managed Accounts and roles.
Fill in the fields below, and select “OK”:
- Mapping type: Expression
- Source attribute: SingleAppRoleAssignment([appRoleAssignments])
- Target attribute: roles[primary eq "True"].value
The following attributes can be synchronized:
Attribute | Microsoft Entra ID property | Details
externalId | userPrincipalName | Uniquely identifies your account, such as a unique ID assigned within the IdP. Not shown on the Nulab service screen.
userName (required) | userPrincipalName | Email used to uniquely identify an account and used to sync a Managed Account. The default value is user.userprincipalname, but Nulab Pass (Backlog, Cacoo, Typetalk) requires this to be mapped to the Managed Account email. Use the user.mail attribute from the list, or the appropriate attribute value based on your organization's configuration.
displayName (required) | displayName | Username
preferredLanguage | preferredLanguage | Language. If not specified by the user in their device’s Settings and Privacy, the language of the token issuer will be used to create the Managed Account. Language isn’t updated when updating a Managed Account.
timezone | Switch([country], "Asia/Tokyo", "United States", "America/New_York", "Netherlands", "Europe/Amsterdam") (this expression is just an example; modify it according to your own settings and refer to Entra ID help) | Time zone. If not specified by the user, the time zone of the token issuer will be used to create the Managed Account. Time zone isn’t updated when updating a Managed Account.
active (required) | Switch([isSoftDeleted], , "False", "True", "True", "False") | Activates/deactivates a Managed Account. false: the account is deactivated.
roles[primary eq "True"].value | SingleAppRoleAssignment([appRoleAssignments]) | ADMIN: Administrator. GUEST: Guest. If not specified, it will be GUEST.
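The mapping table above is easier to reason about when you can see the SCIM User resource it produces for a given directory user. The following Python script is an added example, not Nulab's or Microsoft's code: it re-implements the table's Switch() and SingleAppRoleAssignment() expressions as plain functions, builds the resulting SCIM resource for two constructed directory users, and refuses to emit a resource that lacks a required attribute (the failure you hit when userName is left on the userPrincipalName default and a user has no mail value). Function names, the sample users and the country list are assumptions.

```python
"""Added example (not Nulab's or Microsoft's code): models the Entra ID ->
Nulab Pass attribute mappings from the table above in Python.
Helper names, sample users and the country list are assumptions."""
import json

# Target attributes the table marks (required); never send a resource without them.
REQUIRED = ("userName", "displayName", "active")

# Constructed lookup mirroring the Switch([country], ...) example: the first
# argument of Switch is the default, the rest are value/result pairs.
COUNTRY_TO_TZ = {"United States": "America/New_York", "Netherlands": "Europe/Amsterdam"}
DEFAULT_TZ = "Asia/Tokyo"

# App role values created in step 4; anything else falls back to GUEST,
# matching "If not specified, it will be GUEST".
KNOWN_ROLES = {"ADMIN", "USER", "GUEST"}


def switch_active(is_soft_deleted):
    """Switch([isSoftDeleted], , "False", "True", "True", "False"):
    a soft-deleted directory user becomes an inactive Managed Account."""
    return not bool(is_soft_deleted)


def single_app_role_assignment(app_role_assignments):
    """SingleAppRoleAssignment(): valid only when the user holds at most one
    app role, so several roles are reported instead of silently picking one."""
    if len(app_role_assignments) > 1:
        raise ValueError("user holds several app roles; assign exactly one")
    return app_role_assignments[0] if app_role_assignments else None


def build_scim_user(user):
    """Apply the mapping table to one directory user (a plain dict) and
    return the SCIM User resource Entra ID would send to the SCIM URL."""
    role = single_app_role_assignment(user.get("appRoleAssignments", []))
    if role not in KNOWN_ROLES:
        role = "GUEST"
    resource = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "externalId": user.get("userPrincipalName"),
        # userName must be the Managed Account email (user.mail), not the UPN default
        "userName": user.get("mail"),
        "displayName": user.get("displayName"),
        "preferredLanguage": user.get("preferredLanguage"),
        "timezone": COUNTRY_TO_TZ.get(user.get("country"), DEFAULT_TZ),
        "active": switch_active(user.get("isSoftDeleted", False)),
        # roles[primary eq "True"].value: the filter selects the primary role entry
        "roles": [{"primary": True, "value": role}],
    }
    missing = [a for a in REQUIRED if resource[a] in (None, "")]
    if missing:
        raise ValueError(f"required SCIM attributes missing: {missing}")
    return resource


# Constructed sample directory users (not real accounts).
ALICE = {
    "userPrincipalName": "alice@example.onmicrosoft.com",
    "mail": "alice@example.com",
    "displayName": "Alice Example",
    "preferredLanguage": "en-US",
    "country": "United States",
    "isSoftDeleted": False,
    "appRoleAssignments": ["ADMIN"],
}
BOB = {  # soft-deleted, no app role, country outside the Switch() list
    "userPrincipalName": "bob@example.onmicrosoft.com",
    "mail": "bob@example.com",
    "displayName": "Bob Example",
    "country": "Japan",
    "isSoftDeleted": True,
    "appRoleAssignments": [],
}

if __name__ == "__main__":
    for u in (ALICE, BOB):
        print(json.dumps(build_scim_user(u), indent=2))
```

Running the script prints the two resources: Alice arrives as an active ADMIN in America/New_York, while Bob arrives deactivated, as GUEST, in the Asia/Tokyo default. Reviewing this output before starting provisioning is a cheap way to confirm that the active and role mappings deactivate and downgrade exactly the accounts you expect.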
Good to know: If an account role is downgraded to guest due to synchronization:
7. Assign users
Only assigned users are synchronized with Managed Accounts in user provisioning.
- Select Users & Groups > Add User or Group.
- Select “None selected” under “Users and Groups” and search for users from the search field.
- Select the user and then “Select.”
- Select “None selected” under “Select a role” and choose the role for the user. The selected role becomes the role of the Managed Account (admin, member, guest). If you select a role that differs from the existing Managed Account role, the role will be updated.
- Select “Assign” to add the user.
Good to know: To delete a Managed Account while continuing to use Microsoft Entra ID, remove the user from the list of users assigned to the Nulab Pass application in Entra ID.
8. Start provisioning
When you start user provisioning, information is synchronized only if the Managed Account's email and the user email on the IdP are the same. Non-Managed Accounts or Managed Accounts that haven’t been updated won’t be synchronized even if they have the same email.
- Select Overview > Start Provisioning.
- Wait for synchronization to finish. Check your IdP’s settings to determine how long it will take.
Good to know: If you select “Sync all users and groups” under Scope > Settings for provisioning, all users registered in Microsoft Entra ID will be subject to user provisioning.
- If user provisioning was successful, the “Provisioned Managed Account” label will be displayed on the member list screen.
Good to know: Due to a known bug in Microsoft Entra ID’s SCIM client, active synchronization may not work properly. If you get an error, add “?aadOptscim062020” to the end of the SCIM URL to resolve it.
Stop user provisioning
- Sign in with an administrator account to the Microsoft Azure portal.
- Select the application with provisioning enabled.
- Select “Provisioning” from the menu on the left.
- Select “Stop Provisioning.”
- Select “OK.”
Disable user provisioning for Nulab organizations
- Select Organization Settings > Organization > User Provisioning.
- Select “Manage.”
- Uncheck the “Enable” checkbox.
- Select “Save.”
Delete the token
- Select “Delete token” on the user provisioning screen.
- Select “Delete token” in the dialog to confirm your choice.