Azure AD B2C SCIM Connector Features

The EmpowerID Azure AD B2C Connector supports real-time synchronization of user data between EmpowerID and Azure AD B2C, ensuring consistent and up-to-date information across both platforms. This enhancement contributes to a more secure environment and a better user experience for customers. The connector is designed as a microservice and provides the following capabilities:

  • Create and Manage Users in Azure AD B2C: This function facilitates the creation and management of user records in Azure AD B2C.

  • Group Management: Manages records of B2C group owners and members.

  • Full Inventory: Maintains a comprehensive inventory of users, group owners, and members in Azure AD B2C.

  • Incremental Inventory: Captures only changes in users, group owners, and members since the last inventory to optimize performance.

Supported Operations by SCIM Microservice

The SCIM microservice for Azure AD B2C exposes multiple endpoints that facilitate identity management tasks and data synchronization between Azure AD B2C and other systems supporting SCIM. Below are the specific operations and their corresponding endpoints:

| Operation | Description | Endpoint |
|---|---|---|
| Get User | Retrieve a user by their ID. | GET /v1.0/users/{Id} |
| Query Users | Retrieve users based on filters supported by the Graph API. | GET /v1.0/users?filter={filter}&count={pageSize} |
| Query Users Paged | Retrieve users with pagination support, using the filters mentioned above. | GET /v1.0/users/EIDExtension/Paged?filter={filter}&count={pageSize}&skipToken={skipToken} |
| Get Deleted Users | Retrieve users deleted within a specified time range. | GET /v1.0/users/EIDExtension/Deleted?Filter=AuditLogStartTime eq {startTime} and AuditLogEndTime eq {endTime} |
| Get New or Updated Users | Retrieve users created or updated within a specified time range. | GET /v1.0/users/EIDExtension/NewOrUpdated?Filter=AuditLogStartTime eq {startTime} and AuditLogEndTime eq {endTime} |
| Update User | Update a user's details by their ID. | PUT /v1.0/users/{Id} |
| Create User | Create a user account. | POST /v1.0/users |
| Delete User | Delete a user account. | DELETE /v1.0/users/{Id} |
| Password Reset | Reset a user's password. | POST /v1.0/users/EIDExtension/PasswordResetRequest |
| Get Group | Retrieve a group by its ID. | GET /v1.0/groups/{Id} |
| Query Groups | Retrieve groups based on filters supported by the Graph API. | GET /v1.0/groups?filter={filter}&count={pageSize} |
| Query Groups Paged | Retrieve groups with pagination support and filters. | GET /v1.0/groups/EIDExtension/Paged?filter={filter}&count={pageSize}&skipToken={skipToken} |
| Get New or Updated Groups | Retrieve groups created or updated within a specified time range. | GET /v1.0/groups/EIDExtension/NewOrUpdated?Filter=AuditLogStartTime eq {startTime} and AuditLogEndTime eq {endTime} |
| Update Group | Update a group by its ID. | PUT /v1.0/groups/{Id} |
| Create Group | Create a new group. | POST /v1.0/groups |
| Delete Group | Delete a group by its ID. | DELETE /v1.0/groups/{Id} |
| Get Group Members | Retrieve the members of a group by its ID. | GET /v1.0/groups/EIDExtension/MemberQuery/{Id} |
| Get Group Owners | Retrieve the owners of a group by its ID. | GET /v1.0/groups/EIDExtension/OwnerQuery/{Id} |
| Add/Remove Members or Owners | Add members or owners to a group, or remove them from it. | PATCH /v1.0/groups/{Id} |
| Get Deleted Groups | Retrieve groups deleted within a specified time range. | GET /v1.0/groups/EIDExtension/Deleted?Filter=AuditLogStartTime eq {startTime} and AuditLogEndTime eq {endTime} |
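The following Python example is added here to show how a client of the microservice would build the time-window filter used by the Deleted and NewOrUpdated endpoints and walk the Paged endpoint with skipToken. It is not EmpowerID code. The base URL, the ISO-8601 UTC timestamp rendering, the callback-based transport, and the response shape (a Resources list plus an optional skipToken) are assumptions, since the page lists endpoints but not response bodies. The paged walk keeps a bound on page count and rejects a repeated token so that a faulty or misbehaving service cannot spin an inventory job indefinitely.

```python
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, Optional
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://scim.example.invalid"  # placeholder base URL (assumed, not from the page)


def audit_window_filter(start: datetime, end: datetime) -> str:
    """Build the 'AuditLogStartTime eq ... and AuditLogEndTime eq ...' filter used by
    the Deleted and NewOrUpdated endpoints. ISO-8601 UTC rendering is an assumption;
    the page does not state the timestamp format the service expects."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("audit window timestamps must be timezone-aware")
    if end <= start:
        raise ValueError("audit window end must be after start")

    def fmt(t: datetime) -> str:
        return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    return f"AuditLogStartTime eq {fmt(start)} and AuditLogEndTime eq {fmt(end)}"


def new_or_updated_users_url(start: datetime, end: datetime) -> str:
    """URL for GET /v1.0/users/EIDExtension/NewOrUpdated with a URL-encoded Filter."""
    query = urlencode({"Filter": audit_window_filter(start, end)})
    return f"{BASE_URL}/v1.0/users/EIDExtension/NewOrUpdated?{query}"


def paged_users_url(filter_expr: str, page_size: int, skip_token: Optional[str] = None) -> str:
    """URL for GET /v1.0/users/EIDExtension/Paged; skipToken is only sent when present."""
    params = {"filter": filter_expr, "count": page_size}
    if skip_token:
        params["skipToken"] = skip_token
    return f"{BASE_URL}/v1.0/users/EIDExtension/Paged?{urlencode(params)}"


def iter_paged_users(fetch: Callable[[str], Dict], filter_expr: str,
                     page_size: int = 100, max_pages: int = 1000) -> Iterator[Dict]:
    """Yield users across pages, following skipToken until the service stops returning one.
    The response shape ('Resources' list plus optional 'skipToken') is assumed.
    A repeated token or more than max_pages pages aborts the walk instead of looping forever."""
    token: Optional[str] = None
    seen = set()
    for _ in range(max_pages):
        page = fetch(paged_users_url(filter_expr, page_size, token))
        yield from page.get("Resources", [])
        token = page.get("skipToken")
        if not token:
            return
        if token in seen:
            raise RuntimeError("service repeated a skipToken; aborting paged walk")
        seen.add(token)
    raise RuntimeError(f"exceeded {max_pages} pages without exhausting results")


# Constructed sample window and pages used by the demo below (not real data).
SAMPLE_START = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_END = datetime(2024, 1, 2, tzinfo=timezone.utc)
_DEMO_PAGES = {
    None: {"Resources": [{"id": "u1"}, {"id": "u2"}], "skipToken": "page2"},
    "page2": {"Resources": [{"id": "u3"}]},
}


def _demo_fetch(url: str) -> Dict:
    """Stand-in transport: returns the constructed page matching the skipToken in the URL."""
    token = parse_qs(urlparse(url).query).get("skipToken", [None])[0]
    return _DEMO_PAGES[token]


def collect_demo_users():
    """Walk the constructed pages and return every user returned across them."""
    return list(iter_paged_users(_demo_fetch, "userType eq 'Member'", page_size=2))


def demo_loop_is_detected() -> bool:
    """Show the guard: a transport that always returns the same token is rejected."""
    try:
        list(iter_paged_users(lambda url: {"Resources": [], "skipToken": "same"}, "x"))
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(new_or_updated_users_url(SAMPLE_START, SAMPLE_END))
    print([u["id"] for u in collect_demo_users()])
```

Pass a real HTTP call (with the service's authentication) as the fetch argument; the filter value is always URL-encoded by urlencode, so spaces and quotes in a Graph-style filter reach the service intact.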

Inventory

The Azure AD B2C Connector offers two types of inventory processes, which are standard in every EmpowerID connector:

  • Incremental Inventory: Monitors the LastTimeStamp of the previous inventory run and imports only the changes in user and group identity data since then.

  • Full Inventory: Conducts a complete inventory of all Azure B2C users and groups each time the inventory job is executed.

Additional Inventory Jobs

Apart from the standard inventory jobs, the B2C connector includes additional jobs that gather important information about group ownership and membership within the B2C tenant. These jobs create JSON documents that are securely stored in the AzureJsonInbox table:

  • GroupOwnershipFullInventory: Collects information about group owners for all groups in the B2C tenant and creates JSON documents containing group ownership details:

    [
      {
        "groupId": "<group Object ID>",
        "owners": [
          { "id": "<Owner account Object ID>", "type": "<user/group/serviceaccount>" }
          // ...
        ]
      }
      // ...
    ]

  • GroupMembershipFullInventory: Gathers information about group memberships for all groups in the B2C tenant and creates JSON documents containing group membership details:

    [
      {
        "groupId": "<group Object ID>",
        "members": [
          { "id": "<member account Object ID>", "type": "<user/group/serviceaccount>" }
          // ...
        ]
      }
      // ...
    ]
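Because both inventory jobs emit documents of the same shape, one parser serves both. The Python example below is added here and is not EmpowerID code: it validates a GroupOwnershipFullInventory or GroupMembershipFullInventory document against the structure shown above and diffs two snapshots so an operator can see which principals gained or lost group ownership or membership between runs. The sample documents and object IDs are constructed placeholders; how the documents are read from the AzureJsonInbox table is outside the example.

```python
import json
from typing import Dict, Set, Tuple

Principal = Tuple[str, str]  # (object ID, type)
VALID_TYPES = {"user", "group", "serviceaccount"}


def parse_inventory(doc: str, relation: str) -> Dict[str, Set[Principal]]:
    """Parse one inventory document into {groupId: {(id, type), ...}}.
    relation is 'owners' (GroupOwnershipFullInventory) or 'members'
    (GroupMembershipFullInventory). Malformed entries raise instead of being
    skipped, so a truncated or tampered document cannot pass as 'no change'."""
    if relation not in ("owners", "members"):
        raise ValueError("relation must be 'owners' or 'members'")
    data = json.loads(doc)
    if not isinstance(data, list):
        raise ValueError("inventory document must be a JSON array of groups")
    result: Dict[str, Set[Principal]] = {}
    for entry in data:
        gid = entry.get("groupId") if isinstance(entry, dict) else None
        if not gid:
            raise ValueError(f"group entry without groupId: {entry!r}")
        principals: Set[Principal] = set()
        for p in entry.get(relation, []):
            if not isinstance(p, dict) or not p.get("id") or p.get("type") not in VALID_TYPES:
                raise ValueError(f"malformed {relation[:-1]} in group {gid}: {p!r}")
            principals.add((p["id"], p["type"]))
        result[gid] = principals
    return result


def diff_inventories(previous, current):
    """Return {groupId: {'added': set, 'removed': set}} for every group whose
    principal set changed, including groups that are new or have disappeared."""
    changes = {}
    for gid in set(previous) | set(current):
        before, after = previous.get(gid, set()), current.get(gid, set())
        added, removed = after - before, before - after
        if added or removed:
            changes[gid] = {"added": added, "removed": removed}
    return changes


# Constructed sample documents (placeholder object IDs, not real tenant data).
PREVIOUS_OWNERS_DOC = json.dumps([
    {"groupId": "g-1", "owners": [{"id": "u-1", "type": "user"}, {"id": "u-2", "type": "user"}]},
    {"groupId": "g-2", "owners": [{"id": "sa-1", "type": "serviceaccount"}]},
])
CURRENT_OWNERS_DOC = json.dumps([
    {"groupId": "g-1", "owners": [{"id": "u-1", "type": "user"}, {"id": "u-3", "type": "user"}]},
    {"groupId": "g-2", "owners": [{"id": "sa-1", "type": "serviceaccount"}]},
    {"groupId": "g-3", "owners": [{"id": "grp-9", "type": "group"}]},
])


def demo_owner_changes():
    """Diff the two constructed ownership snapshots."""
    return diff_inventories(parse_inventory(PREVIOUS_OWNERS_DOC, "owners"),
                            parse_inventory(CURRENT_OWNERS_DOC, "owners"))


def rejects_unknown_type() -> bool:
    """A principal type outside user/group/serviceaccount is rejected, not ignored."""
    bad = json.dumps([{"groupId": "g", "owners": [{"id": "x", "type": "robot"}]}])
    try:
        parse_inventory(bad, "owners")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for gid, change in sorted(demo_owner_changes().items()):
        print(gid, "added:", sorted(change["added"]), "removed:", sorted(change["removed"]))
```

For membership documents, call parse_inventory with relation "members"; the diff logic is identical. Surfacing the added set for owners is the part worth alerting on, since a new group owner can change that group's membership afterwards.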

Attribute Mappings

User Attributes

As part of the inventory process for Azure AD B2C and EmpowerID, user accounts from Azure AD B2C are treated as accounts within the EmpowerID system. The following table shows how Azure AD B2C user attributes map to the corresponding EmpowerID account attributes:

| Azure AD B2C Attribute | EmpowerID Attribute | Description |
|---|---|---|
| ['urn:ietf:params:scim:schemas:azureAdB2C:2.0:UserProfile'].['identities'][?(@.signInType=='userName')].['issuerAssignedId'] | UserName | The user's username for sign-in. |
| ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['manager'].['value'] | Manager | The ID of the user's manager. |
| ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].department | Department | The user's department within the organization. |
| ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].employeeNumber | EmployeeID | The user's employee identification number. |
| addresses[?(@.type=='work')].formatted | OfficeLocation | The user's office location or address. |
| addresses[?(@.type=='work')].postalCode | ZipCode | The postal code of the user's office location. |
| addresses[?(@.type=='work')].streetAddress | StreetAddress | The street address of the user's office location. |
| city | City | The user's city. |
| companyName | Company | The user's company name. |
| country | Country | The user's country. |
| displayName | DisplayName | The user's display name. |
| emails[?(@.type=='work')].value | Email | The user's work email address. |
| externalId | Alias | An external alias or identifier for the user. |
| name.familyName | LastName | The user's last name. |
| name.givenName | FirstName | The user's first name. |
| name.honorificSuffix | GenerationalSuffix | A generational suffix in the user's name. |
| name.middleName | MiddleName | The user's middle name. |
| phoneNumbers[?(@.type=='fax')].value | Fax | The user's fax number. |
| phoneNumbers[?(@.type=='home')].value | HomePhone | The user's home phone number. |
| phoneNumbers[?(@.type=='mobile')].value | MobileNumber | The user's mobile phone number. |
| phoneNumbers[?(@.type=='other')].value | Telephone | Another telephone number associated with the user. |
| phoneNumbers[?(@.type=='work')].value | BusinessPhone | The user's business phone number. |
| photos[?(@.type=='work')].value | PhotoURL | The URL of the user's work photo. |
| preferredLanguage | PreferredLanguage | The user's preferred language. |
| profileUrl | AboutMe | Information about the user's profile. |
| state | State | The user's state or region. |
| title | JobTitle | The user's job title. |
| userName | LogonName | |
| userType | EmployeeType | The type of employee (e.g., full-time, part-time). |
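The left-hand column uses a JSONPath-style notation: bracketed schema URNs, dotted keys, and `[?(@.type=='work')]` filters that pick one element of a multi-valued SCIM attribute. The Python example below is added here to show how such expressions are resolved against a SCIM user document; it is not EmpowerID's mapping engine, only a small evaluator for the subset of syntax the table uses. The sample user is constructed with placeholder values, and the mapping dictionary reproduces the table above.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# One token per step of the path expressions used in the mapping table.
_TOKEN = re.compile(r"""
      \.?\['(?P<qkey>[^']*)'\]                           # ['quoted key'], e.g. a schema URN
    | \[\?\(@\.(?P<fkey>\w+)=='(?P<fval>[^']*)'\)\]      # [?(@.key=='value')] array filter
    | \.?(?P<key>\w+)                                    # plain key, optionally after a dot
""", re.VERBOSE)


def parse_path(expr: str) -> List[Tuple[str, ...]]:
    """Tokenise a mapping expression into ('key', name) and ('filter', name, value) steps."""
    steps, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported path syntax at {pos}: {expr[pos:]!r}")
        if m.group("qkey") is not None:
            steps.append(("key", m.group("qkey")))
        elif m.group("fkey") is not None:
            steps.append(("filter", m.group("fkey"), m.group("fval")))
        else:
            steps.append(("key", m.group("key")))
        pos = m.end()
    return steps


def evaluate(doc: Any, expr: str) -> Optional[Any]:
    """Walk the SCIM document along the path; a filter selects the first matching
    array element. Any missing key, missing match or type mismatch yields None."""
    cur = doc
    for step in parse_path(expr):
        if step[0] == "key":
            if not isinstance(cur, dict):
                return None
            cur = cur.get(step[1])
        else:
            if not isinstance(cur, list):
                return None
            cur = next((e for e in cur if isinstance(e, dict) and e.get(step[1]) == step[2]), None)
        if cur is None:
            return None
    return cur


_ENT = "['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']"
_B2C = "['urn:ietf:params:scim:schemas:azureAdB2C:2.0:UserProfile']"
USER_MAPPINGS = {  # SCIM path -> EmpowerID account attribute, as listed in the table
    f"{_B2C}.['identities'][?(@.signInType=='userName')].['issuerAssignedId']": "UserName",
    f"{_ENT}.['manager'].['value']": "Manager",
    f"{_ENT}.department": "Department",
    f"{_ENT}.employeeNumber": "EmployeeID",
    "addresses[?(@.type=='work')].formatted": "OfficeLocation",
    "addresses[?(@.type=='work')].postalCode": "ZipCode",
    "addresses[?(@.type=='work')].streetAddress": "StreetAddress",
    "city": "City", "companyName": "Company", "country": "Country", "displayName": "DisplayName",
    "emails[?(@.type=='work')].value": "Email", "externalId": "Alias",
    "name.familyName": "LastName", "name.givenName": "FirstName",
    "name.honorificSuffix": "GenerationalSuffix", "name.middleName": "MiddleName",
    "phoneNumbers[?(@.type=='fax')].value": "Fax", "phoneNumbers[?(@.type=='home')].value": "HomePhone",
    "phoneNumbers[?(@.type=='mobile')].value": "MobileNumber",
    "phoneNumbers[?(@.type=='other')].value": "Telephone",
    "phoneNumbers[?(@.type=='work')].value": "BusinessPhone",
    "photos[?(@.type=='work')].value": "PhotoURL", "preferredLanguage": "PreferredLanguage",
    "profileUrl": "AboutMe", "state": "State", "title": "JobTitle",
    "userName": "LogonName", "userType": "EmployeeType",
}


def map_user(scim_user: Dict[str, Any]) -> Dict[str, Any]:
    """Apply every mapping; attributes absent from the SCIM document are left out."""
    mapped = {eid: evaluate(scim_user, path) for path, eid in USER_MAPPINGS.items()}
    return {k: v for k, v in mapped.items() if v is not None}


# Constructed sample SCIM user (placeholder values, not from a real tenant).
SAMPLE_USER = {
    "userName": "jdoe@contoso.example", "externalId": "ext-123", "displayName": "Jane Doe",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "home", "value": "jane@home.example"}, {"type": "work", "value": "jane@contoso.example"}],
    "phoneNumbers": [{"type": "mobile", "value": "+1 555 0100"}],
    "addresses": [{"type": "work", "formatted": "Building 1", "postalCode": "12345"}],
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"department": "Security", "manager": {"value": "mgr-1"}},
    "urn:ietf:params:scim:schemas:azureAdB2C:2.0:UserProfile": {"identities": [
        {"signInType": "emailAddress", "issuerAssignedId": "jane@contoso.example"},
        {"signInType": "userName", "issuerAssignedId": "jdoe"}]},
}

if __name__ == "__main__":
    for k, v in sorted(map_user(SAMPLE_USER).items()):
        print(f"{k}: {v}")
```

Note that the UserName mapping resolves to the identity whose signInType is userName, so a user who only has an emailAddress identity yields no UserName at all; the evaluator returns None rather than falling back to another identity, which keeps the mapped account from silently acquiring a different sign-in name.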

Group Attributes

As part of the Azure AD B2C and EmpowerID inventory process, groups from Azure AD B2C are treated as groups within the EmpowerID system. The following table shows how Azure AD B2C group attributes map to the corresponding EmpowerID group attributes:

| Azure AD B2C Attribute | EmpowerID Attribute | Description |
|---|---|---|
| description | Description | The description or additional information about the group. |
| displayName | DisplayName | The display name of the group. |
| externalID | Alias | An external identifier or alias associated with the group. |
| GroupType | groupType | The type or category of the group. |
| members | Members | Members of the group. |
| owners | Owners | Owners or administrators of the group. |
| ownersToAdd | ownersToAdd | Owners to be added to the group. |
| ownersToRemove | ownersToRemove | Owners to be removed from the group. |

Role Attributes

As part of the Azure AD B2C and EmpowerID inventory process, roles from Azure AD B2C are treated as roles within the EmpowerID system. The following table shows how Azure AD B2C role attributes map to the corresponding EmpowerID role attributes:

| Azure AD B2C Attribute | EmpowerID Attribute | Description |
|---|---|---|
| description | Description | The description or additional information about the role. |
| displayName | FriendlyName | The friendly or display name of the role. |
| externalId | Alias | An external identifier or alias associated with the role. |
| Name | Name | The name of the role. |
| ParentID | ParentPath | The identifier of the role's parent within a hierarchical structure. |

Location Attributes

As part of the Azure AD B2C and EmpowerID inventory process, locations from Azure AD B2C are treated as Business Roles and Locations (BRL) within the EmpowerID system. The following table shows how Azure AD B2C location attributes map to the corresponding EmpowerID BRL attributes:

| Azure AD B2C Attribute | EmpowerID Attribute | Description |
|---|---|---|
| description | Description | Descriptive text about the location, giving details about what it represents. |
| displayName | FriendlyName | The name or label displayed for this location. |
| externalId | Alias | An identifier used to reference the location in an external system or context. |
| Name | Name | The name or identifier of the location. |
| ParentID | ParentPath | If the location is part of a hierarchical structure, the identifier of its parent location. |