Azure AD B2C SCIM Connector Features
The EmpowerID Azure AD B2C Connector supports real-time synchronization of user data between EmpowerID and Azure AD B2C, ensuring consistent and up-to-date information across both platforms. This enhancement contributes to a more secure environment and a better user experience for customers. The connector is designed as a microservice and provides the following capabilities:
Create and Manage Users in Azure AD B2C: Creates and manages user records in Azure AD B2C.
Group Management: Manages records of B2C group owners and members.
Full Inventory: Maintains a comprehensive inventory of users, group owners, and members in Azure AD B2C.
Incremental Inventory: Captures only changes in users, group owners, and members since the last inventory to optimize performance.
Supported Operations by SCIM Microservice
The SCIM microservice for Azure AD B2C exposes multiple endpoints that facilitate identity management tasks and data synchronization between Azure AD B2C and other systems supporting SCIM. Below are the specific operations and their corresponding endpoints:
Operation | Description | End Point |
---|---|---|
Get User | Retrieve a user by their ID | GET /v1.0/users/{Id} |
Query Users | Retrieve users based on filters supported by the Graph API. | GET /v1.0/users?filter={filter}&count={pageSize} |
Query Users Paged | Retrieve users with pagination support, using the same filters as above. | GET /v1.0/users/EIDExtension/Paged?filter={filter}&count={pageSize}&skipToken={skipToken} |
Get Deleted Users | Retrieve deleted users in a specified time range. | GET /v1.0/users/EIDExtension/Deleted?Filter=AuditLogStartTime eq {startTime} and AuditLogEndTime eq {endTime} |
Get New or Updated Users | Retrieve users that have been updated or created within a specified time range. | GET /v1.0/users/EIDExtension/NewOrUpdated?Filter=AuditLogStartTime eq {startTime} and AuditLogEndTime eq {endTime} |
Update User | Update a user detail by their ID. | PUT /v1.0/users/{Id} |
Create User | Create a user account. | POST /v1.0/users |
Delete User | Delete a user account. | DELETE /v1.0/users/{Id} |
Password reset | Reset user password. | POST /v1.0/users/EIDExtension/PasswordResetRequest |
Get group | Retrieve a group based on the group ID. | GET /v1.0/groups/{Id} |
Query groups | Retrieve groups based on filters supported by the Graph API. | GET /v1.0/groups?filter={filter}&count={pageSize} |
Query Groups Paged | Retrieve groups with pagination support and filters. | GET /v1.0/groups/EIDExtension/Paged?filter={filter}&count={pageSize}&skipToken={skipToken} |
Get New or Updated Groups | Retrieve groups that have been updated or created within a specified time range. | GET /v1.0/groups/EIDExtension/NewOrUpdated?Filter=AuditLogStartTime eq {startTime} and AuditLogEndTime eq {endTime} |
Update Group | Update a group by its ID. | PUT /v1.0/groups/{Id} |
Create Group | Create a new group. | POST /v1.0/groups |
Delete Group | Delete a group. | DELETE /v1.0/groups/{Id} |
Get Group Members | Retrieve the members of a group by its ID. | GET /v1.0/groups/EIDExtension/MemberQuery/{Id} |
Get Group Owners | Retrieve the owners of a group by the ID. | GET /v1.0/groups/EIDExtension/OwnerQuery/{Id} |
Add/Remove Members or Owners to a Group | Add or remove members or owners to/from a group. | PATCH /v1.0/groups/{Id} |
Get Deleted Groups | Get groups that have been deleted within a specified time range | GET /v1.0/groups/EIDExtension/Deleted?Filter=AuditLogStartTime eq {startTime} and AuditLogEndTime eq {endTime} |
Inventory
The Azure AD B2C Connector offers two types of inventory processes, which are standard in every EmpowerID connector:
Incremental Inventory: Monitors the LastTimeStamp of the previous inventory run and imports only the changes in user and group identity data since then.
Full Inventory: Conducts a complete inventory of all Azure B2C users and groups each time the inventory job is executed.
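The incremental inventory described above and the four time-range ("Deleted" and "NewOrUpdated") endpoints in the operations table fit together: the previous run's LastTimeStamp becomes AuditLogStartTime and the current time becomes AuditLogEndTime. The following is an added example (not EmpowerID's code) that builds the correctly encoded request URLs for one incremental run; it assumes the service accepts UTC ISO 8601 timestamps, which the page does not state.

```python
from datetime import datetime, timezone
from urllib.parse import urlencode

# Assumption (not stated on the page): the service accepts UTC ISO 8601 timestamps.
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Delta endpoints from the operations table; all four take the same time-range filter.
DELTA_ENDPOINTS = {
    "users_new_or_updated": "/v1.0/users/EIDExtension/NewOrUpdated",
    "users_deleted": "/v1.0/users/EIDExtension/Deleted",
    "groups_new_or_updated": "/v1.0/groups/EIDExtension/NewOrUpdated",
    "groups_deleted": "/v1.0/groups/EIDExtension/Deleted",
}


def parse_ts(value: str) -> datetime:
    """Parse a UTC timestamp in TS_FORMAT; anything else raises ValueError."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def audit_filter(start: str, end: str) -> str:
    """Render the filter from the operations table, refusing an empty or inverted window."""
    if parse_ts(end) <= parse_ts(start):
        raise ValueError("AuditLogEndTime must be later than AuditLogStartTime")
    return f"AuditLogStartTime eq {start} and AuditLogEndTime eq {end}"


def incremental_urls(base_url: str, last_timestamp: str, now: str) -> dict:
    """Request URLs for one incremental run covering (last_timestamp, now].

    The caller should persist `now` as the new LastTimeStamp only after every
    request in the run succeeds, so a failed run is retried over the same
    window instead of silently skipping changes.
    """
    query = urlencode({"Filter": audit_filter(last_timestamp, now)})  # encodes spaces and colons
    return {name: f"{base_url.rstrip('/')}{path}?{query}" for name, path in DELTA_ENDPOINTS.items()}
```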
Additional Inventory Jobs
Apart from the standard inventory jobs, the B2C connector includes additional jobs that gather important information about group ownership and membership within the B2C tenant. These jobs create JSON documents that are securely stored in the AzureJsonInbox table:
GroupOwnershipFullInventory: Collects information about group owners for all groups in the B2C tenant and creates JSON documents containing group ownership details.
```json
[
  {
    "groupId": "<group Object ID>",
    "owners": [
      { "id": "<Owner account Object ID>", "type": "<user/group/serviceaccount>" }
      // ...
    ]
  }
  // ...
]
```
GroupMembershipFullInventory: Gathers information about group memberships for all groups in the B2C tenant and creates JSON documents containing group membership details.
```json
[
  {
    "groupId": "<group Object ID>",
    "members": [
      { "id": "<member account Object ID>", "type": "<user/group/serviceaccount>" }
      // ...
    ]
  }
  // ...
]
```
Attribute Mappings
User Attributes
As part of the inventory process for Azure AD B2C and EmpowerID, user accounts from Azure AD B2C are treated as accounts within the EmpowerID system. The following table shows how Azure AD B2C user attributes map to corresponding EmpowerID account attributes:
Azure AD B2C Attribute | EmpowerID Attribute | Description |
---|---|---|
['urn:ietf:params:scim:schemas:azureAdB2C:2.0:UserProfile'].['identities'][?(@.signInType=='userName')].['issuerAssignedId'] | UserName | The user's username for sign-in. |
['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['manager'].['value'] | Manager | The user's manager's ID. |
['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].department | Department | The user's department within the organization. |
['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].employeeNumber | EmployeeID | The user's employee identification number. |
addresses[?(@.type=='work')].formatted | OfficeLocation | The user's office location or address. |
addresses[?(@.type=='work')].postalCode | ZipCode | The postal code of the user's office location. |
addresses[?(@.type=='work')].streetAddress | StreetAddress | The street address of the user's office location. |
city | City | The user's city. |
companyName | Company | The user's company name. |
country | Country | The user's country. |
displayName | DisplayName | The user's display name. |
emails[?(@.type=='work')].value |  | The user's work email address. |
externalId | Alias | An external alias or identifier for the user. |
name.familyName | LastName | The user's last name. |
name.givenName | FirstName | The user's first name. |
name.honorificSuffix | GenerationalSuffix | A generational suffix in the user's name. |
name.middleName | MiddleName | The user's middle name. |
phoneNumbers[?(@.type=='fax')].value | Fax | The user's fax number. |
phoneNumbers[?(@.type=='home')].value | HomePhone | The user's home phone number. |
phoneNumbers[?(@.type=='mobile')].value | MobileNumber | The user's mobile phone number. |
phoneNumbers[?(@.type=='other')].value | Telephone | Another telephone number associated with the user. |
phoneNumbers[?(@.type=='work')].value | BusinessPhone | The user's business phone number. |
photos[?(@.type=='work')].value | PhotoURL | The URL to the user's work photo. |
preferredLanguage | PreferredLanguage | The user's preferred language. |
profileUrl | AboutMe | Information about the user's profile. |
state | State | The user's state or region. |
title | JobTitle | The user's job title. |
userName | LogonName |  |
userType | EmployeeType | The type of employee (e.g., full-time, part-time). |
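The left-hand column of this table is a JSONPath-style selector: bracketed schema URNs, dotted sub-attributes, and `[?(@.type=='work')]` filters that pick one element of a multi-valued attribute. As an added example (not EmpowerID's code), the resolver below handles exactly that syntax and applies a selection of the rows to a constructed SCIM User resource; the extra `emailAddress` identity in the sample shows why the filter step, not the first array element, must decide the value.

```python
import re
from typing import Any, Optional

# Subset of the JSONPath-style syntax the mapping table uses:
#   ['urn:...:2.0:User'].['manager'].['value']   bracketed keys
#   addresses[?(@.type=='work')].formatted        filter on an array element
#   name.givenName                                dotted keys
_TOKEN = re.compile(r"\['([^']+)'\]|\[\?\(@\.(\w+)=='([^']*)'\)\]|([^.\[\]]+)")

def resolve(doc: Any, path: str) -> Optional[Any]:
    """Walk `doc` along `path`; return None as soon as a step cannot be taken."""
    cur = doc
    for key, fkey, fval, plain in _TOKEN.findall(path):
        if fkey:  # filter step: first element whose attribute equals the literal
            cur = next((e for e in cur if isinstance(e, dict) and e.get(fkey) == fval), None) if isinstance(cur, list) else None
        else:  # key step, bracketed or plain
            cur = cur.get(key or plain) if isinstance(cur, dict) else None
        if cur is None:
            return None
    return cur

# A selection of rows from the user attribute table above (SCIM path -> EmpowerID attribute).
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
B2C_PROFILE = "urn:ietf:params:scim:schemas:azureAdB2C:2.0:UserProfile"
USER_MAPPING = {
    f"['{B2C_PROFILE}'].['identities'][?(@.signInType=='userName')].['issuerAssignedId']": "UserName",
    f"['{ENTERPRISE}'].['manager'].['value']": "Manager",
    "addresses[?(@.type=='work')].formatted": "OfficeLocation",
    "name.givenName": "FirstName",
    "name.familyName": "LastName",
    "phoneNumbers[?(@.type=='mobile')].value": "MobileNumber",
    "phoneNumbers[?(@.type=='fax')].value": "Fax",
    "userName": "LogonName",
}

def map_user(scim_user: dict) -> dict:
    """Translate one SCIM User resource into EmpowerID account attributes; unset paths are skipped."""
    return {attr: v for path, attr in USER_MAPPING.items() if (v := resolve(scim_user, path)) is not None}

# Constructed sample resource (not captured from a real tenant).
SAMPLE_USER = {
    "userName": "jdoe@contoso.example",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "addresses": [{"type": "home", "formatted": "1 Home St"}, {"type": "work", "formatted": "Bldg 7"}],
    "phoneNumbers": [{"type": "mobile", "value": "+1 555 0100"}],
    B2C_PROFILE: {"identities": [{"signInType": "emailAddress", "issuerAssignedId": "jdoe@contoso.example"},
                                 {"signInType": "userName", "issuerAssignedId": "jdoe"}]},
    ENTERPRISE: {"manager": {"value": "<manager Object ID>"}},
}
```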
Group Attributes
As part of the Azure AD B2C and EmpowerID inventory process, group accounts from Azure AD B2C are treated as groups within the EmpowerID system. The following table shows how Azure AD B2C group attributes map to corresponding EmpowerID group attributes:
Azure AD B2C Attribute | EmpowerID Attribute | Description |
---|---|---|
description | Description | The description or additional information about the group. |
displayName | DisplayName | The display name of the group. |
externalID | Alias | An external identifier or alias associated with the group. |
GroupType | groupType | The type or category of the group. |
members | Members | Members of the group. |
owners | Owners | Owners or administrators of the group. |
ownersToAdd | ownersToAdd | Owners to be added to the group. |
ownersToRemove | ownersToRemove | Owners to be removed from the group. |
Role Attributes
As part of the Azure AD B2C and EmpowerID inventory process, roles from Azure AD B2C are treated as roles within the EmpowerID system. The following table shows how Azure AD B2C role attributes map to corresponding EmpowerID role attributes:
Azure AD B2C Attribute | EmpowerID Attribute | Description |
---|---|---|
description | Description | The description or additional information about the role. |
displayName | FriendlyName | The friendly or display name of the role. |
externalId | Alias | An external identifier or alias associated with the role. |
Name | Name | The name of the role. |
ParentID | ParentPath | The parent identifier of the role entity within a hierarchical structure. |
Location Attributes
As part of the Azure AD B2C and EmpowerID inventory process, locations from Azure AD B2C are treated as Business Roles and Locations (BRL) within the EmpowerID system. The following table shows how Azure AD B2C location attributes map to corresponding EmpowerID BRL attributes:
Azure AD B2C Attribute | EmpowerID Attribute | Description |
---|---|---|
description | Description | Descriptive text about the location and what it represents. |
displayName | FriendlyName | The name or label displayed for this location. |
externalId | Alias | An identifier used to reference the location in an external system or context. |
Name | Name | The name or identifier of the location. |
ParentID | ParentPath | When the location is part of a hierarchy, the identifier of its parent location. |