After setting up Azure and publishing the EmpowerID SCIM microservice to your Azure tenant, you need to connect EmpowerID to the tenant to bring the user and group information in that tenant into EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. Once connected, you can manage this data from EmpowerID in the following ways:

  • Account Management

    • Inventory Azure AD user accounts

    • Create, Update and Delete Azure AD user accounts

    • Enable and Disable Azure AD user accounts

    • Update passwords for Azure AD user accounts

  • Group Management

    • Inventory Azure AD groups

    • Inventory Azure AD group memberships

    • Create and Delete Azure AD groups

    • Add and Remove members to and from Azure AD groups

  • Attribute Flow
    Users in Azure AD are inventoried as accounts in EmpowerID, which are then linked to EmpowerID Person objects. The table below shows the mappings of Azure AD user attributes to EmpowerID Person attributes.

Azure AD Attribute | Corresponding EmpowerID Attribute | Description
--- | --- | ---
Name | Name | Name of the user
name.familyName | LastName | Last name of the user
name.givenName | FirstName | First name of the user
name.middleName | MiddleName | Middle name of the user
displayName | FriendlyName | Display Name of the user
name.honorificSuffix | GenerationalSuffix | 
title | Title | Title of the user
email[?(@type=='work')].value | Email | Work email address of the user
['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['department'] | Department | Department of the user
['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['EmployeeNumber'] | EmployeeID | Employee ID of the user
addresses[?(@.type=='work')].streetAddress | StreetAddress | Street address of the user
addresses[?(@.type=='work')].locality | City | City in which the user resides or works
addresses[?(@.type=='work')].region | State | State in which the user resides or works
addresses[?(@.type=='work')].country | Country | Country of the user
addresses[?(@.type=='work')].postalCode | PostalCode | Postal code of the user
phoneNumbers[?(@.type=='home')].value | HomeTelephone | Home telephone of the user
preferredLanguage | PreferredLanguage | Preferred language of the user
phoneNumbers[?(@.type=='other')].value | Telephone | Telephone number for the person
phoneNumbers[?(@.type=='fax')].value | Fax | Fax number for the person
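
As an added example (not code from this page or from EmpowerID), the Python below evaluates the table's JSONPath-style expressions against a constructed SCIM 2.0 User resource and returns the EmpowerID Person attributes that would be populated, showing what inventory pulls from a user and what silently drops out when a filter or key does not match. It assumes the RFC 7643 attribute names for the email row (`emails`, `@.type`) and a case-sensitive JSON resource.

```python
import re
# Rows from the attribute flow table above (a copy for this example), as SCIM-side
# JSONPath-style expression -> EmpowerID Person attribute. 'emails'/'@.type' follow
# RFC 7643; the EmployeeNumber row is copied as written (the RFC spells it employeeNumber).
SCIM_TO_PERSON = {
    "name.familyName": "LastName",
    "name.givenName": "FirstName",
    "name.middleName": "MiddleName",
    "displayName": "FriendlyName",
    "emails[?(@.type=='work')].value": "Email",
    "['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['department']": "Department",
    "['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['EmployeeNumber']": "EmployeeID",
    "phoneNumbers[?(@.type=='fax')].value": "Fax",
}

# One path segment: optional '.', then ['quoted key'] or a bare name, optionally
# followed by a [?(@.attr=='literal')] filter over a multi-valued attribute.
SEGMENT = re.compile(r"\.?(?:\['([^']+)'\]|([A-Za-z_]\w*))"
                     r"(?:\[\?\(@\.(\w+)=='([^']*)'\)\])?")

def resolve(resource, path):
    """Evaluate one table expression on a parsed SCIM resource; None if no match."""
    node, pos = resource, 0
    while pos < len(path):
        m = SEGMENT.match(path, pos)
        if m is None or not isinstance(node, dict):
            return None  # unparseable segment, or descending into a non-object
        node = node.get(m.group(1) or m.group(2))
        if m.group(3) is not None:  # keep the first element whose attr == literal
            node = next((e for e in (node if isinstance(node, list) else [])
                         if isinstance(e, dict) and e.get(m.group(3)) == m.group(4)), None)
        pos = m.end()
    return node

def map_scim_user(resource):
    """Apply the attribute flow to one SCIM User, omitting attributes that resolve
    to nothing. JSON keys are case-sensitive, so the EmployeeNumber row yields no
    EmployeeID for a standard-cased resource: confirm the case your tenant emits."""
    return {attr: val for path, attr in SCIM_TO_PERSON.items()
            if (val := resolve(resource, path)) is not None}

SAMPLE_USER = {  # constructed SCIM 2.0 User (RFC 7643 shape), not real tenant data
    "displayName": "Jane Doe", "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "home", "value": "jane@example.net"},
               {"type": "work", "value": "jdoe@example.com", "primary": True}],
    "phoneNumbers": [{"type": "fax", "value": "+1-555-0100"}],
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "department": "Security", "employeeNumber": "E1001"},
}
```

Running `map_scim_user(SAMPLE_USER)` yields LastName, FirstName, FriendlyName, Email, Department and Fax; MiddleName is absent from the resource and EmployeeID is lost to the key-case mismatch, which is the kind of gap to check for after the first inventory run.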

Additionally, EmpowerID provides Provisioning policies or Resource Entitlements that allow you to automatically provision Azure AD user accounts for any person within your organization based on your policy requirements.

Note

To connect EmpowerID to Azure AD, the following prerequisites must be met:

  1. Your organization must have an Azure subscription with Azure Active Directory.

  2. You need to register an application for EmpowerID in Azure Active Directory by following the instructions outlined in the Registering an application for EmpowerID in Azure AD topic.

  3. You need to create an App Service in Azure by following the instructions outlined in the Creating an App Service in Azure topic.

  4. You need to publish the EmpowerID SCIM Microservice to your Azure tenant by following the instructions outlined in the Publishing the EmpowerID SCIM Microservice to Azure topic.

EmpowerID “Proxy” or Connection Account Requirements

EmpowerID uses highly privileged user accounts when connecting to user directories such as Azure Active Directory, LDAP or database systems. These user "account stores" use saved proxy accounts for connecting to these systems and performing user account management operations. EmpowerID requires one privileged account per domain or directory. This account requires all of the privileges matching the functions that EmpowerID may perform (user creation, deletion, password reset, group creation, etc.).

Step 1 – Create an account store for Azure AD

  1. On the navbar, expand Azure License Manager and select Configuration.

  2. Select the Tenants tab and click the Add button on the Tenant grid header.

  3. Enter the following information in the Tenant form that appears:

    • Account Store Name – Name of your tenant

    • Azure App Service URL – URL for the SCIM app service you created in Azure

    • Azure Application (Client) ID – Client ID of the service principal application you registered in Azure for EmpowerID

    • Azure Directory (Tenant) ID – Your Tenant ID

    • Azure App Certificate Thumbprint – Thumbprint of the certificate you uploaded to Azure for the service principal application

  4. Click Save.

EmpowerID creates the Azure AD account store and the associated resource system. The next step is to verify the resource system parameters match your tenant information.

Step 2 – Verify Resource System Parameters

  1. On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.

  2. Select the Account Stores tab and search for the Azure AD account store you just created.

  3. Click the Account Store link for the account store.

    This directs you to the Account Store and Resource System page for the account store. This page contains several tabs that you can use to view and manage the account store and its resource system.

  4. Select the Resource System tab and then expand the Configuration Parameters accordion on the page.

  5. Verify the following parameters are correct for your system:

    (Excerpt: Azure AD Account Store Configuration Parameters)

  6. To edit the value of a parameter, click the Edit button for that parameter.

  7. Enter the new value in the Value field and click Save.

  8. Repeat as needed.

Now that the Configuration Parameters have been updated, the next step is to configure Attribute Flow.

Step 3 – Configure Attribute Flow

(Excerpt: Configure Attribute Flow Rules-V21)

Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.

Step 4 – Configure Account Store Settings

  1. On the Account Store and Resource System Details page, select the Account Store tab and then click the Edit link to put the account store in edit mode.

    This opens the edit page for the account store. This page allows you to specify the proxy account used to connect EmpowerID to your Azure AD, as well as how you want EmpowerID to handle the user information it discovers in your Azure tenant during inventory. The settings relevant to the account store are described in the table below.

    (Excerpt: Azure AD Account Store Settings V21)

  2. Edit the account store as needed and then click Save to save your changes.

Step 5 – Enable the Account Inbox Permanent Workflow

  1. On the navbar, expand Infrastructure Admin > EmpowerID Server and Settings and select Permanent Workflows.

  2. On the Permanent Workflows page, click the Display Name link for Account Inbox.

  3. On the Permanent Workflow Details page that appears, click the pencil icon to put the workflow in edit mode.

  4. Check Enabled.

  5. Click Save to save your changes.

Step 6 – Enable Inventory on the Account Store

  1. Return to the Account Store Details page for the account store.

  2. Click the Edit link to put the account store in edit mode.

  3. Select the Inventory tab and check Inventory Enabled.

  4. Click Save.

Now that the Account Inbox Permanent Workflow is turned on and inventory for the account store is enabled, you can monitor the inventory of users and groups from the Users and Groups tabs of the Account Store Details page.
