Configure SCIM with Azure

Instead of manually copying and updating users, Lattice allows you to automatically configure Azure to send user profile updates to Lattice using SCIM. The supported features include:

1. Create Users: When a user is created or activated in Azure, they will automatically be created or reactivated in Lattice.
2. Update User Attributes: When a user attribute is changed in Azure, the corresponding user in Lattice will automatically be updated.
3. Deactivated Users: When a user is deactivated or disabled in Azure, the corresponding user in Lattice will automatically be deactivated.

Before you start

• If your organization wishes to deactivate Lattice employee profiles through your custom enterprise SCIM application, be sure to append your SCIM tenant URL with “aadOptscim062020”. 
  • For example, “https://api.latticehq.com/scim/v2?aadOptscim062020”
• Lattice’s SCIM API does not yet support SCIM Groups, SCIM Bulk Updates, Azure patch or filter options in attribute mapping
• Learn more about known issues for application provisioning in Azure Active Directory

To configure SCIM with Azure complete the following steps:

• Step 1: Create a Custom Enterprise Application in Azure for your Lattice SCIM connector
• Step 2: Enable provisioning for the custom Lattice SCIM application
• Step 3: Map user attributes
• Step 4: Add additional user attributes
• Step 5: Enable user provisioning

Step 1: Create a Custom Enterprise Application in Azure for your Lattice SCIM connector

You will need to create a custom Azure enterprise application to integrate. 

1. Log in to the Azure portal as an administrator. 
2. Enter the Azure Active Directory. 
3. Within the Azure sidebar menu, navigate to Enterprise Applications > + New Application.
4. Click + Create your own application.
5. Enter the name of your app (i.e. Lattice SCIM).
6. Under What are you looking to do with your application, select Integrate any other application you don't find in the gallery (Non-gallery).
7. Select Create. 
8. Under Getting Started, follow steps 1 and 3.
   • Assign users and groups access to the application
   • Provision user accounts to automatically create and delete user accounts in the application.

Step 2: Enable provisioning for the custom Lattice SCIM application

Once user and group records have been assigned to the Lattice custom Azure application, you can proceed to provision user accounts. 

1. Within the Provisioning page, select Get started.
2. Click on the Provisioning Mode dropdown and select the desired option. 
   • Manual: User and group entities will only be pushed to Lattice if synced manually
   • Automatic (recommended): User and group entities are pushed to Lattice every 45 minutes
3. If automatic provisioning is enabled, you must enter the following Lattice SCIM API details:
   • Tenant URL: https://api.latticehq.com/scim/v2
   • Secret Token: Lattice API Key [SCIM API must be enabled] Note: This key is only visible once so be sure to store it for copy into Azure and store in a secure place for retrieval.
4. Select Test Connection to ensure the credentials are authorized to enable provisioning.
5. After receiving a successful test, select Save.
6. (Optional) Configure additional Mappings and provisioning Settings. 

Step 3: Map user attributes

1. Confirm that the mapping for each source object is enabled. Note: These should be enabled by default after the successful provisioning test. 
2. Click on Provision Azure Active Directory Users to complete the following options: 
   • Enable/Disable the source object mapping
   • Under Source Object Scope, set the scoping filters for the object record queries that will be initiated for each provisioning cycle.
   • Under Target Object Actions, select the target object actions in scope for each provisioning cycle (Create/Update/Delete). 
   • Under Attribute Mappings, define how attributes are synchronized between Azure AD and the Lattice SCIM app.
3. To ensure the Attribute Mappings are aligned to Lattice attributes, the following fields need to be removed from the mapping: 
   • preferredLanguage
   • mail
   • physicalDeliveryOfficeName
   • streetAddress
   • city
   • state
   • postalCode
   • country
   • mobile
   • facsimileTelephoneNumber
4. Find and click on the field mailNickname. 
5. Change the source attribute to objectID.
6. Set the Matching precedence to 2.
7. Click Save.

Note: Once this is complete, the userPrincipalName will be set as matching precedence “1” and objectId will be set as matching precedence “2”. This ensures a secondary matching precedence can be used to match user records from Azure objectId attribute to Lattice externalId attribute if no matches are found using the primary matching precedence of Azure userPrincipalName attribute to Lattice’s userName attribute.

Next, add additional user attribute mappings or continue to turn on provisioning in Azure.