Register a service principal for the Azure AD SCIM Microservice

To access resources secured by your Azure AD tenant, the Azure AD SCIM microservice must be represented within the tenant by a security principal. The security principal is an application you create in your tenant to provide the authentication context the microservice needs to call the Microsoft Graph API.

To register a service principal for the microservice, you need to complete the following tasks:

  1. Generate a self-signed certificate in EmpowerID to authenticate EmpowerID to Azure using the service principal.

  2. Download the certificate to your machine.

  3. Create an application in Azure AD and associate it with the certificate you generated in EmpowerID.

Generate a self-signed certificate in EmpowerID

  1. On the navbar of the EmpowerID Web interface, expand Apps and Authentication > SSO Connections and select SSO Components.

  2. Select the Certificates tab and then click the Add button in the grid header.

     

  3. Select Generate Self-Signed Certificate.

     

  4. Enter the following information:

    • Certificate Owner – Leave empty

    • Prefer Local Machine Store – Leave empty

    • Subject Name – Enter something suitable to the purpose of the certificate, such as CN=AzureCertificate

    • Requires Password – Select this option; this adds a private key to the certificate

    • Certificate Password – Enter a password for the certificate

  5. Click Save to create the certificate.

 

Download the certificate in Base64 format

  1. From the Certificate Details page, return to the SSO Components page by clicking the Find Certificates breadcrumb.

  2. On the SSO Components page, select the Certificates tab and search for the certificate you just created.

     

  3. Click the Name link for the certificate to navigate to the View page for the certificate.

  4. On the View page for the certificate, click Export Certificate.

     

  5. Select the desired location in which to save the certificate and click Save.

 

Register a service principal for the Azure AD microservice in Azure

  1. In Azure, navigate to your Azure Active Directory.

  2. On the Azure Active Directory navbar, click App registrations.

  3. On the App registrations page, click New registration.

     

  4. Name the application, select the supported account types (single or multitenant), and click Register.

  5. Once the application is registered, copy the Application (client) ID and Directory (tenant) ID from the Overview page. These values are used later.

     

  6. Navigate to the Certificates & secrets blade for the application, select the Certificates tab and click Upload certificate.

     

  7. Select the Base64-encoded certificate you downloaded from EmpowerID and click Add.

The public key certificate that you upload to Azure must have a corresponding private key in the EmpowerID certificate store; otherwise, an error will occur when calling Azure’s API.
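To confirm that the file you exported from EmpowerID is the certificate Azure now holds, you can compute its thumbprint locally and compare it with the thumbprint listed for the uploaded certificate on the Certificates & secrets blade. The following is an added example, not EmpowerID or Microsoft code; it assumes the export is a Base64 (PEM) X.509 certificate, the function names are hypothetical, and the sample bytes are a constructed stand-in rather than a real certificate.

```python
import base64
import hashlib
import re
import sys

# Matches PEM blocks such as CERTIFICATE or RSA PRIVATE KEY.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def load_der(text):
    """Return DER bytes from a Base64 export, with or without BEGIN/END lines."""
    blocks = PEM_BLOCK.findall(text)
    # The file uploaded to Azure should carry the public certificate only.
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("export contains a private key; do not upload it")
    if blocks:
        certs = [body for label, body in blocks if label == "CERTIFICATE"]
        if len(certs) != 1:
            raise ValueError("expected exactly one CERTIFICATE block")
        body = certs[0]
    else:
        body = text  # bare Base64 without PEM armor
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der or der[0] != 0x30:  # X.509 DER begins with an ASN.1 SEQUENCE
        raise ValueError("decoded data is not DER-encoded ASN.1")
    return der

def thumbprint(der):
    """SHA-1 over the DER bytes as upper-case hex (certificate thumbprint form)."""
    return hashlib.sha1(der).hexdigest().upper()

# Constructed stand-in: a tiny ASN.1 SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Pass the path of the exported certificate; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("Thumbprint:", thumbprint(load_der(text)))
```

A mismatch between the local thumbprint and the one shown in Azure means a different certificate was uploaded than the one whose private key EmpowerID holds.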


Next Steps

Create an App Service for the SCIM microservice

Configure SCIM App Service Authentication

Publish the SCIM Microservice to Azure

Set Permissions for the SCIM Managed Identity

Connect EmpowerID to Azure Active Directory
