Syncing Users and Groups with SCIM via Microsoft Entra
Beginning in v7.1.2, Metric Insights introduces support for syncing Users and Groups from Microsoft Entra using SCIM (System for Cross-domain Identity Management). This integration enables automated synchronization of new or updated users and groups at regular intervals, without requiring a full dataset refresh. One of the key advantages of SCIM user synchronization is efficiency: instead of transferring large amounts of data, only the attributes, users, or groups that have changed are updated.
NOTES:
- All synced Users are created as Regular Users.
- Tracked events include: creation/deletion of Users and Groups, attribute changes, and assignment, reassignment, or removal of Users in Groups.
- Provisioning interval is fixed at 40 minutes, but provisioning can also be triggered on demand.
- Only the selected Users/Groups are synced.
- Only documented fields are supported; unsupported fields will be ignored.
- For Users synced via SCIM, the authentication method is displayed as SSO.
1. Create a New Enterprise App
Access Microsoft Azure
- [+ New application]
- [+ Create your own application]
- Name your application
- Select Integrate any other application you don't find in the gallery (Non-gallery)
- [Create]
2. Set Up Mapping
Access Attribute mapping (Preview)
2.1. Set Up User Attribute Mapping
- Set values for the following User Attributes:
customappsso Attribute | Microsoft Entra ID Attribute |
---|---|
externalId | objectId |
userName | userPrincipalName |
active | Switch([IsSoftDeleted], , "False", "1", "True", "0") |
name.givenName | givenName |
name.familyName | surname |
emails[type eq "work"].value |
- [Save]
2.2. Set Up Group Attribute Mapping
- Set values for the following Group Attributes:
customappsso Attribute | Microsoft Entra ID Attribute |
---|---|
externalId | objectId |
displayName | displayName |
description | description |
- To add missing attributes: [Show advanced options] > [Edit attribute list for customappsso]
- [Save]
3. Select Users and Groups for Provisioning
NOTES:
- Each User must have an email address defined.
- Usernames cannot exceed 100 characters.
- Access User & groups
- [+ Add user/group]
- Under User and groups, click [None Selected]
- Choose the Users and Groups to sync
- [Select]
Attribute Mapping Between Microsoft Azure and Metric Insights
The table below shows mapping between Microsoft Azure and Metric Insights for User and Group attributes:
Microsoft Azure | Metric Insights |
---|---|
Users | |
User principal name | Username |
First name | First Name |
Last name | Last Name |
Account status | User is (enabled/disabled) |
Groups | |
Group name | Name |
Group description | Description |
Object Id | Group Alias |
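The user attribute mapping in 2.1 and the limits in the step 3 notes can be checked against directory records before users are assigned to the app. The following is an added example, not Metric Insights or Microsoft code: the record layout, the `email` input key (the page does not name the source attribute for the email mapping) and all sample values are constructed.

```python
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
MAX_USERNAME_LEN = 100  # limit from the notes in step 3

def map_active(is_soft_deleted):
    """Mirror Switch([IsSoftDeleted], , "False", "1", "True", "0") from step 2.1."""
    # The second Switch argument (the default) is empty in the mapping.
    return {"False": "1", "True": "0"}.get(str(is_soft_deleted), "")

def to_scim_user(entra):
    """Build the SCIM User resource implied by the user attribute mapping."""
    email = entra.get("email")  # assumed input key, see lead-in
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": entra.get("objectId"),
        "userName": entra.get("userPrincipalName"),
        "active": map_active(entra.get("IsSoftDeleted", False)),
        "name": {"givenName": entra.get("givenName"),
                 "familyName": entra.get("surname")},
        "emails": [{"type": "work", "value": email}] if email else [],
    }

def preflight(entra):
    """Return the problems that conflict with the notes in step 3."""
    user = to_scim_user(entra)
    problems = []
    if not user["emails"]:
        problems.append("no email address defined")
    if not user["userName"]:
        problems.append("userName is empty")
    elif len(user["userName"]) > MAX_USERNAME_LEN:
        problems.append("userName longer than 100 characters")
    if not user["externalId"]:
        problems.append("externalId (objectId) missing")
    return problems

# Constructed sample records, not real directory data.
SAMPLE_USERS = [
    {"objectId": "00000000-0000-0000-0000-000000000001", "IsSoftDeleted": False,
     "userPrincipalName": "alice@example.com", "email": "alice@example.com"},
    {"objectId": "00000000-0000-0000-0000-000000000002", "IsSoftDeleted": True,
     "userPrincipalName": "bob@example.com"},
    {"objectId": "00000000-0000-0000-0000-000000000003", "IsSoftDeleted": False,
     "userPrincipalName": "a" * 92 + "@example.com", "email": "long@example.com"},
]

def report(users):
    """Map each userPrincipalName to its list of pre-flight problems."""
    return {u.get("userPrincipalName"): preflight(u) for u in users}

if __name__ == "__main__":
    for upn, problems in report(SAMPLE_USERS).items():
        print(upn, "OK" if not problems else "; ".join(problems))
```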
4. Configure Provisioning
- Access Provisioning
- [Connect your application]
- Tenant URL: https://<MI hostname>/scim/v2
- Secret token: Enter a personal MI API Token
  - NOTE: The token must be assigned to an Admin user
- [Test connection]
- Once the connection is established, [Create]
6. Start Provisioning
- Access Overview (Preview)
- [Start provisioning]
- [Yes]
Once provisioning has started, it will run automatically at a fixed interval of 40 minutes, synchronizing all new or updated data without requiring a full sync.
6.1. Provision on Demand
It is possible to launch provisioning on demand if you need to sync new changes immediately, without waiting for the scheduled 40-minute interval.
- [Provision on demand]
- Upon successful provisioning, proceed to verification.
7. View Provisioning Logs
To verify user sync results:
- Access Provisioning logs
- Locate the relevant sync action
- Check Modified Properties
8. Verify Sync in Metric Insights
Access Admin > Users & Groups
Confirm that synced Users and Groups are visible.
9. Configure User Deletion and SCIM Logging
Access Admin > System > System Variables
- Enter "SCIM" in the search box
- Configure the following parameters:
  - ENABLE_SCIM_REQUEST_LOGGER: Set to "Y" to enable logging for SCIM requests. The logs are saved to the /opt/mi/web/backend/data/temp/scim directory under the web container. The default value is "N".
  - SCIM_REMOVE_USER_ON_SOFT_DELETE:
    - "Y": When a User is deleted in Microsoft Azure, they are deleted from Metric Insights.
      - If the User is restored in Microsoft Azure, they are re-created in Metric Insights with the same User attributes.
    - "N" (default): When a User is deleted in Microsoft Azure, they are disabled in Metric Insights. A special prefix is added to their username.
      - If the User is restored in Microsoft Azure, they are enabled in Metric Insights. The special prefix is removed from the username.
- [Commit Changes]