ThousandEyes documentation is now hosted at docs.thousandeyes.com. Content on this site will no longer be updated.

How to set up SCIM with Azure Active Directory

Last updated: Thu Apr 09 23:43:46 GMT 2020

ThousandEyes users can be added, deleted and modified using SCIM 2.0 and 1.1 compatible identity providers, dramatically decreasing the time needed to provision users into ThousandEyes. This document describes the integration between the identity provider Azure Active Directory and ThousandEyes.

Prerequisites

Configuration is simple. Here's what you need:

  • A ThousandEyes account assigned a role with the following permissions:
    • View Users
    • Edit Users
    • API Access
  • An Azure AD subscription. 

Supported Features

  • User provisioning (creation)
  • User deletion
  • User modification
    • Display name
Group information or other user attributes cannot be translated into Account Groups, Roles or any other ThousandEyes structure.

Configuration

  1. To start, log in to Azure AD with this special link, which disables the Azure v2 Provisioning Client; that client is not compatible with ThousandEyes SCIM. If you have already set up SSO with Azure AD or have a custom Enterprise App, skip to step 7.
  2. Go to Azure Active Directory > Enterprise applications > Add an application and search for ThousandEyes.
  3. Click the ThousandEyes Enterprise application and click Add.
  4. Once you click Add, the Enterprise Application opens.
  5. Users can be assigned to the app using the Assign users and groups option.
  6. Consult the How to configure Single Sign-On with Azure Active Directory article for guidance on setting up SSO. This document focuses on setting up SCIM. SSO and SCIM are distinct features, so neither is required to set up the other.
  7. Click Provisioning (1) and change the Provisioning Mode (2) to Automatic.
  8. Go to the Profile tab of Account Settings > Users and Roles in ThousandEyes and copy the OAuth Bearer Token. Paste the token into the Secret Token (1) field under the Admin Credentials section in Azure and click the Test Connection (2) button. The enterprise application will now test the token and display the results (3).
  9. Expand the Mappings section and click the Synchronize Azure Active Directory Users to ThousandEyes hyperlink to open the mappings.
  10. Enable provisioning here and check the Create, Update and Delete boxes. Make sure the Attribute Mappings match the table below, then Save.

| Azure Active Directory Attribute | ThousandEyes Attribute | Matching precedence |
|---|---|---|
| userPrincipalName | userName | 1 |
| mail | emails[type eq "work"].value | 2 |
| Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | |
| displayName | displayName | |

  11. Turn on the Provisioning Status (1) radio button, set Scope (2) to Sync only assigned users and groups, and Save.
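
The Attribute Mappings from the Configuration steps above, applied in code as an added example (not ThousandEyes or Microsoft code): it shows how the Switch([IsSoftDeleted], ...) expression turns an Azure AD soft delete into active = false, and flags a mapping set that differs from the table. The sample records, the function names and the JSON body shape (SCIM 2.0 core User schema) are assumptions for illustration.

```python
# Added example: applies the page's attribute mappings to constructed
# Azure AD records and checks a configured mapping set for drift.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643

# (Azure AD source, ThousandEyes target, matching precedence) from the table.
EXPECTED = [
    ("userPrincipalName", "userName", 1),
    ("mail", 'emails[type eq "work"].value', 2),
    ('Switch([IsSoftDeleted], , "False", "True", "True", "False")', "active", None),
    ("displayName", "displayName", None),
]

def switch(value, default, *pairs):
    """Azure AD Switch(source, default, key1, value1, ...) semantics."""
    table = dict(zip(pairs[0::2], pairs[1::2]))
    return table.get(str(value), default)

def to_scim_user(aad):
    """Build the SCIM 2.0 User body the mappings describe (assumed shape)."""
    # Same arguments as the page's expression: empty default, values inverted.
    active = switch(aad["IsSoftDeleted"], "", "False", "True", "True", "False")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": aad["userPrincipalName"],
        "displayName": aad["displayName"],
        "emails": [{"type": "work", "value": aad["mail"]}],
        "active": active == "True",  # boolean per RFC 7643 (assumption)
    }

def mapping_drift(configured):
    """Return the differences between a configured mapping set and EXPECTED."""
    have = {target: (source, prec) for source, target, prec in configured}
    problems = []
    for source, target, prec in EXPECTED:
        if target not in have:
            problems.append(f"missing mapping for {target}")
        elif have[target] != (source, prec):
            problems.append(f"{target}: expected {source!r} (precedence {prec})")
    return problems

# Constructed sample records (hypothetical users, not from the page).
ALICE = {"userPrincipalName": "alice@example.com", "mail": "alice@example.com",
         "displayName": "Alice Example", "IsSoftDeleted": False}
REMOVED = dict(ALICE, IsSoftDeleted=True)

if __name__ == "__main__":
    print(to_scim_user(ALICE))
    print("soft-deleted user active:", to_scim_user(REMOVED)["active"])
    print(mapping_drift(EXPECTED[:2] + EXPECTED[3:]))  # 'active' row removed
```

A mapping set without the active row is the case to watch for: the soft delete in Azure AD would then have no mapped attribute to carry it to ThousandEyes.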

Status

Once the Initial Cycle runs, the Current Status section shows the results, including the number of users that are synchronized with ThousandEyes. This cycle runs once an hour to maintain sync between Azure AD and ThousandEyes. A cycle can be forced by checking the Clear current state and restart synchronization box and then clicking Save.

View Audit Logs reveals the under-the-hood activity and can be a very valuable troubleshooting tool.

Opening the Modified Properties tab of an Import event shows the Attribute Mappings in action.