Sync users and groups from Microsoft Entra ID using SCIM
Cedar.AI supports System for Cross-domain Identity Management (SCIM) to automatically provision and de-provision users and groups from Microsoft Entra ID (formerly Azure Active Directory). This lets you manage user access to Cedar.AI centrally in your identity provider.
Prerequisites
- Cedar.AI Admin Access: You must be able to log in to the Cedar.AI Admin Portal to retrieve client credentials.
- Azure AD Admin Access: You need permissions to create Enterprise Applications in your Microsoft Entra ID tenant.
Configuration Steps
1. Create an Enterprise Application in Azure
- Log in to the Microsoft Entra Admin Center.
- Navigate to Identity > Applications > Enterprise applications.
- Click New application.
- Click Create your own application.
- Enter a name for your application (e.g., “Cedar.AI SCIM”).
- Select Integrate any other application you don’t find in the gallery (Non-gallery).
- Click Create.
2. Configure Provisioning
- In your newly created application, go to the Provisioning blade in the left menu.
- Click Get started.
- Set the Provisioning Mode to Automatic.
3. Admin Credentials
Cedar.AI authenticates SCIM requests with the OAuth 2.0 Client Credentials grant, so the provisioning connector needs the token endpoint plus a client identifier and secret rather than a static bearer token. Expand the Admin Credentials section and enter the following values:
- Tenant URL: replace <your_tenant_id> with your Azure Tenant ID.
- Authentication Method: select OAuth 2.0 Client Credentials Grant if your connector offers it; otherwise follow the authentication workflow Azure prompts for.
You will need the following from the Cedar.AI Admin Portal:
- Token Endpoint: https://auth.accounts-dev.cedarai.com/oauth2/token
- Client Identifier: obtain from the Admin Portal
- Client Secret: obtain from the Admin Portal
Treat the client secret as a credential that grants full user and group management in your Cedar.AI tenant: store it only in the Entra provisioning configuration and rotate it if it is ever exposed.
4. Test Connection and Save
- Click Test Connection to ensure Azure can communicate with the Cedar.AI SCIM endpoint.
- Once the test passes, click Save.
5. Assign Users and Groups
Azure AD only provisions users and groups that are explicitly assigned to the application.
- Go to the Users and groups blade for your application.
- Click Add user/group.
- Select the users and groups you want to sync to Cedar.AI.
- Groups: Assigning a group provisions the group itself and its direct members. Nested groups are not supported by the standard SCIM connector (flattening may be required).
- Users: Users must be assigned directly or through a group to be provisioned.
- Click Assign.
6. Start Provisioning
- Under Mappings, review the user and group attribute mappings to ensure they align with your requirements.
- Go back to the Provisioning overview.
- Set the Provisioning Status to On.
- Click Save.
Important Considerations
- Scope: By default, Azure AD provisions only assigned users and groups. Leave Scope set to "Sync only assigned users and groups" in the Provisioning settings unless you intend to provision your entire directory into Cedar.AI.
- De-provisioning: When a user is unassigned from the application or disabled in Azure AD, a SCIM disable (soft delete) request is sent to Cedar.AI and the user loses access once that request is processed. Azure AD sends these changes on its regular provisioning cycle (roughly every 40 minutes), not at the moment of the change; use Provision on demand on the application's Provisioning page when a single user must be removed sooner.
- Group Updates: Renaming a group in Azure AD updates the group name in Cedar.AI. Removing a user from a group in Azure AD removes them from the corresponding group in Cedar.AI; this does not by itself disable the user if they remain assigned to the application directly or through another group.
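The two things an administrator most often wants to verify by hand are what Test Connection (step 4) checks, that the client credentials yield a token the SCIM endpoint accepts, and the de-provisioning behaviour above, that an unassigned user's record is now inactive. The script below is an added example, not Cedar.AI's or Microsoft's code. It assumes the token endpoint accepts a standard RFC 6749 client-credentials request with HTTP Basic client authentication, and it reads the Tenant URL and the client credentials from environment variables whose names (SCIM_TENANT_URL, CEDAR_CLIENT_ID, CEDAR_CLIENT_SECRET) are chosen for this example; the SAMPLE_* responses in it are constructed, not captured from Cedar.AI.

```python
"""Manual check of the Cedar.AI SCIM connection (added example, not vendor code).

Assumed: the token endpoint accepts an RFC 6749 section 4.4 client-credentials
request with HTTP Basic client authentication, and the SCIM base URL (the
Tenant URL from step 3, whose exact form this page does not show) is supplied
in SCIM_TENANT_URL.  SAMPLE_* bodies are constructed for the offline self-check.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://auth.accounts-dev.cedarai.com/oauth2/token"  # from this page
SCIM_LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def _sample_list(active):
    """Constructed SCIM ListResponse with one user (not real Cedar.AI data)."""
    return json.dumps({"schemas": [SCIM_LIST_SCHEMA], "totalResults": 1,
                       "Resources": [{"id": "c0ffee", "userName": "alice@example.com",
                                      "active": active}]})


SAMPLE_TOKEN_RESPONSE = '{"access_token": "sample.access.token", "token_type": "Bearer", "expires_in": 3600}'
SAMPLE_DISABLED_USER = _sample_list(False)
SAMPLE_ACTIVE_USER = _sample_list(True)


def client_credentials_request(client_id, client_secret, scope=None):
    """Headers and form body for the client-credentials grant. The client id and
    secret travel in an HTTP Basic header, never in the URL or in logs."""
    cred = f"{client_id}:{client_secret}".encode()
    headers = {"Authorization": "Basic " + base64.b64encode(cred).decode(),
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return headers, urllib.parse.urlencode(form).encode()


def parse_token_response(body):
    """Extract the bearer token; refuse OAuth error objects and non-bearer tokens."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"token endpoint error: {data['error']}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError("expected token_type=Bearer")
    return data["access_token"]


def scim_filter_users_url(base_url, user_name):
    """GET /Users?filter=userName eq "<name>" (RFC 7644 section 3.4.2.2);
    backslashes and double quotes in the value are escaped per the filter grammar."""
    escaped = user_name.replace("\\", "\\\\").replace('"', '\\"')
    query = urllib.parse.urlencode({"filter": f'userName eq "{escaped}"'})
    return f"{base_url.rstrip('/')}/Users?{query}"


def user_is_deprovisioned(list_response_body, user_name):
    """True if every matching record has active == false (or no record exists);
    a missing 'active' attribute is treated as still active, the safe direction."""
    data = json.loads(list_response_body)
    schemas = data.get("schemas", [])
    if SCIM_ERROR_SCHEMA in schemas:
        raise RuntimeError(f"SCIM error {data.get('status')}: {data.get('detail')}")
    if SCIM_LIST_SCHEMA not in schemas:
        raise RuntimeError("not a SCIM ListResponse")
    matches = [u for u in data.get("Resources", []) if u.get("userName") == user_name]
    return all(u.get("active") is False for u in matches)


def _http(method, url, headers, body=None):
    """Return (status, body) and surface 4xx/5xx bodies instead of raising,
    so SCIM error details reach the caller."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def fetch_token(client_id, client_secret):
    headers, body = client_credentials_request(client_id, client_secret)
    _, raw = _http("POST", TOKEN_ENDPOINT, headers, body)
    return parse_token_response(raw)


def check_user(base_url, token, user_name):
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    _, raw = _http("GET", scim_filter_users_url(base_url, user_name), headers)
    return user_is_deprovisioned(raw, user_name)


if __name__ == "__main__":
    # Usage: SCIM_TENANT_URL=... CEDAR_CLIENT_ID=... CEDAR_CLIENT_SECRET=... python scim_check.py alice@example.com
    if "SCIM_TENANT_URL" in os.environ:
        token = fetch_token(os.environ["CEDAR_CLIENT_ID"], os.environ["CEDAR_CLIENT_SECRET"])
        for name in sys.argv[1:]:
            state = "deprovisioned" if check_user(os.environ["SCIM_TENANT_URL"], token, name) else "STILL ACTIVE"
            print(f"{name}: {state}")
    else:  # offline self-check against the constructed samples
        assert parse_token_response(SAMPLE_TOKEN_RESPONSE) == "sample.access.token"
        assert user_is_deprovisioned(SAMPLE_DISABLED_USER, "alice@example.com")
        assert not user_is_deprovisioned(SAMPLE_ACTIVE_USER, "alice@example.com")
        print("offline self-check passed; set SCIM_TENANT_URL to query Cedar.AI")
```

Run it once before Test Connection to separate credential problems (a token error) from endpoint problems (a SCIM error body), and again after the provisioning cycle that follows an unassignment: a user still reported as active at that point was either never assigned to the application or is still a member of another assigned group.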