User Provisioning setup with Entra ID (Azure AD)
  • 3 Minutes to read

    User Provisioning setup with Entra ID (Azure AD)


      Article Summary

      User provisioning is the IAM process of creating user accounts with specifically designated rights and permissions per the user’s role within a company. The process enables monitoring, management, and modification of the user’s account throughout their lifecycle in an organization — onboarding, promotions, transfers, and offboarding. The de-provisioning process follows, which covers deleting the account.

      Azure AD is a leading user provisioning tool with which NordLayer fully integrates. Admins manage the process through a centralized platform rather than logging into their NordLayer Control Panel.

      How to setup User Provisioning with Microsoft Azure AD

      Here’s a step-by-step guide on how to set up user provisioning with NordLayer organizations and Microsoft Azure Active Directory (Azure AD):

      Note: This guide is for those using the new Azure admin panel. To switch to the new design, follow the instructions given by Azure.

      1. Go to Microsoft Azure (https://portal.azure.com/) and log in

      1.1. Go to Azure Active Directory

      1.png

      1.2. Select Enterprise applications in the left sidebar menu;

      2.png

      1.3. Select New application -> Create your own application

      3.png

      4.png

      1.4. Enter the name of your application and choose Integrate any other application you don’t find in the gallery (Non-gallery)

      5.png

      1.5. On the application page, select Users and Groups in the left sidebar menu and add users

      6.png

      1.6. Open Provisioning in the left sidebar menu and click Get started

      7.png

      1. Log into NordLayer SMP Panel

      2.1. Click on the organization you wish to sync with Azure AD

      Note: If you're a Partner, you'll automatically enter the Administrator Mode.

      2.2. Go to Settings - Login methods

      2.3. Turn the toggle on for SCIM Provisioning with Azure AD

      2.4. In the new window (modal), you will see SCIM credentials. Copy credentials (Tenant URL & Secret token) and press Continue

      Note: The Secret Token generated for Azure AD provisioning does not have an expiration date. You do not need to regenerate it periodically.
      1. Go back to Azure

      3.1. Under Provisioning Mode, select Automatic and enter the admin credentials you saw in the NordLayer Control Panel

      11.png

      3.2. Click Test Connection and wait while the check takes place

      Note: Make sure to click on "Continue" in step 2.4 before proceeding to "Test Connection" in the Microsoft Azure tab

      12.png

      3.3. Once the check is complete, click Save and then close the window

      13.png

      3.4. Select Start provisioning

      14.png

      3.5. Beginning the user provisioning process will sync your NordLayer and Azure AD accounts.

      3.6. Go back to the NordLayer Control Panel on our website, navigate to Settings - Login Methods, and set up Azure AD authentication.

      Note: You can now inform your users that Azure SSO is available as a login option to the NordLayer application.

      For more information visit How do I enable Azure AD 3rd party authentication?

      User Provisioning with Microsoft Azure AD in Control Panel

      When User Provisioning with Microsoft Azure AD is enabled, it will look like this with an important message reminding you to enable Azure AD as a login method.

      Note: Be aware that you will lose the integration between SCIM and your Control Panel if the feature is disabled or if you add new credentials to Azure settings.

      Once enabled and you have provisioned at least one member or team, you will receive a message indicating that you can only edit provisioned members or teams in their source (Azure AD in this case). It means provisioned members and teams become read-only; you won’t be able to edit or delete them in the NordLayer Control Panel.

      Also, provisioned members and teams will have the Windows icons on their avatar to separate them from manually created members and teams.

      You can still invite members and create teams manually when this feature is enabled. It means there’s the possibility to have provisioned and manually created members and teams in your organization.

      1. Manually created members cannot be added to provisioned teams. It means when you are inviting new members (via the “Invite new member” button in the member list), teams listed under “Assign to team (optional)” are automatically filtered to only display manually created teams.

      2. Provisioned members can be added to manually created teams (“Create team” in teams list or “Add a member” in inner team page).

      If this feature is disabled and you have provisioned members, these members will become editable. The Windows icon will still be seen on the member’s or team’s avatars to separate them.

      Note: If you edited provisioned info, i.e., a team’s name, and you turn on Provisioning again, be aware Azure won’t be able to find the team and will create a new one. The same condition will apply to members if they change their email addresses.

      See logged actions like turning on or off the feature and any other actions triggered by SCIM Provisioning under Activity log - Actions tab:

      Note: In case you have any questions or are experiencing any issues, please feel free to contact our 24/7 customer support team.


      Was this article helpful?