How to set up SCIM with Azure Active Directory?

Reftab users can be added, deleted and modified using SCIM 2.0.

You define groups within your Azure Active Directory and Reftab syncs the members of those groups. This saves time and avoids the hassle of managing user accounts by hand, and because Reftab access then follows your directory, it is also a sound security practice.

1 – Log in to Azure and click Azure Active Directory


2 – Go to Manage > Enterprise applications


3 – Click New application


4 – Create your own application


5 – Name your application


6 – In the new app, click Provision User Accounts


7 – Click Get Started


8 – Set Provisioning Mode to Automatic. Fill out the Tenant URL and Secret Token with the values from your Reftab account:

Log into Reftab as an administrator and click “Settings” > “Integrations” > “Configure” next to SCIM.

Copy the Endpoint and paste it into “Tenant URL” in Azure.

Copy the Token and paste it into “Secret Token” in Azure.


Finally, click “Test Connection” and “Save”.

9 – Go to the Provision Azure Active Directory Users mapping


10 – Set up the attribute-mapping table as pictured in the screenshot and save


11 – Turn on the Provisioning Status in the app


12 – Add any users and/or groups you want to be sent to Reftab


13 – Log into Reftab. Click “Settings” > “Integrations” > “Configure SCIM”.

14 – Next, configure role assignments.

Notes:

Sync Frequency

You should begin to see users appear under the “Sub Accounts” page in Reftab. Subsequent syncs are triggered every 20-40 minutes.

Disabled Users

If a user was a member of a group pushed to Reftab but is later removed from that group, at the next sync they will be set to the “Default Role (for SCIM users without groups)” configured on the Manage SCIM page. Separately, the source can also send a ‘disable’ for a user: if the user is disabled in Azure AD, Reftab detects this and sets their role in Reftab to ‘Disabled’.
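As an added illustration (not Reftab's code), the following Python models the SCIM 2.0 PatchOp messages Azure AD sends for the two cases above and the Reftab role that results: a member removed from its mapped group falls back to the default role, and a user disabled in Azure becomes ‘Disabled’. The user and group ids, the group-to-role mapping and the precedence used when a user is in several mapped groups are assumptions.

```python
# Added illustration, not Reftab's code: models the SCIM 2.0 PatchOp messages Azure AD
# sends and the outcomes the guide describes (removed from group -> default role,
# disabled in Azure -> "Disabled"). Ids, group names and the role mapping are constructed.
import re

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
DEFAULT_ROLE = "Default Role (for SCIM users without groups)"
DISABLED_ROLE = "Disabled"
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')  # Azure's member-removal path
GROUP_ROLES = {"grp-admins": "Administrator"}  # constructed: SCIM group id -> Reftab role

def _truthy(value):
    # Azure may send "active" as the strings "True"/"False" rather than JSON booleans.
    return value if isinstance(value, bool) else str(value).lower() == "true"

def patch(users, resource, resource_id, payload):
    """Apply one PatchOp to a User (its active flag) or a Group (its members)."""
    if payload.get("schemas") != [PATCH_OP]:
        raise ValueError("not a SCIM 2.0 PatchOp message")
    for op in payload["Operations"]:
        kind, path = op["op"].lower(), op.get("path", "")
        if resource == "Users" and path == "active" and kind == "replace":
            users[resource_id]["active"] = _truthy(op["value"])
        elif resource == "Groups" and path.startswith("members"):
            m = MEMBER_FILTER.match(path)  # Remove uses a filter path, Add a value list
            ids = [m.group(1)] if m else [v["value"] for v in op.get("value", [])]
            for uid in ids:
                groups = users[uid]["groups"]
                (groups.add if kind == "add" else groups.discard)(resource_id)

def role_of(users, user_id):
    u = users[user_id]
    if not u["active"]:
        return DISABLED_ROLE  # disabled in Azure overrides any group membership
    if not u["groups"]:
        return DEFAULT_ROLE   # no mapped group left -> default role from the Manage SCIM page
    return GROUP_ROLES[sorted(u["groups"])[0]]  # assumption: first mapped group decides

def demo():
    # One user: created, added to the admin group, removed again, then disabled in Azure.
    users = {"u-1": {"active": _truthy("True"), "groups": set()}}
    steps = [("Groups", "grp-admins", {"op": "Add", "path": "members", "value": [{"value": "u-1"}]}),
             ("Groups", "grp-admins", {"op": "Remove", "path": 'members[value eq "u-1"]'}),
             ("Users", "u-1", {"op": "Replace", "path": "active", "value": "False"})]
    roles = [role_of(users, "u-1")]
    for res, rid, op in steps:
        patch(users, res, rid, {"schemas": [PATCH_OP], "Operations": [op]})
        roles.append(role_of(users, "u-1"))
    return roles  # [DEFAULT_ROLE, "Administrator", DEFAULT_ROLE, "Disabled"]
```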

Role Lock

To lock users into a Reftab access role (for example, those who should be Reftab administrators), turn on “role-lock” in Reftab. This locks the user into whatever access role they are currently in, so that a sync will not change it.

Reach out to help@reftab.com with any questions.

Next: Report on Disabled Users With Equipment

SCIM will automatically provision and disable users. It is best practice to report on users who are disabled. Follow this FAQ guide to set up an automated report that alerts you to any disabled users who still have equipment: Click Here