Azure AD B2C SCIM Connector Features

The EmpowerID Azure AD B2C Connector supports real-time synchronization of user data between EmpowerID and Azure AD B2C, ensuring consistent and up-to-date information across both platforms. This enhancement contributes to a more secure environment and a better user experience for customers. The connector is designed as a microservice and provides the following capabilities:

Create and Manage Users in Azure AD B2C: This function facilitates the creation and management of user records in Azure AD B2C.
Group Management: Manages records of B2C group owners and members.
Full Inventory: Maintains a comprehensive inventory of users, group owners, and members in Azure AD B2C.
Incremental Inventory: Captures only changes in users, group owners, and members since the last inventory to optimize performance.

Supported Operations by SCIM Microservice

The SCIM microservice for Azure AD B2C exposes multiple endpoints that facilitate identity management tasks and data synchronization between Azure AD B2C and other systems supporting SCIM. Below are the specific operations and their corresponding endpoints:

Operation	Description	End Point

Operation	Description	End Point
Get User	Retrieve a user by their ID	GET /v1.0/users/{Id}
Query Users	Retrieve users based on filters supported by the Graph API.	GET /v1.0/users?filter={filter}&count={pageSize}
Query Users Paged	Retrieve users with pagination support to the filters mentioned earlier.	GET /v1.0/users/EIDExtension/Paged?filter={filter}&count={pageSize}&skipToken={skipToken}
Get Deleted Users	Retrieve deleted users in a specified time range.	GET /v1.0/users/EIDExtension/Deleted?Filter=AuditLogStartTime eq {startTime} and AuditLogEndTime eq {endTime}
Get New or Updated Users	Retrieve users that have been updated or created within a specified time range.	GET /v1.0/users/EIDExtension/NewOrUpdated?Filter=AuditLogStartTime eq {startTime} and AuditLogEndTime eq {endTime}
Update User	Update a user detail by their ID.	PUT /v1.0/users/{Id}
Create User	Create a user account.	POST /v1.0/users
Delete User	Delete a user Account.	Delete /v1.0/users/{Id}
Password reset	Reset user password.	POST /v1.0/users/EIDExtension/PasswordResetRequest
Get group	Retrieve a group based on the group ID.	GET /v1.0/groups/{Id}
Query groups	Retrieve groups based on filters supported by the Graph API.	GET /v1.0/groups?filter={filter}&count={pageSize}
Query Groups Paged	Retrieve groups with pagination support and filters.	GET /v1.0/groups/EIDExtension/Paged?filter={filter}&count={pageSize}&skipToken={skipToken}
Get New or Updated Groups	Retrieve groups that have been updated or created within a specified time range.	GET /v1.0/groups/EIDExtension/NewOrUpdated?Filter=AuditLogStartTime eq {startTime} and AuditLogEndTime eq {endTime}
Update Group	Update a group by its ID.	PUT /v1.0/groups/{Id}
Create Group	Create a new group.	POST /v1.0/groups
Delete Group	Delete a group.	Delete /v1.0/groups/{Id}
Get Group Members	Retrieve the members of a group by its ID.	GET /v1.0/groups/EIDExtension/MemberQuery/{Id}
Get Group Owners	Retrieve the owners of a group by the ID.	GET /v1.0/groups/EIDExtension/OwnerQuery/{Id}
Add/Remove Members or Owners to a Group	Add or remove members or owners to/from a group.	PATCH /v1.0/groups/{Id}
Get Deleted Groups	Get groups that have been deleted within a specified time range	GET /v1.0/groups/EIDExtension/Deleted?Filter=AuditLogStartTime eq {startTime} and AuditLogEndTime eq {endTime}

Inventory

The Azure AD B2C Connector offers two types of inventory processes, which are standard in every EmpowerID connector:

Incremental Inventory: Monitors the LastTimeStamp of the previous inventory run and imports only the changes in user and group identity data since then.
Full Inventory: Conducts a complete inventory of all Azure B2C users and groups each time the inventory job is executed.

Additional Inventory Jobs

Apart from the standard inventory jobs, the B2C connector includes additional jobs that gather important information about group ownership and membership within the B2C tenant. These jobs create JSON documents that are securely stored in the AzureJsonInbox table:

GroupOwnershipFullInventory: Collects information about group owners for all groups in the B2C tenant and creates JSON documents containing group ownership details.
[ { "groupId": "<group Object ID>", "owners": [ { "id": "<Owner account Object ID>", "type": "<user/group/serviceaccount>" } // ... ] } // ... ]
GroupMembershipFullInventory: Gathers information about group memberships for all groups in the B2C tenant and creates JSON documents containing group membership details.

