Table of Contents
Prerequisites
Configuration is simple. Here's what you need:
- ThousandEyes account assigned a role with below permissions:
- View Users
- Edit Users
- API Access
- An Azure AD subscription.
Supported Features
- User provisioning (creation)
- User deletion
- User modification
- Display name
Configuration
- To start login to Azure AD with this special link, this disables the Azure v2 Provisioning Client which is not compatible with ThousandEyes SCIM. If you have already setup SSO with Azure AD or have a custom Enterprise App. skip to step 7.
- Go to Azure Active Directory > Enterprise applications > Add an application and search for ThousandEyes
- Click the ThousandEyes Enterprise application and Add
- Once you click Add, the Enterprise Application will open up as below:
- Users can be assigned to the app using the Assign users and groups option.
- Consult the How to configure Single Sign-On with Azure Active Directory article for guide on setting up SSO. We would focus on setting up SCIM here. SSO and SCIM are distinct features and hence one is not required to setup the other.
- Click Provisioning (1) and change the Provisioning Mode (2) to Automatic.
- Go to Profile tab of Account Settings > Users and Roles in ThousandEyes and grab the OAuth Bearer Token. Paste the token in Secret Token(1) field under Admin Credentials section in Azure and click the Test Connection (2) button. The enterprise application will now test the token and display results(3).
- Now Expand the Mappings section and click Synchronize Azure Active Directory Users to ThousandEyes hyperlink to open up mappings.
- Enable provisioning here check the Create, Update and Delete boxes. Make sure the Attribute Mappings match the below table and Save
Azure Active Directory Attribute
|
ThousandEyes Attribute
|
Matching precedence
|
---|---|---|
userPrincipalName
|
userName
|
1
|
mail
|
emails[type eq "work"].value
|
2
|
Switch([IsSoftDeleted], , "False", "True", "True", "False")
|
active
|
|
displayName
|
displayName
|
|
- Turn on the Provisioning Status (1) radio button , set Scope (2) to Sync only assigned users and groups and Save.
Status
Once the Initial Cycle runs, the Current Status section will show results with number of users that are synchronized with ThousandEyes. This cycle runs once an hour to maintain sync between Azure AD and ThousandEyes. A cycle can be forced by checking the Clear current state and restart synchronization box followed by Save.The View Audit Logs will reveal under the hood activity, this can be a very valuable troubleshooting tool:
Opening up Modified Properties tab of an Import event will reflect the Attribute Mappings in action: