Set up SCIM provisioning with Microsoft Azure AD, now renamed to Microsoft Entra ID.
Note: Lattice does not have an official integration with Microsoft Azure/Entra. These are guidelines to help you if you wish to create a custom integration.
Having a custom Microsoft Azure/Entra integration with Lattice allows you to automatically configure Microsoft to send user profile updates to Lattice using SCIM. The supported features include:
- Create Users: When a user is created or activated in Entra, they will automatically be created or reactivated in Lattice.
- Update User Attributes: When a user attribute is changed in Entra, the corresponding user profile in Lattice will automatically be updated.
- Deactivate Users: When a user is deactivated or disabled in Entra, the corresponding user in Lattice will automatically be deactivated.
The SCIM API can be enabled on the integrations page by navigating to Admin > Settings > Platform > Integrations > Enable SCIM.
Before you start
As this is a custom integration, there are limitations: some fields will not be synced, and some extra steps are needed to create the connection:
- The API token must be generated by a Lattice superadmin. IT Admin permissions are not sufficient to generate an API key with SCIM permissions.
- If you want to deactivate users, append ?aadOptscim062020 to your SCIM tenant URL, for example https://api.latticehq.com/scim/v2?aadOptscim062020. Note that aadOptscim062020 is specific to Entra; do not append it if you are using another SCIM provider.
- Lattice’s SCIM API does not yet support SCIM Groups, SCIM Bulk Updates, Entra patch or filter options in attribute mapping.
- Mapping to the default Job Architecture fields and Compensation fields is currently not available.
- In order to map the manager field, follow these steps.
- Some default attributes contain filters and will need to be removed.
- Learn more about known issues for application provisioning in Microsoft Entra ID
Create a Custom Enterprise Application in Microsoft Entra
- In the Entra portal, go to Microsoft Entra ID.
- On the left panel, go to Enterprise applications > All applications > click New application.
- Click + Create your own application.
- Enter the name of your app (e.g. Lattice SCIM).
- Under What are you looking to do with your application, select Integrate any other application you don't find in the gallery (Non-gallery).
- Select Create.
- Under Getting Started, follow step 1, Assign users and groups.
Enable provisioning for the custom Lattice SCIM application
Once user and group records have been assigned to the custom Lattice SCIM application, you can proceed to provision user accounts.
- While still on your custom Lattice application page, navigate to Provisioning > click Get started.
- Click on the Provisioning Mode dropdown and select the desired option:
  - Manual: user and group entities are pushed to Lattice only when you sync manually.
  - Automatic (recommended): user and group entities are pushed to Lattice every 45 minutes.
- If automatic provisioning is enabled, you must enter the following Lattice SCIM API details:
  - Tenant URL: https://api.latticehq.com/scim/v2 (append ?aadOptscim062020 if you also want to deactivate users)
  - EMEA Tenant URL: https://api.emea.latticehq.com/scim/v2 (append ?aadOptscim062020 if you also want to deactivate users)
  - Secret Token: your Lattice API key. SCIM must be enabled, and the key is shown only once, so paste it into Entra and store it in a secure place straight away. This key must be generated by a Lattice superadmin.
- Select Test Connection to ensure the credentials are authorized to enable provisioning.
- After receiving a successful test, select Save.
- Select Start Provisioning.
- (Optional) Configure additional Mappings and provisioning Settings.
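A pre-flight check for the tenant URL and API key entered above, added here as example code (not Lattice's or Microsoft's own): it sends the same kind of GET /Users probe that Test Connection performs, and builds the request URL without breaking the Entra-only ?aadOptscim062020 query flag, which a naive "/Users" append would corrupt. It assumes the key is supplied in the LATTICE_API_KEY environment variable and that a 401/403 response means the key lacks SCIM access; both are assumptions, not statements from the page.

```python
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

ENTRA_FLAG = "aadOptscim062020"  # Entra-only query flag from the page


def scim_resource_url(tenant_url: str, resource: str, **params: str) -> str:
    """Join a SCIM resource onto the tenant URL, keeping any query string intact
    (naively appending "/Users" to ".../v2?aadOptscim062020" would corrupt it)."""
    parts = urllib.parse.urlsplit(tenant_url)
    path = parts.path.rstrip("/") + "/" + resource.lstrip("/")
    extra = urllib.parse.urlencode(params)
    query = "&".join(q for q in (parts.query, extra) if q)
    return urllib.parse.urlunsplit((parts.scheme, parts.netloc, path, query, ""))


def uses_entra_flag(tenant_url: str) -> bool:
    """True if the Entra-only deactivation flag is present in the tenant URL."""
    return ENTRA_FLAG in urllib.parse.urlsplit(tenant_url).query.split("&")


def verdict(status: int) -> str:
    """Translate the probe's HTTP status into an admin-readable result (assumed mapping)."""
    if status == 200:
        return "OK: token is authorized for SCIM"
    if status in (401, 403):
        return "REJECTED: generate the key as a Lattice superadmin with SCIM enabled"
    return f"UNEXPECTED: HTTP {status}; check SCIM is enabled and the tenant URL is right"


def check_token(tenant_url: str, token: str, timeout: float = 10.0) -> tuple[int, str]:
    """Send the kind of probe Entra's Test Connection makes: GET a single user."""
    req = urllib.request.Request(
        scim_resource_url(tenant_url, "Users", count="1"),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/scim+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:  # 401/403 etc. arrive as exceptions
        status = err.code
    return status, verdict(status)


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "https://api.latticehq.com/scim/v2"
    key = os.environ.get("LATTICE_API_KEY") or sys.exit("set LATTICE_API_KEY first")
    code, message = check_token(url, key)  # the key itself is never printed
    print(f"{code} {message} (Entra flag present: {uses_entra_flag(url)})")
```

Run it once with the freshly generated key before pasting the key into Entra, since the key cannot be viewed again afterwards.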
Next, map your user attributes, add additional user attribute mappings or continue to turn on provisioning in Microsoft Entra ID.