Set up SCIM provisioning with Microsoft Azure AD, now renamed to Microsoft Entra ID.
Note: Lattice does not have an official integration with Azure. These are guidelines to help you if you wish to create a custom integration.
A custom Azure integration with Lattice lets you configure Azure to push user profile changes to Lattice over SCIM. The supported features are:
- Create Users: When a user is created or activated in Azure, they will automatically be created or reactivated in Lattice.
- Update User Attributes: When a user attribute is changed in Azure, the corresponding user profile in Lattice will automatically be updated.
- Deactivate Users: When a user is deactivated or disabled in Azure, the corresponding user in Lattice will automatically be deactivated.
The SCIM API can be enabled on the integrations page by navigating to Admin > Settings > Platform > Integrations > Enable SCIM.
Before you start
Because this is a custom integration, there are limitations: some fields will not be synced, and a few extra steps are needed to create the connection:
- If you want to deactivate users, be sure to append your SCIM tenant URL with aadOptscim062020. For example, https://api.latticehq.com/scim/v2?aadOptscim062020. Please note that aadOptscim062020 is specific to Azure. Please do not append this if you are using another SCIM provider.
- Lattice’s SCIM API does not yet support SCIM Groups, SCIM Bulk Updates, Azure patch or filter options in attribute mapping.
- Mapping to the default Job Architecture fields and Compensation fields is currently not available.
- In order to map the manager field, follow these steps.
- Some default attributes contain filters and will need to be removed.
- Learn more about known issues for application provisioning in Azure Active Directory
Create a Custom Enterprise Application in Azure
- In the Azure portal, go to Microsoft Entra ID.
- On the left panel, go to Enterprise applications > All applications > click New application.
- Click + Create your own application.
- Enter a name for your app (e.g. Lattice SCIM).
- Under What are you looking to do with your application, select Integrate any other application you don't find in the gallery (Non-gallery).
- Select Create.
- Under Getting Started, complete step 1, Assign users and groups. Only assigned users and groups are provisioned, so assign the smallest set that needs Lattice access.
Enable provisioning for the custom Lattice SCIM application
Once user and group records have been assigned to the custom Lattice SCIM application, you can proceed to provision user accounts.
- While still on your custom Lattice application page, navigate to Provisioning > click Get started.
- Click on the Provisioning Mode dropdown and select the desired option.
- Manual: User and group entities are pushed to Lattice only when you run a sync manually
- Automatic (recommended): User and group entities are pushed to Lattice on the Azure provisioning schedule, roughly every 40 minutes
- If automatic provisioning is enabled, you must enter the following Lattice SCIM API details:
- Tenant URL: https://api.latticehq.com/scim/v2 (append ?aadOptscim062020 if you also want to deactivate users)
- EMEA Tenant URL: https://api.emea.latticehq.com/scim/v2 (append ?aadOptscim062020 if you also want to deactivate users)
- Secret Token: the Lattice API key generated on the Integrations page (SCIM must be enabled first). The key is shown only once, so paste it into Azure straight away and keep a copy in a secrets manager. Anyone holding the key can create, update and deactivate Lattice users, so treat it like a password and rotate it if it is ever exposed.
- Select Test Connection to ensure the credentials are authorized to enable provisioning.
- After receiving a successful test, select Save.
- Select Start Provisioning.
- (Optional) Configure additional Mappings and provisioning Settings.
Next, map your user attributes, add additional user attribute mappings or continue to turn on provisioning in Azure.
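Before pasting values into the provisioning page, it is worth checking the tenant URL and the key outside the portal: the Azure-only `aadOptscim062020` flag is easy to forget (or to copy into a non-Azure provider), and the limitations listed under Before you start are exactly what a SCIM server advertises on its `/ServiceProviderConfig` resource. The script below is an added example for this article, not Lattice's or Microsoft's code. It runs offline against a constructed stub of the endpoint; the stub's responses and the `GOOD_KEY` placeholder are assumptions, and the real endpoint's answers are authoritative.

```python
"""Pre-flight checks for a custom Azure AD / Entra ID -> Lattice SCIM connection.

Added example for this article; not Lattice's or Microsoft's code. It runs
offline against a constructed stub of the SCIM endpoint. To run it for real,
replace `stub_transport` with a function that performs the HTTPS request
(e.g. with urllib.request) and returns (status, body).
"""
from __future__ import annotations

import json
from typing import Callable
from urllib.parse import urlsplit

# Tenant URLs given in the article. The query flag is Azure-specific.
TENANT_URLS = {
    "us": "https://api.latticehq.com/scim/v2",
    "emea": "https://api.emea.latticehq.com/scim/v2",
}
AZURE_FLAG = "aadOptscim062020"

# (method, url, headers) -> (http status, response body)
Transport = Callable[[str, str, dict[str, str]], tuple[int, bytes]]


def build_tenant_url(region: str, provider: str, deactivate: bool) -> str:
    """Tenant URL to paste into the provisioning page for the given region."""
    base = TENANT_URLS[region.lower()]
    if provider.lower() == "azure" and deactivate:
        return f"{base}?{AZURE_FLAG}"
    return base


def validate_tenant_url(url: str, provider: str, deactivate: bool) -> list[str]:
    """Return the problems found with a tenant URL (empty list: looks right)."""
    problems: list[str] = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("tenant URL must be https: the API key travels as a bearer token")
    if parts.netloc not in {urlsplit(u).netloc for u in TENANT_URLS.values()}:
        problems.append(f"unexpected host {parts.netloc!r}; expected a Lattice SCIM host")
    has_flag = AZURE_FLAG in parts.query.split("&")
    is_azure = provider.lower() == "azure"
    if is_azure and deactivate and not has_flag:
        problems.append(f"append ?{AZURE_FLAG} or Azure will not deactivate users in Lattice")
    if not is_azure and has_flag:
        problems.append(f"{AZURE_FLAG} is Azure-specific; remove it for {provider}")
    return problems


def auth_headers(api_key: str) -> dict[str, str]:
    """The key goes in the Authorization header as a bearer token, nowhere else."""
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/scim+json"}


def check_service_provider_config(transport: Transport, tenant_url: str, api_key: str) -> dict:
    """Ask the endpoint what it supports (RFC 7644 /ServiceProviderConfig) before
    starting provisioning, so unsupported features surface here rather than as
    failed sync cycles. The Azure flag is stripped: it is not part of the path."""
    base = tenant_url.split("?", 1)[0].rstrip("/")
    status, body = transport("GET", f"{base}/ServiceProviderConfig", auth_headers(api_key))
    if status == 401:
        return {"ok": False, "reason": "token rejected: is SCIM enabled and is this the current API key?"}
    if status != 200:
        return {"ok": False, "reason": f"unexpected HTTP {status} from ServiceProviderConfig"}
    cfg = json.loads(body)
    caps = {k: bool(cfg.get(k, {}).get("supported", False)) for k in ("patch", "bulk", "filter")}
    # The article lists bulk and filter as unsupported; flag each missing capability
    # so the attribute mappings can avoid relying on it.
    warnings = [f"endpoint does not advertise SCIM {k} support" for k, ok in caps.items() if not ok]
    return {"ok": True, "capabilities": caps, "warnings": warnings}


# --- constructed stub standing in for the Lattice endpoint (not real responses) ---
GOOD_KEY = "lattice-api-key-from-integrations-page"  # placeholder, not a real key


def stub_transport(method: str, url: str, headers: dict[str, str]) -> tuple[int, bytes]:
    if headers.get("Authorization") != f"Bearer {GOOD_KEY}":
        return 401, b'{"detail":"unauthorized"}'
    if method == "GET" and url.endswith("/ServiceProviderConfig"):
        # Illustrative values only; the real endpoint's answer is authoritative.
        config = {
            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
            "patch": {"supported": True},
            "bulk": {"supported": False},
            "filter": {"supported": False},
        }
        return 200, json.dumps(config).encode()
    return 404, b""


if __name__ == "__main__":
    url = build_tenant_url("us", "azure", deactivate=True)
    print(url, validate_tenant_url(url, "azure", deactivate=True))
    print(check_service_provider_config(stub_transport, url, GOOD_KEY))
```

Run it once with the key you intend to paste into Azure: a 401 here means Select Test Connection in the portal will fail too, and the warnings list tells you which SCIM features the attribute mappings must not depend on.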