Syncing Users and Groups with SCIM via Microsoft Entra

Beginning in v7.1.2, Metric Insights introduces support for syncing Users and Groups from Microsoft Entra using SCIM (System for Cross-domain Identity Management). This integration enables automated synchronization of new or updated users and groups at regular intervals, without requiring a full dataset refresh. One of the key advantages of SCIM user synchronization is efficiency: instead of transferring large amounts of data, only the attributes, users, or groups that have changed are updated.

NOTES:

  • All synced Users are created as Regular Users.
  • Tracked events include: creation/deletion of Users and Groups, attribute changes, and assignment, reassignment, or removal of Users in Groups.
  • Provisioning interval is fixed at 40 minutes, but provisioning can also be triggered on demand.
  • Only the selected Users/Groups are synced.
  • Only documented fields are supported; unsupported fields will be ignored.
  • For Users synced via SCIM, the authentication method is displayed as SSO.

TABLE OF CONTENTS:

  1. Create a New Enterprise App
  2. Set Up Mapping
    1. Set Up User Attribute Mapping
    2. Set Up Group Attribute Mapping
  3. Configure Users and Groups
  4. Configure Provisioning
  5. Enable Provisioning
  6. Start Provisioning
    1. Provision on Demand
  7. View Provisioning Logs
  8. Verify Sync in Metric Insights
  9. Configure User Deletion and SCIM Logging

1. Create a New Enterprise App

  1. [+ New application]
  2. [+ Create your own application]
  3. Name your application
  4. Select Integrate any other application you don't find in the gallery (Non-gallery)
  5. [Create]

2. Set Up Mapping

Access Attribute mapping (Preview)

2.1. Set Up User Attribute Mapping

  1. Set values for the following User Attributes:

     customappsso Attribute          Microsoft Entra ID Attribute
     ------------------------------  ----------------------------------------------------
     externalId                      objectId
     userName                        userPrincipalName
     active                          Switch([IsSoftDeleted], , "False", "1", "True", "0")
     name.givenName                  givenName
     name.familyName                 surname
     emails[type eq "work"].value    mail

  2. [Save]

2.2. Set Up Group Attribute Mapping

  1. Set values for the following Group Attributes:

     customappsso Attribute          Microsoft Entra ID Attribute
     ------------------------------  ----------------------------
     externalId                      objectId
     displayName                     displayName
     description                     description

  2. To add missing attributes: [Show advanced options] > [Edit attribute list for customappsso]
  3. [Save]

3. Select Users and Groups for Provisioning

NOTES:

  • Each User must have an email address defined.
  • Usernames cannot exceed 100 characters.

  1. Access User & groups
  2. [+ Add user/group]
  3. Under User and groups, click [None Selected]
  4. Choose the Users and Groups to sync
  5. [Select]

Attribute Mapping Between Microsoft Azure and Metric Insights

The table below shows mapping between Microsoft Azure and Metric Insights for User and Group attributes:

     Microsoft Azure          Metric Insights
     -----------------------  ---------------------------
     Users
       User principal name    Username
       First name             First Name
       Last name              Last Name
       Email                  Email
       Account status         User is (enabled/disabled)
     Groups
       Group name             Name
       Group description      Description
       Object Id              Group Alias
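
As an added example (not Metric Insights or Microsoft code), this Python sketch applies the User mapping from section 2.1 to Entra records and flags the ones that conflict with the notes in section 3 (no email address, username over 100 characters) before they are assigned to the app. The record field names follow the mapping table, the resource layout follows the SCIM core User schema (RFC 7643), and the sample users are constructed.

```python
# Added example: pre-flight check of Entra user records against this page's mapping.
MAX_USERNAME_LEN = 100  # from the notes: usernames cannot exceed 100 characters

def switch(source, default, *pairs):
    """Mimic the Entra expression Switch(source, default, key1, value1, ...)."""
    return dict(zip(pairs[0::2], pairs[1::2])).get(str(source), default)

def to_scim_user(entra):
    """Apply the User attribute mapping from section 2.1 to one Entra record."""
    user = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "externalId": entra.get("objectId"),
        "userName": entra.get("userPrincipalName"),
        # Switch([IsSoftDeleted], , "False", "1", "True", "0")
        "active": switch(entra.get("IsSoftDeleted"), "", "False", "1", "True", "0"),
        "name": {"givenName": entra.get("givenName"), "familyName": entra.get("surname")},
    }
    if entra.get("mail"):
        user["emails"] = [{"type": "work", "value": entra["mail"]}]
    return user

def preflight(entra):
    """Return the problems that would block or distort the sync for this record."""
    scim, problems = to_scim_user(entra), []
    if not scim.get("emails"):
        problems.append("no email address (mail is empty)")
    name = scim.get("userName") or ""
    if not name:
        problems.append("userPrincipalName is empty")
    elif len(name) > MAX_USERNAME_LEN:
        problems.append(f"username is {len(name)} characters (limit {MAX_USERNAME_LEN})")
    if scim["active"] == "":
        problems.append("IsSoftDeleted is neither True nor False")
    return problems

SAMPLE_USERS = [  # constructed records, not real directory data
    {"objectId": "00000000-0000-0000-0000-000000000001", "userPrincipalName": "ana@example.com",
     "mail": "ana@example.com", "givenName": "Ana", "surname": "Ruiz", "IsSoftDeleted": False},
    {"objectId": "00000000-0000-0000-0000-000000000002", "userPrincipalName": "svc-report@example.com",
     "mail": None, "givenName": "Report", "surname": "Service", "IsSoftDeleted": False},
    {"objectId": "00000000-0000-0000-0000-000000000003", "userPrincipalName": "x" * 95 + "@example.com",
     "mail": "long@example.com", "givenName": "Long", "surname": "Name", "IsSoftDeleted": True},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["userPrincipalName"][:30], preflight(u) or "OK", to_scim_user(u)["active"])
```
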

4. Configure Provisioning

  1. Access Provisioning
  2. [Connect your application]
  3. Tenant URL: https://<MI hostname>/scim/v2
  4. Secret token: Enter a personal MI API Token
    • NOTE: The token must be assigned to an Admin user
  5. [Test connection]
  6. Once the connection is established, [Create]

5. Enable Provisioning

  1. Access Provisioning
  2. Access Settings > [Enable Provisioning Status]

6. Start Provisioning

  1. Access Overview (Preview)
  2. [Start provisioning]
  3. [Yes]

Once provisioning has started, it will run automatically at a fixed interval of 40 minutes, synchronizing all new or updated data without requiring a full sync.

6.1. Provision on Demand

It is possible to launch provisioning on demand if you need to sync new changes immediately, without waiting for the scheduled 40-minute interval.

  1. [Provision on demand]
  2. Upon successful provisioning, proceed to verification.

7. View Provisioning Logs

To verify user sync results:

  1. Access Provisioning logs
  2. Locate the relevant sync action
  3. Check Modified Properties

8. Verify Sync in Metric Insights

Access Admin > Users & Groups

Confirm that synced Users and Groups are visible.

9. Configure User Deletion and SCIM Logging

Access Admin > System > System Variables

  1. Enter "SCIM" in the search box
  2. Configure the following parameters:
    • ENABLE_SCIM_REQUEST_LOGGER: Set to "Y" to enable logging for SCIM requests. The logs are saved to the /opt/mi/web/backend/data/temp/scim directory under the web container. The default value is "N".
    • SCIM_REMOVE_USER_ON_SOFT_DELETE:
      • "Y": When a User is deleted in Microsoft Azure, they are deleted from Metric Insights.
        • If the User is restored in Microsoft Azure, they are re-created in Metric Insights with the same User attributes.
      • "N" (default): When a User is deleted in Microsoft Azure, they are disabled in Metric Insights. A special prefix is added to their username.
        • If the User is restored in Microsoft Azure, they are enabled in Metric Insights. The special prefix is removed from the username.
  3. [Commit Changes]