Our SCIM integration with Azure AD allows admins to add and remove users within Azure itself, without ever having to sign into Sequr. Newly boarded users will receive an email explaining how to download their mobile key, and that key will be assigned the appropriate access rights to the office.
The SCIM push-based system treats your Azure directory as its source of truth. When changes are made in Azure, they are automatically pushed to Sequr, so your Sequr employee directory never falls out of sync with Azure.
The following instructions walk through the process of integrating Azure AD with Sequr. You will need admin privileges in both Azure AD and Sequr to complete this integration.
- The primary email address and phone number listed in Azure will be the email address and phone number listed in the Sequr employee directory.
- When adding or updating employees, Sequr will match based upon the primary email address listed for the Azure user. If the primary email address is not found in Sequr, a new employee will be added to the Sequr employee directory.
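As an added illustration of the matching behaviour described above (example code, not Sequr's implementation), the block below takes a SCIM 2.0 User resource of the kind Azure AD pushes, reduces it to the fields an employee directory needs, and upserts it keyed on the primary email address. The payloads are constructed samples; the attribute names follow the SCIM core User schema, and the case-insensitive email comparison is an assumption made here, not something the page states.

```python
# Added example (not Sequr's own code): mapping a SCIM 2.0 User pushed by
# Azure AD onto an employee directory keyed by primary email address.
# The payloads below are constructed samples; attribute names follow the
# SCIM core User schema (urn:ietf:params:scim:schemas:core:2.0:User).

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def primary_value(entries):
    """Return the value flagged primary in a SCIM multi-valued attribute
    (emails, phoneNumbers), falling back to the first entry when none is."""
    if not entries:
        return None
    for entry in entries:
        if entry.get("primary"):
            return entry.get("value")
    return entries[0].get("value")


def scim_user_to_employee(payload):
    """Reduce a SCIM User resource to the fields the directory needs."""
    if SCIM_USER_SCHEMA not in payload.get("schemas", []):
        raise ValueError("not a SCIM core User resource")
    # Azure AD maps the UPN to userName; a primary 'emails' entry wins if present.
    email = primary_value(payload.get("emails")) or payload.get("userName")
    if not email:
        raise ValueError("SCIM user carries no usable email address")
    name = payload.get("name") or {}
    return {
        "email": email.strip().lower(),  # assumption: matching is case-insensitive
        "phone": primary_value(payload.get("phoneNumbers")),
        "first_name": name.get("givenName"),
        "last_name": name.get("familyName"),
        "active": bool(payload.get("active", True)),
        "external_id": payload.get("externalId"),
    }


def upsert_employee(directory, payload):
    """Match on primary email: update the existing record or add a new one.
    A user pushed with active=false is deactivated, never deleted, so the
    record survives a later reactivation from the directory."""
    employee = scim_user_to_employee(payload)
    existing = directory.get(employee["email"])
    if existing is None:
        directory[employee["email"]] = employee
        return "created"
    existing.update(employee)
    return "updated" if employee["active"] else "deactivated"


# Constructed sample payloads shaped like Azure AD's SCIM client requests.
CREATE_PAYLOAD = {
    "schemas": [SCIM_USER_SCHEMA],
    "externalId": "constructed-object-id-0001",
    "userName": "Alice.Example@contoso.example",
    "name": {"givenName": "Alice", "familyName": "Example"},
    "emails": [{"primary": True, "type": "work", "value": "Alice.Example@contoso.example"}],
    "phoneNumbers": [{"primary": True, "type": "work", "value": "+1 555 0100"}],
    "active": True,
}
SUSPEND_PAYLOAD = {**CREATE_PAYLOAD, "active": False}


def demo():
    """Create, then suspend, the same user; returns the outcomes and directory."""
    directory = {}
    outcomes = [upsert_employee(directory, CREATE_PAYLOAD),
                upsert_employee(directory, SUSPEND_PAYLOAD)]
    return outcomes, directory


if __name__ == "__main__":
    print(demo())
```

The second push carries `active: false`, which is how Azure AD signals a suspended or deleted directory user; the record is kept and marked inactive rather than removed, matching the behaviour the page describes for deactivated users.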
Step 1: Prepare to enable the Sequr + Azure provisioning integration.
- Create Access Groups - You can grant permissions to specific door groups in Sequr based upon your Azure groups or any other attributes. Please create the appropriate Access Groups in Sequr based upon your specific office needs (this could reflect your Azure groups structure). For example, let's say you've created Employees, Contractors, and IT Admin access groups.
- If you have multiple office locations enabled with Sequr, decide whether you’d like to sync all users to all locations, or to sync specific users per location. This will affect how you set up the integration.
- Decide whether you would like to assign mobile keys to all newly boarded users by default.
Step 2: Enable the Sequr + Azure provisioning integration on Sequr.
- Login to the Sequr Web application and navigate to the Integrations page.
- Find Azure and click 'Install'.
Step 3: Azure Integration Install Wizard.
There are three simple steps in the Install Wizard.
1. Login with your Microsoft Azure account and grant permission.
Provide your login credentials. On the next screen, grant permission to Sequr to access your Microsoft account data.
2. Azure Integration Token
In this step, you will be assigned a secure token for your Azure provisioning integration. Please copy this token as you will need it in the next step when we apply it to your Azure portal.
3. Configure Rules for Employee Sync
All your properties will be listed on the Rules screen, where you can manage the rules for each property. At least one rule must be specified for each property for synchronization to succeed.
- On the Rules tab, click 'Add new rule'.
- Provide a ‘Name’ for the rule.
- Click ‘Add condition’ to add a new condition for the rule.
Note: Multiple conditions can be added for a rule.
- Select the ‘Operand’ and ‘Operator’ values from the drop-downs and enter a ‘Value’ in the text box for the condition.
- Select ‘any/all’ from the matches drop-down when the rule has multiple conditions.
- A rule can also be removed by pressing the 'Remove' button.
Note: This option is only available once more than one condition has been added to a rule.
- Select ‘Access Group’ to be assigned as an action from the available access groups.
- Select ‘Role’ to be assigned as an action from the available roles.
- Select ‘Yes’ or ‘No’ for the 'Assign a Mobile Key' option. If you select ‘Yes’, newly boarded users will automatically receive a Mobile Key. We recommend keeping it enabled for an easy onboarding experience.
While setting up your integration, you may choose to enable or disable certain user updates from Azure Active Directory to Sequr.
If your integration setup includes only a few basic or broad rules, or if you plan on changing user attributes manually within Sequr after users have been synced via Azure, we recommend disabling the ‘Override Roles on Update’ and ‘Override Access Groups on Update’ update flags. If enabled, these User Update flags may override manual changes made to your users’ roles and/or access groups in Sequr.
Delete User If No Rules Match: if changes have been made to a user’s profile within Azure that no longer qualify them for any of your integration rules, the user will be deactivated within Sequr. IMPORTANT NOTE: This flag will only come into play during directory updates. If you deactivate or suspend a user within your directory, the user will automatically be deactivated within Sequr, regardless of whether this User Update flag is enabled or not.
IMPORTANT NOTE: If your integration does not include a specialized rule for provisioning system administrators, we recommend disabling the ‘Override Roles on Update’ flag as system administrator privileges may be revoked for existing administrators during updates. To avoid losing administrative privileges while keeping this flag enabled, we recommend creating a specialized rule within your integration that will provision system administrators. Ensure that this rule is placed first within your rule priority list so that system administrators will be provisioned first, then remaining users will be matched to the following rules accordingly.
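To make the rule semantics above concrete, here is an added example (not Sequr's own code) that models the employee-sync rules: rules are evaluated in priority order and the first match wins, each rule's conditions are joined by any/all, and the three User Update flags decide what happens to an existing record. The operand and operator names, the rules and the sample users are constructed for illustration; `demo_priority` shows why the system-administrator rule must sit first in the list.

```python
# Added example (not Sequr's own code): a minimal model of the employee-sync
# rules described above. Rules are tried in priority order and the first
# match wins; each rule has conditions joined by any/all and assigns access
# groups, a role and the mobile-key choice. The update flags ('Override
# Roles on Update', 'Override Access Groups on Update', 'Delete User If No
# Rules Match') are modelled as booleans. Operand/operator names, the rules
# and the sample users are all constructed for illustration.

OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "not_equals": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: actual is not None and expected in actual,
    "in_group": lambda actual, expected: expected in (actual or []),
}


def condition_matches(user, cond):
    compare = OPERATORS[cond["operator"]]
    return compare(user.get(cond["operand"]), cond["value"])


def rule_matches(user, rule):
    results = [condition_matches(user, c) for c in rule["conditions"]]
    if not results:
        return False  # a rule with no conditions never matches
    return any(results) if rule.get("matches", "all") == "any" else all(results)


def first_matching_rule(user, rules):
    """Rules are tried top to bottom; the first hit wins."""
    for rule in rules:
        if rule_matches(user, rule):
            return rule
    return None


def onboard(user, rules):
    """Build the record for a newly pushed user, or None if no rule matches."""
    rule = first_matching_rule(user, rules)
    if rule is None:
        return None
    return {
        "email": user["email"],
        "active": True,
        "role": rule["role"],
        "access_groups": list(rule["access_groups"]),
        "mobile_key": rule.get("assign_mobile_key", True),
    }


def apply_update(employee, user, rules, flags):
    """Apply a directory update to an existing record, honouring the flags."""
    if not user.get("active", True):
        employee["active"] = False  # suspended in Azure: always deactivated
        return employee
    rule = first_matching_rule(user, rules)
    if rule is None:
        if flags.get("delete_if_no_rules_match", False):
            employee["active"] = False
        return employee
    employee["active"] = True
    if flags.get("override_roles", False):
        employee["role"] = rule["role"]  # may demote a manually granted admin
    if flags.get("override_access_groups", False):
        employee["access_groups"] = list(rule["access_groups"])
    return employee


# Constructed rules: the admin rule sits first, as the note above advises.
RULES = [
    {"name": "System administrators", "matches": "all",
     "conditions": [{"operand": "groups", "operator": "in_group", "value": "IT Admin"}],
     "role": "System Administrator", "access_groups": ["IT Admin", "Employees"]},
    {"name": "Contractors", "matches": "all",
     "conditions": [{"operand": "department", "operator": "equals", "value": "Contractors"}],
     "role": "Member", "access_groups": ["Contractors"]},
    {"name": "Employees", "matches": "any",
     "conditions": [{"operand": "department", "operator": "equals", "value": "Engineering"},
                    {"operand": "department", "operator": "equals", "value": "Sales"}],
     "role": "Member", "access_groups": ["Employees"]},
]

# Constructed sample users as they might arrive from Azure AD.
ADMIN = {"email": "alice@contoso.example", "department": "Engineering", "groups": ["IT Admin"]}
CONTRACTOR = {"email": "bob@contoso.example", "department": "Contractors", "groups": []}
UNMATCHED = {"email": "carol@contoso.example", "department": "Marketing", "groups": []}


def demo_priority():
    """Why the admin rule must come first: with the list reversed, Alice also
    satisfies the Employees rule and is onboarded as a plain Member."""
    return onboard(ADMIN, RULES)["role"], onboard(ADMIN, RULES[::-1])["role"]


if __name__ == "__main__":
    print(demo_priority())
```

With the rules in the intended order Alice is provisioned as a System Administrator; reversed, she lands on the Employees rule and, if ‘Override Roles on Update’ is enabled, an existing administrator record would be demoted on the next update, which is exactly the loss of privileges the note warns about.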
Step 4: Configure your Azure Account.
Applications that support SCIM provisioning, such as Sequr, can be connected to Azure Active Directory using the "non-gallery application" feature in the Azure AD application gallery. Once connected, Azure AD runs a synchronization process every 20 minutes in which it queries the application's SCIM endpoint for assigned users and groups, and creates or modifies them according to the assignment details.
To connect an application that supports SCIM:
1. Sign in to the Azure portal.
2. Browse to Azure Active Directory > Enterprise Applications, and select New Application > All > Non-gallery Application.
3. Enter a name for your application, and click 'Add Icon' to create an app object.
4. On the resulting screen, select the 'Provisioning' tab in the left column.
5. On the Provisioning Mode menu, select 'Automatic'.
6. In the Tenant URL field, enter the URL: https://scim-api.sequr.io/scim/v2
7. Copy the OAuth bearer token (the token generated during the Azure Installation Wizard) into the Secret Token field.
8. Click the 'Test Connection' button to have Azure Active Directory attempt to connect to the SCIM endpoint. If the attempt fails, error information will be displayed.
9. If the attempt to connect to the application succeeds, click 'Save' to save the admin credentials.
10. If user details are to be updated from the Sequr web application, disable the update option in the ‘Users’ mapping so those changes are not overridden from Azure AD (recommended).
11. Under Settings, the Scope field defines which users and/or groups are synchronized. Selecting "Sync only assigned users and groups" (recommended) will only sync users and groups assigned in the Users and groups tab.
12. Once your configuration is complete, change the Provisioning Status to 'On.'
13. Click 'Save' to start the Azure AD provisioning service.
14. If syncing only assigned users and groups (recommended), be sure to select the Users and groups tab and assign the users and/or groups you wish to sync.