Skip to content

Provisioning users and groups in Azure AD

The user/group provisioning service enables the synchronization of users and groups between Azure AD and Lime CRM. This service implements the SCIM standard (System for Cross-domain Identity Management), which uses a RESTful API to automatically provision/de-provision users and groups that exist in Azure AD.

Requirements

To be able to use the provisioning service, Azure AD login must be enabled. Please refer to this guide on how to set up Azure AD login.

Configuration - Lime side

Set the application configuration as shown below (refer to application config docs if you have no experience with it).

  • In the config part, we specify if the SCIM feature that enables user provisiong is set for the application.

  • In the secrets part, we have to specify a pre-shared key (token) which we also need to provide in the Azure SCIM configuration, as will be explained later. One way to generate this token is this: python -c "import secrets; print(secrets.token_hex(128))"

SCIM configuration

Configuration - Azure AD side

To set up user provisioning, you should already have an active directory and an enterprise application created in the Azure portal. Follow the documentation for more information.

Once the active directory and the application are ready, proceed as follows:

  • Go to "Enterprise applications" and select your application from the list.
  • Make sure that the application contains some users and/or groups by clicking on "Users and groups" in the side bar. If there are none, assign some user(s) to your application.

Users_groups

  • Select "Provisioning" in the side bar.
  • If this is the first time, set up provisioning as follows:

    • Click on the "Get started" button and choose Automatic provisioning mode.
    • In the Admin Credentials section, enter a URL of the following format in the Tenant URL field: http://{root_url}/{application_name}/api/v1/scim/. Replace the rootURL and application_name parts with the ones exctracted from your application URL, as shown below.

    admin_credentials

    • In the Secret Token field, provide the token (128 char string) that you generated for the application configuration part in Lime CRM.
    • Test the connection and if successful, save the provisioning.
  • Now you can start the provisioning process, which by default synchronizes the data every 40 minutes. You can also use "Provision on demand" to test the synchronization, but be aware that it only syncs users and not groups.

Limitations

Be aware of the following limitations:

  • Removing a user or group from your application in Azure does not delete your user from the Lime CRM database after the synchronization. Instead, the user/group will be deactivated (aka "soft delete").
  • Our current implementation supports a basic set of attribute mappings (included below for reference). Note that the attributes are mapped to field labels in Lime CRM.
Azure AD Attribute Lime CRM Field Label
userName username
displayName fullname
name.familyName lastname
name.givenName firstname
emails[type eq \"work\"].value primaryemailaddress
emails[type eq \"home\"].value secondaryemailaddre
active active
externalId sid
id id
phoneNumbers[type eq \"work\"].value businesstelephonenumber
phoneNumbers[type eq \"mobile\"].value mobiletelephonenumber
phoneNumbers[type eq \"home\"].value hometelephonenumber
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager responsiblecoworker