Syncing Users and Groups with SCIM via Microsoft Entra

Beginning in v7.1.2, Metric Insights introduces support for syncing Users and Groups from Microsoft Entra using SCIM (System for Cross-domain Identity Management). This integration enables automated synchronization of new or updated users and groups at regular intervals, without requiring a full dataset refresh. One of the key advantages of SCIM user synchronization is efficiency: instead of transferring large amounts of data, only the attributes, users, or groups that have changed are updated.

NOTES:

  • User Type can be optionally configured via Custom Security Attributes.
  • Tracked events include: creation/deletion of Users and Groups, attribute changes, and assignment, reassignment, or removal of Users in Groups.
  • Provisioning interval is fixed at 40 minutes, but provisioning can also be triggered on demand.
  • Only the selected Users/Groups are synced.
  • Only documented fields are supported; unsupported fields will be ignored.
  • For Users synced via SCIM, the authentication method is displayed as SSO.

TABLE OF CONTENTS:

  1. Create a New Enterprise App
  2. Set Up Mapping
    1. Set Up User Attribute Mapping
    2. Set Up Group Attribute Mapping
  3. Configure Users and Groups
  4. Optional: Configure User Type Sync via Custom Security Attributes
    1. Add New Custom Security Attribute Set
    2. Add Custom Security Set Definition
    3. Assign User Type
  5. Configure Provisioning
  6. Enable Provisioning
  7. Start Provisioning
    1. Provision on Demand
  8. View Provisioning Logs
  9. Verify Sync in Metric Insights
  10. Configure User Deletion and SCIM Logging

1. Create a New Enterprise App

  1. [+ New application]
  2. [+ Create your own application]
  3. Name your application
  4. Select Integrate any other application you don't find in the gallery (Non-gallery)
  5. [Create]

2. Set Up Mapping

Access Attribute mapping (Preview)

2.1. Set Up User Attribute Mapping

  1. Set values for the following User Attributes:

| customappsso Attribute | Microsoft Entra ID Attribute |
| --- | --- |
| externalId | objectId |
| userName | userPrincipalName |
| active | Switch([IsSoftDeleted], , "False", "1", "True", "0") |
| name.givenName | givenName |
| name.familyName | surname |
| emails[type eq "work"].value | mail |
| miUserType | extensionAttribute1 |

  2. [Save]

2.2. Set Up Group Attribute Mapping

  1. Set values for the following Group Attributes:

| customappsso Attribute | Microsoft Entra ID Attribute |
| --- | --- |
| externalId | objectId |
| displayName | displayName |
| description | description |
| members | members |

  2. To add missing attributes: [Show advanced options] > [Edit attribute list for customappsso]
  3. [Save]

3. Select Users and Groups for Provisioning

NOTES:

  • Each User must have an email address defined.
  • Usernames cannot exceed 100 characters.

  1. Access User & groups
  2. [+ Add user/group]
  3. Under User and groups, click [None Selected]
  4. Choose the Users and Groups to sync
  5. [Select]

How Microsoft Azure User and Group Attributes Are Shown In Metric Insights

The table below shows how User and Group field names from the Microsoft Azure UI appear in the Metric Insights User and Group Editors.

NOTE: The table does not include attributes that are used for mapping but are not directly displayed in the UI of both systems.

| Microsoft Azure | Metric Insights |
| --- | --- |
| Users | |
| User principal name | Username |
| First name | First Name |
| Last name | Last Name |
| Email | Email |
| Account status | User is (enabled/disabled) |
| Groups | |
| Group name | Name |
| Group description | Description |
| Object Id | Group Alias |

The screenshot below illustrates that the values in the table refer to field names as they appear in the Microsoft Azure Portal and in the Metric Insights UI.

4. Optional: Configure User Type Sync via Custom Security Attributes

By default, all users are synchronized as Regular Users in Metric Insights. Optionally, you can change this behavior by configuring a Custom security attribute for each user, as described below. You will need to create a Custom security attribute set, a Custom security attribute definition, and then assign the Custom security attribute to each user who should have a User Type other than Regular User.

4.1. Add New Custom Security Attribute Set

  1. Attribute set name: MiUserAttributeSet

4.2. Add Custom Security Set Definition

  1. Attribute name: MiUserType
  2. Data Type: String
  3. Allow multiple values to be assigned: No
  4. Only allow predefined values to be assigned: Yes
  5. Add the following predefined values:
    • admin
    • power
    • regular
    • system
  6. [Save]

4.3. Assign User Type

Access Users > Select a User > Custom security attributes

  1. [+ Add assignment]
  2. Choose the following values:
    • Attribute set: MiUserAttributeSet
    • Attribute name: MiUserType
    • Assigned values: Select the User Type:
      • admin (Administrator)
      • power (Power User)
      • regular (Regular User)
      • system (System Administrator)
  3. [Save]
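
The rules stated in sections 2.1, 3 and 4.2 (a required email address, the 100-character username limit, ignored unsupported fields, and the four predefined MiUserType values) can be checked on a user export before provisioning starts. The Python check below is an added example, not Metric Insights or Microsoft code; it also lists admin and system assignments so they can be reviewed before they sync. Assumptions: users are SCIM-style dictionaries keyed by the customappsso attribute names from the mapping table, miUserType is a top-level key, and the sample users are constructed.

```python
# Added example: pre-flight check of SCIM User resources against this page's rules.
# Assumption: top-level keys follow the customappsso names in the mapping table.
SUPPORTED = {"schemas", "externalId", "userName", "active", "name", "emails", "miUserType"}
USER_TYPES = {"admin", "power", "regular", "system"}   # predefined values, section 4.2
ELEVATED = {"admin", "system"}                         # list these for manual review
MAX_USERNAME = 100                                     # limit from the section 3 notes


def work_email(user):
    """Return the value selected by emails[type eq "work"].value, or None."""
    for entry in user.get("emails") or []:
        if entry.get("type") == "work" and entry.get("value"):
            return entry["value"]
    return None


def check_user(user):
    """Return (errors, warnings) for one SCIM User resource given as a dict."""
    errors, warnings = [], []
    name = user.get("userName") or ""
    if not name:
        errors.append("userName missing")
    elif len(name) > MAX_USERNAME:
        errors.append(f"userName is {len(name)} chars (max {MAX_USERNAME})")
    if work_email(user) is None:
        errors.append("no work email")
    user_type = user.get("miUserType") or "regular"    # unset means Regular User
    if user_type not in USER_TYPES:
        errors.append(f"miUserType {user_type!r} is not a predefined value")
    elif user_type in ELEVATED:
        warnings.append(f"elevated User Type: {user_type}")
    ignored = sorted(set(user) - SUPPORTED)
    if ignored:
        warnings.append("unsupported fields will be ignored: " + ", ".join(ignored))
    return errors, warnings


# Constructed sample input, not taken from a real tenant.
SAMPLE_USERS = [
    {"userName": "ana@example.com", "active": True, "miUserType": "admin",
     "emails": [{"type": "work", "value": "ana@example.com"}], "title": "CISO"},
    {"userName": "x" * 101 + "@example.com", "active": True,
     "emails": [{"type": "home", "value": "x@example.net"}]},
    {"userName": "bo@example.com", "miUserType": "Admin",
     "emails": [{"type": "work", "value": "bo@example.com"}]},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["userName"][:30], *check_user(u))
```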

5. Configure Provisioning

  1. Access Provisioning
  2. [Connect your application]
  3. Tenant URL: https://<MI hostname>/scim/v2
  4. Secret token: Enter a personal MI API Token
    • NOTE: The token must be assigned to an Admin user
  5. [Test connection]
  6. Once the connection is established, [Create]

6. Enable Provisioning

  1. Access Provisioning
  2. Access Settings > [Enable Provisioning Status]

7. Start Provisioning

  1. Access Overview (Preview)
  2. [Start provisioning]
  3. [Yes]

Once provisioning has started, it will run automatically at a fixed interval of 40 minutes, synchronizing all new or updated data without requiring a full sync.

7.1. Provision on Demand

It is possible to launch provisioning on demand if you need to sync new changes immediately, without waiting for the scheduled 40-minute interval.

  1. [Provision on demand]
  2. Upon successful provisioning, proceed to verification.

8. View Provisioning Logs

To verify user sync results:

  1. Access Provisioning logs
  2. Locate the relevant sync action
  3. Check Modified Properties

9. Verify Sync in Metric Insights

Access Admin > Users & Groups

Confirm that synced Users and Groups are visible.

10. Configure User Deletion and SCIM Logging

Access Admin > System > System Variables

  1. Enter "SCIM" in the search box
  2. Configure the following parameters:
    • ENABLE_SCIM_REQUEST_LOGGER: Set to "Y" to enable logging for SCIM requests. The logs are saved to the /opt/mi/web/backend/data/temp/scim directory under the web container. The default value is "N".
    • SCIM_REMOVE_USER_ON_SOFT_DELETE:
      • "Y": When a User is deleted in Microsoft Azure, they are deleted from Metric Insights.
        • If the User is restored in Microsoft Azure, they are re-created in Metric Insights with the same User attributes.
      • "N" (default): When a User is deleted in Microsoft Azure, they are disabled in Metric Insights. A special prefix is added to their username.
        • If the User is restored in Microsoft Azure, they are enabled in Metric Insights. The special prefix is removed from the username.
  3. [Commit Changes]