[ { "groupId": "<group Object ID>", "members": [ { "id": "<member account Object ID>", "type": "<user/group/serviceaccount>" } // ... ] } // ... ]

Attribute Mappings

User Attributes

As part of the inventory process for AzureAD B2C and EmpowerID, user accounts from Azure AD B2C are treated as accounts within the EmpowerID system. TThe following table shows how Azure AD B2C user attributes map to corresponding EmpowerID account attributes:

Azure AD B2C Attribute	EmpowerID Attribute	Description

Azure AD B2C Attribute	EmpowerID Attribute	Description
['urn:ietf:params:scim:schemas:azureAdB2C:2.0:UserProfile'].['identities'][?(@.signInType=='userName')].['issuerAssignedId']	UserName	The user's username for sign-in.
['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['manager'].['value']	Manager	The user's manager's ID.
['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].department	Department	The user's department within the organization.
['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].employeeNumber	EmployeeID	The user's employee identification number.
addresses[?(@.type=='work')].formatted	OfficeLocation	The user's office location or address.
addresses[?(@.type=='work')].postalCode	ZipCode	The postal code of the user's office location.
addresses[?(@.type=='work')].streetAddress	StreetAddress	The street address of the user's office location.
city	City	The user's city.
companyName	Company	The user's company name.
country	Country	The user's country.
displayName	DisplayName	The user's display name.
emails[?(@.type=='work')].value	Email	The user's work email address.
externalId	Alias	An external alias or identifier for the user.
name.familyName	LastName	The user's last name.
name.givenName	FirstName	The user's first name.
name.honorificSuffix	GeneratonalSuffix	A generational suffix in the user's name.
name.middleName	MiddleName	The user's middle name.
phoneNumbers[?(@.type=='fax')].value	Fax	The user's fax number.
phoneNumbers[?(@.type=='home')].value	HomePhone	The user's home phone number.
phoneNumbers[?(@.type=='mobile')].value	MobileNumber	The user's mobile phone number.
phoneNumbers[?(@.type=='other')].value	Telephone	Another telephone number associated with the user.
phoneNumbers[?(@.type=='work')].value	BusinessPhone	The user's business phone number.
photos[?(@.type=='work')].value	PhotoURL	The URL to the user's work photo.
preferredLanguage	PreferredLanguage	The user's preferred language.
profileUrl	AboutMe	Information about the user's profile.
state	State	The user's state or region.
title	JobTitle	The user's job title.
userName	LogonName
userType	EmployeeType	The type of employee (e.g., full-time, part-time).

Group Attributes

As part of the AzureAD B2C and EmpowerID inventory process, group accounts from Azure AD B2C are treated as groups within the EmpowerID system. The following table shows how Azure AD B2C group attributes map to corresponding EmpowerID group attributes:

Azure AD B2C Attribute	EmpowerID Attribute	Description

Azure AD B2C Attribute	EmpowerID Attribute	Description
description	Description	The description or additional information about the group.
displayName	DisplayName	The display name of the group.
externalID	Alias	An external identifier or alias associated with the group.
GroupType	groupType	The type or category of the group.
members	Members	Members of the group.
owners	Owners	Owners or administrators of the group.
ownersToAdd	ownersToAdd	Owners to be added to the group.
ownersToRemove	ownersToRemove	Owners to be removed from the group.

Role Attributes

As part of the AzureAD B2C and EmpowerID inventory process, roles from Azure AD B2C are treated as roles within the EmpowerID system. The following table shows how Azure AD B2C role attributes map to corresponding EmpowerID role attributes:

Azure AD B2C Attribute	EmpowerID Attribute	Description

Azure AD B2C Attribute	EmpowerID Attribute	Description
description	Description	The description or additional of the role.
displayName	FriendlyName	The friendly or display name of the role.
externalId	Alias	An external identifier or alias associated with the role.
Name	Name	The name of the role.
ParentID	ParentPath	The parent identifier of the role entity within a hierarchical structure.

Location Attributes

As part of the Azure AD B2C and EmpowerID inventory process, locations from Azure AD B2C are treated as Business Roles and Locations (BRL) within the EmpowerID system. The following table shows how Azure AD B2C location attributes map to corresponding EmpowerID BRL attributes:


description	Description	A textual or descriptive information about the location, providing details about what it represents.
displayName	FriendlyName	It typically refers to the name or label that is displayed for this location.
externalId	Alias	An identifier used to reference the location in an external system or context.
Name	Name	The name or identifier of the location.
ParentID	ParentPath	If this location is part of a hierarchical structure, the ParentID would typically reference the identifier of the parent location.

IN THIS ARTICLE