Azure Active Directory (SCIM)

Registering Application through the Microsoft Azure Portal

  1. Log in to your Microsoft Azure Portal.

  2. Navigate to Azure Active Directory in the left pane.

  3. Go to Manage > Enterprise applications.

  4. Click New application.

  5. Click Create your own application.

  6. In the What's the name of your app field, enter a name for your application.

    Note - Do not change the default setting.

  7. Click Create.

    The Microsoft Azure application is created.

Configuring Authentication for the Application

  1. Browse to App registrations, locate and select your application.

  2. Click Manage > Authentication > Add a platform.

    The Configure platforms window appears.

  3. Select Web.

  4. In the Redirect URI (Optional) field, enter the workspace URI to which the access token is sent:

    • For US data residency - https://workspace.perimeter81.com

    • For EU data residency - https://workspace.eu.sase.checkpoint.com

    • For AU data residency - https://workspace.au.sase.checkpoint.com

    • For IN data residency - https://workspace.in.sase.checkpoint.com

  5. Click Configure.

  6. In the Redirect URIs section, enter the login callback URI:

    • For US data residency - https://auth.perimeter81.com/login/callback

    • For EU data residency - https://auth.eu.sase.checkpoint.com/login/callback

    • For AU data residency - https://auth.au.sase.checkpoint.com/login/callback

    • For IN data residency - https://auth.in.sase.checkpoint.com/login/callback

  7. In the Front-channel logout URL section, enter your workspace URL:

    • For US data residency - https://{{WORKSPACE}}.perimeter81.com

    • For EU data residency - https://{{WORKSPACE}}.eu.sase.checkpoint.com

    • For AU data residency - https://{{WORKSPACE}}.au.sase.checkpoint.com

    • For IN data residency - https://{{WORKSPACE}}.in.sase.checkpoint.com
      where {{WORKSPACE}} refers to your Check Point SASE workspace name.

  8. To allow access from external organizations, in the Supported account types section, select Accounts in any organizational directory (Any Azure AD directory - Multitenant).

    Note - Select the multitenant option only if users from other Microsoft Entra tenants must sign in. A multitenant registration accepts tokens issued by any Microsoft Entra tenant, so for a single organization keep the default Accounts in this organizational directory only.

  9. Click Save.

Configuring the Permissions for the Application

To configure the permissions for the application:

  1. Log in to your Microsoft Azure Portal.

  2. Click Identity > Applications > App registrations > All applications.

  3. Select your application.

  4. Click Overview > Manage > API Permissions.

  5. Click Add a permission.

    The Request API permissions page appears.

  6. Click Microsoft APIs and select Microsoft Graph from the list of available APIs to change the access level.

  7. Click Delegated permissions.

  8. Select the User.Read and Directory.Read.All checkboxes so your application can read the directory.

  9. Click Add permissions. In the Configured permissions section, click Grant admin consent to approve the API permissions of your application.

  10. Click Yes.

    Your application gets the granted permissions.

  11. To enable user group support, enable:

    1. Application permissions: Read directory data (Directory.Read.All).

    2. Delegated permissions: Access the directory as the signed in user (Directory.AccessAsUser.All).

  12. Click Save to save the changes.

  13. To remove the Windows Azure Active Directory API permission, see Appendix A - Removing Microsoft Entra ID (formerly Azure AD) API Permissions.

Configuring the Key

  1. Log in to your Microsoft Azure Portal.

  2. Go to Identity > Applications > App registrations > All applications.

  3. Browse to App registrations, locate and select your application.

  4. Go to Manage > Certificates & secrets.

  5. Click New client secret.

    The Add a Client secret window appears.

  6. In the Description field, enter a name for the key.

  7. In the Expires field, select the expiry:

    • In 1 year

    • In 2 years

    • Never

    Note - Choose the shortest expiry your rotation process supports. A client secret that never expires stays valid indefinitely if it leaks, and the Microsoft Azure Portal may no longer offer the Never option.

  8. Click Add.

    The new key is added.

  9. To get the secret value of the key, go to the Client secrets tab and copy the secret Value (not the Secret ID).

    This value is the Client Secret in the SASE Administrator Portal.

    Note - The secret Value is shown only once and must be copied before you close the screen. If you did not copy it, create a new client secret. Store the value as a credential, for example in a secrets vault, not in a ticket or an email.

Configuring SCIM Integration within SASE Administrator Portal

  1. Access the SASE Administrator Portal and click Settings > Identity Providers.

    The Identity Providers page appears.

  2. Click Add Provider.

    The Add identity provider window appears.

  3. Select Microsoft Azure AD.

  4. Click Continue.

    The Microsoft Azure AD page appears.

  5. In the Microsoft Azure AD Domain field, enter the domain name.

  6. In the Domain Aliases field, enter the email ID(s) separated by commas or spaces.

  7. In the Client ID field, enter the Application (client) ID in Microsoft Azure AD:

    1. Log in to your Microsoft Azure Portal.

    2. Go to Identity > Applications > App registrations > All applications.

    3. Browse to App registrations, locate and select your application.

    4. Go to Overview > Application (client) ID.

    5. Copy the Application (client) ID value.

  8. In the Client Secret field, enter the secret value.

  9. From the Azure AD Edition list, select either:

    • P1

    • P2

  10. Select the SCIM Integration checkbox to enable continuous sync through the SCIM protocol.

  11. Click Done.

  12. Click Turn On in the SCIM Integration section if you are editing an existing Azure configuration.

  13. To get the tenant URL and secret token, click Settings in the SCIM Integration section.

  14. Click Copy to copy the URL.

    This is the Tenant URL that is required when configuring SCIM Integration within Azure AD.

  15. Click Generate Token.

    The secret token is generated.

  16. Click Copy Token.

    This is the Secret Token that is required when configuring SCIM Integration within Azure AD. It is a bearer credential that allows its holder to create, update and deactivate users in your workspace, so store it in a secrets vault and generate a new token if it is exposed.

  17. Click Close.

Configuring SCIM Integration within Azure AD Management Portal

  1. Access the Microsoft Azure Portal using administrator credentials.

  2. Go to Microsoft Entra ID > Enterprise Applications and locate the application previously created in Registering Application through the Microsoft Azure Portal.

  3. Click the application name to open the configuration.

  4. Click Get Started in the Provision User Accounts tile.

  5. Click Provisioning.

  6. From the Provisioning Mode list, select Automatic.

  7. Expand Admin Credentials.

  8. In the Tenant URL field, enter the SCIM URL (the Tenant URL copied in step 14 of Configuring SCIM Integration within SASE Administrator Portal):

    • For US based platform - https://api.perimeter81.com/api/scim

    • For EU based platform - https://api.eu.sase.checkpoint.com/api/scim

    • For AU based platform - https://api.au.sase.checkpoint.com/api/scim

    • For IN based platform - https://api.in.sase.checkpoint.com/api/scim

  9. In the Secret Token field, paste the Secret Token you copied in step 16 of Configuring SCIM Integration within SASE Administrator Portal.

  10. Click Test Connection.

  11. Click Save at the top left corner.

  12. Expand Mappings.

  13. Make sure that these options are enabled:

    1. Provision Microsoft Entra ID Groups

    2. Provision Microsoft Entra ID Users

  14. Click Provision Microsoft Entra ID Users.

  15. In the Attribute Mappings section, for userName, click Edit.

  16. From the Source attribute list, select mail.

  17. From the Matching precedence list, select 2.

  18. Click OK.

  19. Locate the emails[type eq "work"].value attribute and click Edit.

  20. From the Source attribute list, select userPrincipalName.

  21. From the Match objects using this attribute list, select Yes.

  22. From the Matching precedence list, select 3.

  23. Click OK.

  24. Go back to Attribute Mappings section and click Add New Mapping.

  25. From the Source attribute list, select objectId.

  26. From the Target attribute list, select nickName.

  27. From the Match objects using this attribute list, select Yes.

  28. From Matching precedence list, select 1.

  29. From the Apply this mapping list, select Only during object creation.

  30. Click OK.

  31. Retain these target attributes and delete all other mappings:

    • nickName

    • emails[type eq "work"].value

    • userName (source attribute: mail)

    • active

    • name.givenName

    • name.familyName (source attribute: surname)

  32. Click Save.

  33. Go to SCIM Application and select Users and groups.

  34. Click Add users/group.

  35. In the Users section, click None Selected.

  36. Select the user(s).

  37. Click Select and then click Assign.

  38. Go to the SCIM application.

  39. Go to Overview.

  40. Click Start provisioning.
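The mapping and matching steps above (nickName from objectId at precedence 1, userName from mail at precedence 2, the work email from userPrincipalName at precedence 3, nickName applied only during object creation) decide whether the Entra provisioning service updates an existing workspace user or creates a new one. The following is an added example, not code from Check Point or Microsoft: it models those mappings, builds the SCIM User resource for a create and for an update, and emulates the precedence-ordered filter queries Entra sends to the SCIM endpoint. It goes beyond the page by showing why objectId is the precedence-1 anchor: a user renamed in Entra is still matched, where matching on mail alone would create a duplicate. The Entra user objects, the stored SCIM users and the objectId values are constructed sample data, and the source attribute assumed for active (accountEnabled) is not named on the page.

```python
"""Added example (not Check Point's or Microsoft's code). It models the
attribute mappings and matching precedence configured above and shows which
SCIM filter queries the Entra provisioning service issues, in which order,
to decide between creating and updating a user. All user objects and the
SCIM store are constructed sample data; the source attribute for `active`
(accountEnabled) is an assumption, the page does not name it."""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
WORK_EMAIL = 'emails[type eq "work"].value'

# target SCIM attribute -> (Entra source attribute, matching precedence, create-only)
MAPPINGS = {
    "nickName":        ("objectId", 1, True),            # anchor; written once
    "userName":        ("mail", 2, False),
    WORK_EMAIL:        ("userPrincipalName", 3, False),
    "active":          ("accountEnabled", None, False),  # assumed source
    "name.givenName":  ("givenName", None, False),
    "name.familyName": ("surname", None, False),
}

def _matching_attributes():
    """(precedence, target, source) for the matching attributes, precedence 1 first."""
    return sorted((prec, target, source)
                  for target, (source, prec, _) in MAPPINGS.items()
                  if prec is not None)

def to_scim(entra_user, creating=True):
    """Build the SCIM User resource Entra sends for this user. On updates the
    create-only nickName mapping is skipped, so the objectId anchor written at
    creation is never overwritten."""
    resource = {"schemas": [SCIM_USER_SCHEMA]}
    for target, (source, _prec, create_only) in MAPPINGS.items():
        if create_only and not creating:
            continue
        value = entra_user[source]
        if target == WORK_EMAIL:
            resource["emails"] = [{"type": "work", "value": value, "primary": True}]
        elif target.startswith("name."):
            resource.setdefault("name", {})[target.split(".", 1)[1]] = value
        else:
            resource[target] = value
    return resource

def scim_value(resource, target):
    """Read a mapped target attribute back out of a stored SCIM resource."""
    if target == WORK_EMAIL:
        return next((e.get("value") for e in resource.get("emails", [])
                     if e.get("type") == "work"), None)
    if target.startswith("name."):
        return resource.get("name", {}).get(target.split(".", 1)[1])
    return resource.get(target)

def match_filters(entra_user):
    """SCIM filter expressions in precedence order. Values are JSON-quoted, as
    RFC 7644 requires for string literals, so a mail or UPN containing a quote
    cannot break out of the filter."""
    return [f"{target} eq {json.dumps(entra_user[source])}"
            for _prec, target, source in _matching_attributes()]

def find_existing(entra_user, scim_store):
    """Emulate Entra's matching: try each precedence in turn and return the
    first stored resource whose attribute equals the source value, with the
    precedence that matched; (None, None) means Entra would create the user."""
    for prec, target, source in _matching_attributes():
        for resource in scim_store:
            if scim_value(resource, target) == entra_user[source]:
                return resource, prec
    return None, None

# Constructed sample Entra users (fake objectIds, not real tenant objects).
JANE = {"objectId": "00000000-0000-4000-8000-000000000001",
        "mail": "jane.doe@example.com", "userPrincipalName": "jane.doe@example.com",
        "accountEnabled": True, "givenName": "Jane", "surname": "Doe"}
BOB = {"objectId": "00000000-0000-4000-8000-000000000002",
       "mail": "bob@example.com", "userPrincipalName": "bob@example.com",
       "accountEnabled": False, "givenName": "Bob", "surname": "Lee"}

# Constructed SCIM store. Jane was provisioned as jane.smith and then renamed
# in Entra: only the objectId in nickName still ties her to the existing user.
# Bob was provisioned before the nickName mapping existed, so only userName
# can match him.
STORE = [
    {"schemas": [SCIM_USER_SCHEMA], "id": "scim-1",
     "nickName": "00000000-0000-4000-8000-000000000001",
     "userName": "jane.smith@example.com",
     "emails": [{"type": "work", "value": "jane.smith@example.com"}],
     "active": True, "name": {"givenName": "Jane", "familyName": "Smith"}},
    {"schemas": [SCIM_USER_SCHEMA], "id": "scim-2",
     "userName": "bob@example.com",
     "emails": [{"type": "work", "value": "bob@example.com"}],
     "active": True, "name": {"givenName": "Bob", "familyName": "Lee"}},
]

if __name__ == "__main__":
    for user in (JANE, BOB):
        existing, prec = find_existing(user, STORE)
        action = f"update {existing['id']} (precedence {prec})" if existing else "create"
        print(user["mail"], "->", action)
        print(json.dumps(to_scim(user, creating=existing is None), indent=2))
```

Run it to see Jane resolved to scim-1 through nickName and Bob to scim-2 through userName; Bob's update payload also carries active set to False, which is how a disabled Entra account deactivates the workspace user. If the nickName mapping were removed, Jane's rename would fall through every precedence and provisioning would create a second user for her.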