Entra ID (AAD) SCIM Server UserSync
Entra ID (AAD or Azure AD) can be configured to sync identities with Privacera UserSync.
Prerequisites
Entra ID (AAD) Administrator account access.
Privacera UserSync Configuration
Self Managed: set these Privacera Manager variables in ~/privacera/privacera-manager/config/custom-vars/vars.privacera-usersync.scimserver.yml.
Add:
SCIM_SERVER_BEARER_TOKEN: "{BEARER_TOKEN_VALUE}"
Update:
SCIM_SERVER_ATTRIBUTE_EMAIL: "emails[type-work].value"
PrivaceraCloud: configure the SCIM Server connector in the PrivaceraCloud portal instead.
- In Configure Connector > Authentication Type, select Bearer, click Generate Token and Copy, and save the token value for later.
- In the Base User Attributes section, update the Email Address value to emails[type-work].value
Entra ID (AAD) Configuration
For additional information regarding configuring a SCIM client in AAD, see the Microsoft documentation.
Create application
- Select Enterprise applications from the left pane, then + New application > + Create your own application.
- Enter an application name (e.g. "Privacera Provisioning").
- Select "Integrate any other application you don't find in the gallery (Non-gallery)" and click the Create button.
- On the app management screen, select Provisioning in the left panel, then click Get Started.
- Choose Automatic for the Provisioning Mode.
- Configure the Privacera credentials from the UserSync configuration:
  - PrivaceraCloud: the URL that was generated for you, and the Username/Password or Bearer Token you provided in your PrivaceraCloud account under Configure SCIM Server in PrivaceraCloud.
  - Self Managed: https://{SCIM_SERVER_HOST}/api/pus/public/scim/v2/{connectorName}
Configure mappings
Only include attributes that are configured on both the Privacera and the Azure AD side. The default attributes supported by Privacera UserSync are listed below; remove any other attribute from the Azure AD mapping unless you also add it to the Privacera UserSync configuration.
Groups (Azure AD attribute : SCIM attribute):
- displayName : displayName
- members : members
Users (Azure AD attribute : SCIM attribute):
- userPrincipalName : userName
- Switch([IsSoftDeleted]...) : active
- mail : emails[type eq "work"].value
- givenName : name.givenName
- surname : name.familyName
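As an added illustration (not Privacera's own code), the following Python resolves the SCIM attribute paths from the mapping above against a constructed Entra ID user payload, reports any attribute Entra sent that no configured path reads (the ones the text says to remove from the Azure AD mapping), and checks the bearer token in constant time. The field names on the left of USER_ATTRIBUTE_PATHS (username, email, ...) are assumed labels, not UserSync configuration keys.

```python
import hmac
import re

# Constructed example of an Entra ID provisioning /Users request body
# (not captured from a real tenant); only attributes from the mapping above.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@example.com",
    "active": True,
    "emails": [{"type": "work", "primary": True, "value": "alice@example.com"}],
    "name": {"givenName": "Alice", "familyName": "Liddell"},
}

# SCIM attribute paths (right-hand column of the mapping) keyed by assumed
# field labels; paths use SCIM filter syntax, as Entra emits them.
USER_ATTRIBUTE_PATHS = {
    "username": "userName",
    "active": "active",
    "email": 'emails[type eq "work"].value',
    "first_name": "name.givenName",
    "last_name": "name.familyName",
}

_FILTER = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]$')

def resolve_path(obj, path):
    """Resolve a dotted SCIM path with an optional [attr eq "value"] selector."""
    for segment in path.split("."):
        m = _FILTER.match(segment)
        if m:  # multi-valued attribute, e.g. emails[type eq "work"]
            attr, key, wanted = m.groups()
            matches = [e for e in obj.get(attr, []) if e.get(key) == wanted]
            if not matches:
                return None
            obj = matches[0]
        else:  # plain sub-attribute, e.g. name.givenName
            if not isinstance(obj, dict) or segment not in obj:
                return None
            obj = obj[segment]
    return obj

def map_user(scim_user, paths=USER_ATTRIBUTE_PATHS):
    return {field: resolve_path(scim_user, p) for field, p in paths.items()}

def unmapped_attributes(scim_user, paths=USER_ATTRIBUTE_PATHS):
    """Top-level attributes sent by Entra that no configured path reads."""
    used = {p.split(".")[0].split("[")[0] for p in paths.values()}
    return sorted(a for a in scim_user if a not in used and a != "schemas")

def token_ok(authorization_header, expected_token):
    """Constant-time check of the token set as SCIM_SERVER_BEARER_TOKEN."""
    scheme, _, token = authorization_header.partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, expected_token)
```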
Limitations
Microsoft Azure AD does not support syncing service principals or nested groups, so Privacera cannot support these capabilities either.
Configure scope
Select Sync all users and groups or Sync only assigned users and groups.