Adding SCIM application in Azure

After generating a SCIM access token, you should create the SCIM application in Microsoft Entra ID so that admins can provision/deprovision users directly in Microsoft Entra and have those users automatically created, attributes edited, or disabled within Forcepoint Data Security Cloud.

Before you begin

Before setting up SCIM provisioning, fill in the user's Email field (under Contact info) in Microsoft Entra ID. The SCIM code requires this field when pulling the user over. The email must belong to the company's domain; it is suggested that you copy the value from that user's userPrincipalName (UPN) field, since that is already the user's valid company email domain.


To learn more about using SCIM with Azure AD, refer to the Microsoft Guide.

Follow the steps below to add the SCIM application in Azure:

Steps

  1. On the left pane, navigate to Microsoft Entra ID > Enterprise Applications.
  2. On the Enterprise Applications page, navigate to All applications > New application.


  3. On the Browse Microsoft Entra Gallery page, click Create your own application.
  4. On the Create your own application dialog that appears on the right:
    1. Enter a recognizable application name.
    2. Ensure Integrate any other application you don't find in the gallery (Non-gallery) is selected.


    3. Click Create. It may take a few moments for the app to be created.
  5. On the resulting page, select Provisioning from the left pane or Get started from the 3. Provision User Accounts tile and then select Get started to automatically create, update, and delete accounts when users join, leave, and move within your organization.


  6. On the Provisioning page, select Automatic from the Provisioning Mode drop-down.


  7. Expand the Admin Credentials section:
    1. Copy the Base URL from the Admin > SCIM page in Forcepoint Data Security Cloud and paste it in the Tenant URL field.
    2. Copy the SCIM access Token that you generated during the SCIM token generation in Forcepoint Data Security Cloud and paste it in the Secret Token field.
    3. To test the connection with the entered Tenant URL and Token, click Test Connection.
  8. To save the details entered, click Save.

    Once you save, you will see options to configure which users or groups are going to be provisioned, as well as which attributes.



  9. Under the Mappings section, adjust the user attribute properties to match the users in your app.
    1. To open the Attribute Mapping page for users, click the Provision Microsoft Entra ID Users link.
    2. Adjust the fields of user attribute mapping to match the following:


      customappsso Attribute                   Microsoft Entra ID Attribute
      ---------------------------------------  ------------------------------------------------------
      userName                                 userPrincipalName
      active                                   Switch([IsSoftDeleted], , "False", "True", "True", "False")
      displayName                              displayName
      title                                    jobTitle
      emails[type eq "work"].value             mail
      preferredLanguage                        preferredLanguage
      name.givenName                           givenName
      name.familyName                          surname
      name.formatted                           Join(" ", [givenName], [surname])
      addresses[type eq "work"].formatted      physicalDeliveryOfficeName
      addresses[type eq "work"].streetAddress  streetAddress
      addresses[type eq "work"].locality       city
      addresses[type eq "work"].region         state
      addresses[type eq "work"].postalCode     postalCode
      addresses[type eq "work"].country        country
      phoneNumbers[type eq "work"].value       telephoneNumber
      phoneNumbers[type eq "mobile"].value     mobile
      phoneNumbers[type eq "fax"].value        facsimileTelephoneNumber
      externalId                               objectId
      emails[type eq "home"].value             otherMails
      name.middleName                          surname
      Note: Microsoft Entra allows each Target Attribute value to be mapped to only one Source attribute. For example, the Target Attribute drop-down will not display the externalId option because externalId is already mapped to another source attribute by default. So, you have to update the existing mapping of externalId.
    3. Click Save on the Attribute Mapping page and click Yes on the Save Changes dialog.
  10. Under the Mappings section of the Provisioning page, adjust the group attribute properties to match the groups in your app.
    1. To open the Attribute Mapping page for groups, click the Provision Microsoft Entra ID Groups link.
    2. Adjust the fields of groups attribute mapping to match the following:


      customappsso Attribute    Microsoft Entra ID Attribute
      ------------------------  ------------------------------
      displayName               displayName
      externalId                objectId
      members                   members
      Note: Microsoft Entra allows each Target Attribute value to be mapped to only one Source attribute. For example, the Target Attribute drop-down will not display the externalId option because externalId is already mapped to another source attribute by default. So, you have to update the existing mapping of externalId.
    3. Click Save on the Attribute Mapping page and click Yes on the Save Changes dialog.
  11. Expand the Settings section of the Provisioning page:
    1. To enable an email notification when a failure occurs, select the Send an email notification when a failure occurs checkbox.


    2. Enter an email to notify you if a failure occurs in the Notification Email field.
    3. From the Scope drop-down, choose which users/groups are synced over.
      • Sync all users and groups - Select this option to sync all users and groups to Forcepoint Data Security Cloud.
      • Sync only assigned users and groups - Select this option to sync only assigned users and groups to Forcepoint Data Security Cloud.
    4. To save the details entered, click Save.
  12. To only sync over specific users or groups, you will need to add them to the application.
    1. In the left column, select Users and groups and then click Add user/group.


    2. On the Add Assignment page, select the Users and groups option to select the specific user(s) and/or group(s) that you want to provision.
    3. Once you have made all of your selections, click Select at the bottom.


    4. Click Assign to assign the selected users and groups to the application.
  13. On the Provisioning page, turn the Provisioning Status to On to sync users and groups into Forcepoint Data Security Cloud.


  14. Click Save to start the synchronization of selected users and groups into Forcepoint Data Security Cloud.
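The two mapping tables and the email prerequisite above, worked through as an added Python example (this is illustrative code, not Forcepoint's or Microsoft's): it applies the user and group tables to a constructed Microsoft Entra ID user object, including the Switch() expression for active and Join() for name.formatted, and runs the email precondition check first. COMPANY_DOMAIN, the sample user, and the assumption that Join() skips empty parts are mine.

```python
# Added example: simulate the customappsso <- Entra attribute mappings above.
# COMPANY_DOMAIN and SAMPLE_USER are constructed assumptions, not real data.

COMPANY_DOMAIN = "example.com"  # assumption: your verified company email domain

SAMPLE_USER = {  # constructed Entra user; keys follow the mapping table
    "objectId": "11111111-2222-3333-4444-555555555555",
    "userPrincipalName": "ada.lovelace@example.com",
    "mail": "ada.lovelace@example.com",
    "otherMails": ["ada@home.example"],
    "IsSoftDeleted": False,
    "displayName": "Ada Lovelace", "givenName": "Ada", "surname": "Lovelace",
    "jobTitle": "Analyst", "preferredLanguage": "en-GB",
    "physicalDeliveryOfficeName": "HQ 3rd floor", "streetAddress": "1 Example Street",
    "city": "London", "state": "London", "postalCode": "EC1A 1AA", "country": "GB",
    "telephoneNumber": "+44 20 0000 0000", "mobile": "+44 7700 000000",
    "facsimileTelephoneNumber": None,
}


def check_prerequisites(user):
    """Problems that would stop clean provisioning: the Email field must be set
    and inside the company domain; the page suggests copying the UPN into it."""
    problems = []
    mail = user.get("mail") or ""
    if not mail:
        problems.append("mail is empty; SCIM provisioning requires it")
    elif not mail.lower().endswith("@" + COMPANY_DOMAIN):
        problems.append(f"mail {mail!r} is outside {COMPANY_DOMAIN}")
    elif mail.lower() != user.get("userPrincipalName", "").lower():
        problems.append("suggestion: mail differs from userPrincipalName")
    return problems


def switch_active(is_soft_deleted):
    # Switch([IsSoftDeleted], , "False", "True", "True", "False"): source value
    # "False" -> "True", "True" -> "False", so a soft-deleted user is inactive.
    table = {"False": "True", "True": "False"}
    return table[str(bool(is_soft_deleted))] == "True"


def join_name(given, surname):
    # Join(" ", [givenName], [surname]); assumed here to skip empty parts.
    return " ".join(p for p in (given, surname) if p)


def typed(kind, value):
    # One entry of a SCIM multi-valued attribute; None when there is nothing to send.
    if isinstance(value, list):  # otherMails is multi-valued in Entra; table takes one
        value = value[0] if value else None
    return {"type": kind, "value": value} if value else None


def _empty(v):
    return v is None or v == "" or v == {} or v == []


def drop_empty(obj):
    """Omit absent Entra attributes from the payload instead of sending nulls."""
    if isinstance(obj, dict):
        return {k: drop_empty(v) for k, v in obj.items() if not _empty(drop_empty(v))}
    if isinstance(obj, list):
        return [drop_empty(v) for v in obj if not _empty(drop_empty(v))]
    return obj


def build_scim_user(user):
    """Apply the user mapping table to one Entra user object."""
    g = user.get
    address = drop_empty({
        "type": "work", "formatted": g("physicalDeliveryOfficeName"),
        "streetAddress": g("streetAddress"), "locality": g("city"),
        "region": g("state"), "postalCode": g("postalCode"), "country": g("country"),
    })
    return drop_empty({
        "userName": g("userPrincipalName"),
        "active": switch_active(g("IsSoftDeleted", False)),
        "displayName": g("displayName"), "title": g("jobTitle"),
        "preferredLanguage": g("preferredLanguage"), "externalId": g("objectId"),
        "name": {"givenName": g("givenName"), "familyName": g("surname"),
                 "formatted": join_name(g("givenName"), g("surname")),
                 "middleName": g("surname")},  # as listed in the table above
        "emails": [typed("work", g("mail")), typed("home", g("otherMails"))],
        "addresses": [address] if len(address) > 1 else [],
        "phoneNumbers": [typed("work", g("telephoneNumber")), typed("mobile", g("mobile")),
                         typed("fax", g("facsimileTelephoneNumber"))],
    })


def build_scim_group(group):
    """Apply the group mapping table; members become SCIM member references
    whose 'value' is the Entra objectId (RFC 7643 member format)."""
    return drop_empty({
        "displayName": group.get("displayName"),
        "externalId": group.get("objectId"),
        "members": [{"value": m} for m in group.get("members", [])],
    })


if __name__ == "__main__":
    print(check_prerequisites(SAMPLE_USER), build_scim_user(SAMPLE_USER))
```

Running check_prerequisites over your directory export before turning Provisioning Status on surfaces the users that will fail on the email requirement; the fax entry and any other empty attribute are simply omitted from the payload rather than sent as nulls.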

Result

In Forcepoint Data Security Cloud, you can see all the users and groups that you have pushed from Microsoft Entra ID in the following pages:
  • Users in Admin > Users page
  • Groups in Admin > Groups page

Next steps

  • Now you are set to use Microsoft Entra ID as the IdP to login to Forcepoint Data Security Cloud.
  • Now you can require users from a specific username domain to be authenticated by the selected Microsoft Entra ID IdP. To configure a username domain, refer to Adding a new username domain.