Microsoft Entra ID (formerly Azure Active Directory) (SCIM)

High-Level Procedure

• Part 1: Configure Entra ID

  • Step 1 - Creating an application in Entra ID

  • Step 2 - Configuring API Permissions

  • Step 3 - Configuring Secret Key for the Application

• Part 2: Configuring SASE IdP

• Part 3: Configuring SCIM

Part 1: Configure Entra ID

Step 1 - Creating an application in Entra ID

1. Access the Microsoft Azure Portal using administrator credentials.

2. From Azure services, click Microsoft Entra ID.
   

3. Click Overview.

   

4. From the Basic information section, make a note of the License.

5. Go to Manage > Enterprise applications.

   

6. Go to All applications.

7. Click New application.

   

8. In the Browse Microsoft Entra Gallery page, click Create your own application.

   

9. In the Create your own application panel that appears on the right, enter the application name (for example, SASE) and click Create.

   

   Once the application is created, the Overview page appears.
   

10. Click the icon next to Application ID to copy it.

    

11. Click Assign users and groups and then click Add user/group.

    

12. In the Users section, click None Selected.

    

13. Select the users and groups you want to add to the application and click Select.

    

14. Click Assign.

    
    Once assigned, the Home page appears.

15. Click Microsoft Entra ID.

16. From the left panel, click App registrations.
    

17. In the All applications tab, click the application you created.
    

18. Go to Manage > Authentication (Preview) and click Add Redirect URI.
    

19. In the Select a platform to add redirect URI panel that appears on the right, select Web.

20. In the Redirect URIs field, enter your workspace name and click Configure:

    • For EU based platform - https://workspace.eu.sase.checkpoint.com

    • For US based platform - https://workspace.perimeter81.com

    • For AU based platform - https://workspace.au.sase.checkpoint.com

    • For IN based platform - https://workspace.in.sase.checkpoint.com
      

21. In the Redirect URIs section, click Add URI and add these:

    • For EU based platform - https://auth.eu.sase.checkpoint.com/login/callback

    • For US based platform - https://auth.perimeter81.com/login/callback

    • For AU based platform - https://auth.au.sase.checkpoint.com/login/callback

    • For IN based platform - https://auth.in.sase.checkpoint.com/login/callback
      

22. Click Configure

23. Click Settings. In the Front-channel logout URL section, enter your workspace name:

    • For EU based platform - https://workspace.eu.sase.checkpoint.com

    • For US based platform - https://workspace.perimeter81.com

    • For AU based platform - https://workspace.au.sase.checkpoint.com

    • For IN based platform - https://workspace.in.sase.checkpoint.com
      
      

24. In the Supported account types section, select the applicable option for supported account types and click Save.

Step 2 - Configuring API Permissions

1. From the left panel, click Manage > API permissions and then click Add a permission.

   

   The Request API permissions panel appears to the right.

2. Select Microsoft APIs tab and then select Microsoft Graph.

3. Click Delegated permissions.

   

4. Click Directory to view the permissions and then select Directory.Read.All.

   

5. Click User to view the permissions and then select User.Read.

   

6. Scroll to the top of the page and click Application permissions.

   

7. Click Directory to view the permissions and then select Directory.Read.All.

8. Click Add permissions.

   

9. Click Grant admin.

   The Grant admin consent confirmation window appears.

10. Click Yes.

    

Step 3 - Configuring Secret Key for the Application

1. From the left panel, select Certificates & secrets and click the Client secrets tab.

2. Click New client secret.

   

   Note - You must use this client secret (password) as the Client Secret when connecting with the SASE IdP.

3. In the Add a client secret panel that appears on the right, specify these:

   • Description - Enter a description.

   • Expires - Select the secret expiration from the list.

     

4. Click Add.

5. To copy the secret value, in the Value field, click .

   

Part 2: Configuring Harmony SASE IDP

1. Access the SASE Administrator Portal.

2. Go to Settings > Identity Providers.

3. Click Add Provider.

   

   The Add identity provider window appears.

4. Select Microsoft Azure AD and click Continue.

   

5. Enter these details:

   • Microsoft Azure AD Domain

   • (Optional) Domain Aliases

   • Client ID

   • Client Secret (you copied while configuring the key)

     

6. Select the SCIM Integration checkbox.

7. Click Done.

   The Azure AD gets created successfully.

8. In the Microsoft Azure AD section, click Settings.

   

9. Click Generate Token.

   

   The Azure AD SCIM Data window appears.

10. Copy the URL and Token and then click Close.

    

Part 3: Configuring SCIM

1. Access the Microsoft Azure Portal using administrator credentials.

2. Go to Microsoft Entra ID > Enterprise Applications and locate the application previously created in Step 1 - Creating an application in Entra ID.

3. Click the application name to open the configuration.

4. Click Get Started in the Provision User Accounts tile.
   

5. Click Provisioning.
   

6. From the Provisioning Mode list, select Automatic.

   

7. Expand Admin Credentials.

8. In the Tenant URL field, enter the SCIM URL.

• For US based platform - https://api.perimeter81.com/api/scim

• For EU based platform - https://api.eu.sase.checkpoint.com/api/scim

• For AU based platform - https://api.au.sase.checkpoint.com/api/scim

• For IN based platform - https://api.in.sase.checkpoint.com/api/scim

9. In the Secret Token field, paste the token you copied in Part 2: Configuring Harmony SASE IDP section step 11.

10. Click Test Connection.

11. Click Save at the top left corner.

    

12. Expand Mappings.

    

13. Make sure that these options are enabled:

    1. Provision Microsoft Entra ID Groups

    2. Provision Microsoft Entra ID Users

14. Click Provision Microsoft Entra ID Users.

    

15. In the Attribute Mappings section, for userName, click Edit.

    

16. From the Source attribute list, select mail.

17. From the Match precedence list, select 2.

    

18. Click OK.

19. Locate the emails[type eq “work”].value attribute and click Edit.

20. From the Source attribute list, select userPrincipalName.

21. From the Match objects using this attribute list, select Yes.

22. From the Matching precedence list, select 3.
    

23. Click OK.

24. Go back to Attribute Mappings section and click Add New Mapping.

25. From the Source attribute list, select objectId.

26. From the Target attribute list, select nickName.

27. From the Match objects using this attribute list, select Yes.

28. From Matching precedence list, select 1.

29. From the Apply this mapping list, select Only during object creation.
    

30. Click OK.

31. Retain these attributes and delete other attributes:

    • nickName

    • emails[type eq “work”].value

    • userNamemail

    • active

    • name.givenName

    • name.familyNamesurname

    

32. Click Save.

33. Go to SCIM Application and select Users and groups.

34. Click Add users/group.

35. In the Users section, click None Selected.

36. Select the user(s).

37. Click Select and then click Assign.

    

38. Go to the SCIM application.

39. Go to Overview.

40. Click Start provisioning.