How do I set up User Provisioning with Microsoft Azure AD?
User provisioning is the IAM process of creating user accounts with specifically designated rights and permissions per the user’s role within a company. The process enables monitoring, management, and modification of the user’s account throughout their lifecycle in an organization — onboarding, promotions, transfers, and offboarding. The de-provisioning process follows, which covers deleting the account.
Azure AD is a leading user provisioning tool with which NordLayer fully integrates. Admins manage the process through a centralized platform rather than logging into their NordLayer Control Panel.
How to set up User Provisioning with Microsoft Azure AD
Here’s a step-by-step guide on how to set up user provisioning with NordLayer organizations and Microsoft Azure Active Directory (Azure AD):
Note: This guide is for those using the new Azure admin panel. To switch to the new design, follow the instructions given by Azure.
1. Go to Microsoft Azure (https://portal.azure.com/) and log in
1.1. Go to Azure Active Directory
1.2. Select Enterprise applications in the left sidebar menu
1.3. Select New application -> Create your own application
1.4. Enter the name of your application and choose Integrate any other application you don’t find in the gallery (Non-gallery)
1.5. On the application page, select Users and Groups in the left sidebar menu and add users
1.6. Open Provisioning in the left sidebar menu and click Get started
2. Go to our website
2.1. Log into the NordLayer Control Panel
2.2. Go to Settings - Login methods
2.3. Turn the toggle on for SCIM Provisioning with Azure AD
2.4. In the new window (modal), you will see SCIM credentials. Copy credentials (Tenant URL & Secret token) and press Continue
3. Go back to Azure
3.1. Under Provisioning Mode, select Automatic and enter the SCIM credentials (Tenant URL and Secret token) you copied from the NordLayer Control Panel
3.2. Click Test Connection and wait while the check takes place
3.3. Once the check is complete, click Save and then close the window
3.4. Select Start provisioning
3.5. Beginning the user provisioning process will sync your NordLayer and Azure AD accounts.
3.6. Go back to the NordLayer Control Panel on our website, navigate to Settings - Login Methods, and set up Azure AD authentication.
Note: You can now inform your users that Azure SSO is available as a login option to the NordLayer application.
For more information, visit How do I enable Azure AD 3rd party authentication?
User Provisioning with Microsoft Azure AD in Control Panel
When User Provisioning with Microsoft Azure AD is enabled, the Control Panel shows it like this, with an important message reminding you to enable Azure AD as a login method.
Note: Be aware that you will lose the integration between SCIM and your Control Panel if the feature is disabled or if you add new credentials to Azure settings.
Once enabled and you have provisioned at least one member or team, you will receive a message indicating that you can only edit provisioned members or teams in their source (Azure AD in this case). It means provisioned members and teams become read-only; you won’t be able to edit or delete them in the NordLayer Control Panel.
Also, provisioned members and teams will have the Windows icons on their avatar to separate them from manually created members and teams.
You can still invite members and create teams manually when this feature is enabled, so your organization can contain both provisioned and manually created members and teams.
1. Manually created members cannot be added to provisioned teams. It means when you are inviting new members (via the “Invite new member” button in the member list), teams listed under “Assign to team (optional)” are automatically filtered to only display manually created teams.
2. Provisioned members can be added to manually created teams (“Create team” in teams list or “Add a member” in inner team page).
If this feature is disabled and you have provisioned members, these members become editable. The Windows icon remains visible on the member’s or team’s avatars to distinguish them.
Note: If you edited provisioned information (e.g., a team’s name) and then turn Provisioning on again, be aware that Azure won’t be able to find the team and will create a new one. The same applies to members if their email addresses change.
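The two behaviours that most often surprise admins here are the Test Connection step in 3.2 (Azure AD only accepts the endpoint if the Secret token it holds matches the one the Control Panel issued, which is why adding new credentials in Azure breaks the integration) and the duplicate-team effect described in the note above (Azure AD looks a team up by name before creating it, so a team renamed locally while provisioning was off is no longer found). The following is an added, constructed model of that reconciliation loop; it is not NordLayer's or Microsoft's code. It assumes, as Azure AD's SCIM documentation describes, that groups are matched with a `displayName eq "..."` filter and that the endpoint authenticates with a bearer token; the in-memory `ScimEndpoint` class, its identifiers and the token value are placeholders invented for the example.

```python
"""Constructed model of SCIM provisioning reconciliation between an identity
provider (Azure AD) and a service endpoint. Illustrative only: not NordLayer's
or Microsoft's implementation. Assumptions: bearer-token auth, groups matched
by `displayName eq "..."`, simplified placeholder schema and ids."""

import secrets
from dataclasses import dataclass, field


@dataclass
class ScimEndpoint:
    """Minimal in-memory stand-in for the service side of a SCIM integration."""
    secret_token: str                       # the Secret token shown in the Control Panel (placeholder value)
    groups: dict = field(default_factory=dict)  # placeholder id -> {"displayName": str, "provisioned": bool}
    enabled: bool = True                    # the "SCIM Provisioning with Azure AD" toggle

    def _authorized(self, bearer: str) -> bool:
        # Constant-time comparison so token checks do not leak timing information.
        return self.enabled and secrets.compare_digest(bearer, self.secret_token)

    def test_connection(self, bearer: str) -> int:
        """Step 3.2: the identity provider probes the endpoint with its token."""
        return 200 if self._authorized(bearer) else 401

    def find_group(self, bearer: str, display_name: str):
        """Models GET /Groups?filter=displayName eq "<name>" (assumed matching rule)."""
        if not self._authorized(bearer):
            return None
        for gid, group in self.groups.items():
            if group["displayName"] == display_name:
                return gid
        return None

    def create_group(self, bearer: str, display_name: str):
        """Models POST /Groups; the new team is flagged as provisioned (read-only locally)."""
        if not self._authorized(bearer):
            return None
        gid = f"g{len(self.groups) + 1}"   # placeholder identifier
        self.groups[gid] = {"displayName": display_name, "provisioned": True}
        return gid

    def rename_group_locally(self, gid: str, new_name: str) -> None:
        """A Control Panel edit: refused for provisioned teams while the toggle is on."""
        if self.groups[gid]["provisioned"] and self.enabled:
            raise PermissionError("provisioned teams are read-only while provisioning is on")
        self.groups[gid]["displayName"] = new_name


def reconcile_groups(endpoint: ScimEndpoint, bearer: str, azure_group_names):
    """One provisioning cycle: look each source group up by name, create it if absent.
    Returns the ids created in this cycle."""
    created = []
    for name in azure_group_names:
        if endpoint.find_group(bearer, name) is None:
            created.append(endpoint.create_group(bearer, name))
    return created


def walkthrough() -> dict:
    """Replays the article's scenario and reports what each stage produced."""
    token = "constructed-secret-token"          # placeholder, not a real credential
    endpoint = ScimEndpoint(secret_token=token)
    result = {
        "test_connection": endpoint.test_connection(token),           # 3.2 succeeds
        "stale_token": endpoint.test_connection("rotated-elsewhere"),  # new Azure credentials: integration lost
    }
    first = reconcile_groups(endpoint, token, ["Engineering"])        # 3.4 Start provisioning
    result["created_on_first_run"] = len(first)
    try:
        endpoint.rename_group_locally(first[0], "Platform Engineering")
        result["editable_while_on"] = True
    except PermissionError:
        result["editable_while_on"] = False                            # provisioned team is read-only
    endpoint.enabled = False                                           # feature disabled: team becomes editable
    endpoint.rename_group_locally(first[0], "Platform Engineering")
    endpoint.enabled = True                                            # provisioning turned on again
    second = reconcile_groups(endpoint, token, ["Engineering"])       # name no longer matches: duplicate created
    result["created_on_second_run"] = len(second)
    result["group_count"] = len(endpoint.groups)
    return result


if __name__ == "__main__":
    print(walkthrough())
```

Running `walkthrough()` shows the connection test passing only with the matching token, the provisioned team refusing a local edit while the toggle is on, and a second "Engineering" team appearing after the rename-then-re-enable sequence, which is the duplication the note warns about.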
See logged actions like turning on or off the feature and any other actions triggered by SCIM Provisioning under Activity log - Actions tab: