Azure Active Directory (SCIM)

Registering Application through the Microsoft Azure Portal

In the What's the name of your app filed, enter a name for your application.

Note - Do not change the default setting.

Browse to App registrations, locate and select your application.
Click Manage > Authentication > Add a platform.

The Configure platforms window appears.
Select Web.
In the Redirect URI (Optional) field, select Web from the type of application list and enter the relevant URI where the access token is sent to:
- For US data residency - https://<workspace>.perimeter81.com
- For EU data residency - https://<workspace>.eu.sase.checkpoint.com
Click Configure.
In the Redirect URIs section, enter:
- For US data residency - https://auth.perimeter81.com/login/callback
- For EU data residency - https://auth.eu.sase.checkpoint.com/login/callback
In the Front-channel logout URL section, enter https://{{WORKSPACE}}.perimeter.com where {{WORKSPACE}} refers to your Harmony SASE workspace name.
To allow access from external organizations, in the Supported account types section, select Accounts in any organizational directory (Any Azure AD directory - Multitenant).
Click Save.

To configure the permissions for the application:

Log in to your Microsoft Azure Portal.
Click Identity > Applications > App registrations > All applications.
Select your application.
Click Overview > Manage > API Permissions.
Click Add a permission.

The Request API permissions page appears.
Click Microsoft APIs and select Microsoft Graph from the list of available APIs to change the access level.
Click Delegated permissions.
Select the User.Read and Directory.Read.All checkbox to modify the permissions so your application can read the directory..
Click Add permissions > Configured permissions > Grant admin consent for approval of your app API permissions.
Click Yes.

Your application gets the granted permissions.
To enable user group support, enable:
1. Application Permissions: Read directory data.
2. Delegated permissions: Access the directory as the signed in user.
Click Save to save the changes.
To remove the Windows Azure Active Directory API permission, see Appendix A - Removing Microsoft Entra ID (formerly Azure AD) API Permissions.

To get the secret value of the key, go to the Client secrets tab and copy the secret Value.

This value is the Client Secret in Harmony SASE Admin console. .

Note - The Secret value of the key need to be copied before you close the screen. If not, you need to create a new key.

Access the Harmony SASE Administrator Portal and click Settings > Identity Providers.

The Identity Providers page appears.
Click Add Provider.

The Add identity provider window appears.
Select Microsoft Azure AD.
Click Continue.

The Microsoft Azure AD page appears.
In the Microsoft Azure AD Domain field, enter the domain name.
In the Domain Aliases field, enter the email ID(s) separated by commas or spaces.
In the Client ID field, enter the Application (client) ID in Microsoft Azure AD:
1. Log in to your Microsoft Azure Portal.
2. Go to Identity > Applications > App registrations > All applications.
3. Browse to App registrations, locate and select your application.
4. Go to Overview > Application (client) ID.
5. Copy the Application (client) ID value.
In the Client Secret field, enter the secret value.
In the Azure AD Edition, select either:
- PI
- P2
Select the SCIM Integration checkbox to enable continuous sync through the SCIM protocol.
Click Done.
Click Turn On in the SCIM Integration section if you are editing an existing Azure configuration.
To get the tenant URL and secret token, click Settings in the SCIM Integration section.
Click Copy to copy the URL.

This is the Tenant URL that is required when configuring SCIM Integration within Azure AD.
Click Generate Token.

The secret token is generated.
Click Copy Token.

This is the Secret Token that is required when configuring SCIM Integration within Azure AD.
Click Close.

Log in to your Microsoft Azure Portal.
Navigate to Azure Active Directory in the left pane.
Go to Manage > Enterprise applications.
Search and select the enterprise application you created.
In the left navigation pane, go to Manage > Provisioning.
Click Getting Started.

The Provisioning window appears.
In the Provisioning Mode list, select Automatic.
Expand Admin Credentials and enter these:
1. Tenant URL, see step 14 in Configuring SCIM Intergration within Harmony SASE.
2. Secret Token, see step 16 in Configuring SCIM Intergration within Harmony SASE.
Click Test Connection.
Expand Mappings.
Enable the Provision Azure Active Directory Groups toggle button.
Click Provision Azure Active Directory Users.

The Attribute Mapping window appears.
In the Target Object Actions section, select the relevant actions.

These actions will trig calls to the SCIM adapter.

Configure Attribute Mappings to match these configuration by deleting all the irrelevant fields and changing userPrincipalName:

Azure Active Directory Attribute	customappsso Attribute	Matching Precedence
`userPrincipalName`	`emails[type eq “work”].value`	1
`givenName`	`name.givenName`
`surname`	`name.familyName`
`Switch([IsSoftDeleted], , "False", "True", "True", "False")`	`active`
`mail`	`userName`

Note - If the userPrincipalName and emails[type eq "work"].value do not match, map userName with mail.

To provision a user on demand, click Provision on demand tab.

The Provision on demand window appears.
Search and select the user who you want to provision or update.
Click Provision.