Configuring user provisioning in the Microsoft Entra Portal

You can configure user provisioning in the Microsoft Entra Portal to synchronize users and groups automatically from the Microsoft Entra Portal to MaaS360®. The Microsoft Entra Portal is also where you view and manage a MaaS360 app that is configured for single sign-on in a directory, and where you manage automatic user account provisioning for MaaS360.

Before you begin

To configure user provisioning in the Microsoft Entra Portal, administrators must have a Premium subscription at the tenant level. For example, administrators must have a Microsoft Entra ID P1 or P2 license. For more information, see Microsoft Documentation.

Important: Microsoft Entra ID does not support automatic provisioning of nested groups.

Procedure

  1. Sign in to the Microsoft Entra Admin Centre with a Global Administrator account.
  2. Click Applications > Enterprise applications. A list of all configured apps is displayed, including the apps added from the gallery.
  3. Click New application > Create your own application.
  4. In the Create your own application section, configure the following.
    1. For the What's the name of your app? question, enter a suitable name for your user provisioning application.
    2. For the What are you looking to do with your application? question, select the Integrate any other application you don’t find in the gallery (Non-gallery) option, and then click Create.
    3. On the Overview page, click Get started.
  5. Go to the Overview (preview) page.
  6. Select Provisioning, then click New configuration or Connect your application.
    In the Admin credentials section, enter the following.
    • In the Tenant URL field, enter the URL that you copied from the MaaS360 Portal.
    • In the Secret Token field, enter the secret token that you copied from the MaaS360 Portal.
  7. Click Test Connection to connect the Tenant ID to the MaaS360 application.
    • If the connection is successful, a confirmation message is displayed stating that the credentials are authorized to enable user provisioning. Save the provisioning application.
    • If the connection fails, verify that the copied Tenant URL and Secret Token are correct and that the MaaS360 environment is up and running. If the error persists, contact IBM® Support.
    Important: The Mapping section is displayed only when the test connection is successful.
  8. Configure the Mappings section.
    1. Expand the Mappings section to view the Provision Microsoft Entra ID Groups and Provision Microsoft Entra ID Users options. For more information, see Microsoft Documentation.
      Note:
      • For Provision Microsoft Entra ID Groups, the mappings must be kept unchanged.
      • For Provision Microsoft Entra ID Users, you must review and adjust the mappings between the Microsoft Entra ID user attributes and the customappsso Attribute (MaaS360 user attributes).
    2. Click the Provision Microsoft Entra ID Users option. The Attribute Mappings page is displayed.
    3. In the Attribute Mappings section, click Edit for the mailNickname attribute.
    4. On the Edit Attribute page, select objectId from the Source attribute list, and then click Ok.
    5. For any attribute mapping that is not supported by MaaS360, click Delete next to the attribute to remove the mapping.
    6. Map the Microsoft Entra ID user attributes and the customappsso Attribute (MaaS360 user attributes) as shown in the following table:
      Customappsso Attribute                                                     Microsoft Entra ID Attribute                                 Matching precedence
      userName                                                                   userPrincipalName                                            1
      active                                                                     Switch([IsSoftDeleted], , "False", "True", "True", "False")
      title                                                                      jobTitle
      emails[type eq "work"].value                                               mail
      name.givenName                                                             givenName
      name.familyName                                                            surname
      name.formatted                                                             Join(" ", [givenName], [surname])
      addresses[type eq "work"].streetAddress                                    streetAddress
      addresses[type eq "work"].locality                                         city
      phoneNumbers[type eq "work"].value                                         telephoneNumber
      phoneNumbers[type eq "mobile"].value                                       mobile
      externalId                                                                 objectId
      urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber  employeeId
      urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department      department
      Important: Apart from the objectId and userName attributes, all other attribute mappings can be modified as needed. When the mapping changes, the user provisioning application initiates a full directory synchronization. Ensure that the correct attribute mappings are selected before initial provisioning.
    7. By default, the userName attribute is mapped to the userPrincipalName attribute. If a different mapping is required, follow the steps for the username format that you need.
      Option 1: Use the userPrincipalName prefix as the username (default mapping)
      The userName attribute is mapped to userPrincipalName, and users in MaaS360 are created with the userPrincipalName prefix as their unique identifier.
      Option 2: Use the full userPrincipalName as the unique identifier
      • In the Attribute Mappings section, click Edit corresponding to the userName attribute.
      • Change the Mapping Type to Expression.
      • Update the Expression field with the following value: Append(Append([userPrincipalName],"@"),Item(Split([userPrincipalName],"@"),2))
      • Click Save.
      Option 3: Use a different user attribute as the unique user identifier
      • In the Attribute Mappings section, click Edit corresponding to the userName attribute.
      • Select the required attribute as the Microsoft Entra ID Attribute.
      • Also map userPrincipalName so that this information is still provided to MaaS360, by following these steps.
        • Select Show advanced options in the Attribute Mappings section and click Edit attribute list for customappsso.
        • Add a new user attribute using the following format: urn:ietf:params:scim:schemas:extension:ibmmaas360:2.0:User:userPrincipalName
        • Click Save.
        • Go to the Add New Mapping section and map the newly created user attribute to userPrincipalName.
      • Click Save.
      Note: If the attribute value contains a domain value, you can also add an expression mapping to the user identifier attribute that appends the domain. For example: Append(Append([email],"@"),Item(Split([email],"@"),2)).
    8. Add an attribute mapping to synchronize user domain values. This step helps ensure that the user domain is aligned between the IBM MaaS360 portal and Microsoft Entra Portal.
      Important: You need to do this step only if the user domain in the IBM MaaS360 portal is different from the domain in the Microsoft Entra Portal.
      1. In the Attribute Mappings section, select the Show advanced options.
      2. Click Edit attribute list for customappsso and add a new user attribute using the following format: urn:ietf:params:scim:schemas:extension:ibmmaas360:2.0:User:userPrincipalName
      3. Click Save.
      4. Go to the Add New Mapping section and map the newly created user attribute to userPrincipalName.
      5. Click Save.
    9. (Optional) If a custom user attribute mapping is required, you must create a custom user attribute in the MaaS360 Portal and map it to a Microsoft Entra ID user attribute. For more information, see Creating custom user attribute and mapping.
    10. Click Save.
  9. Configure the Settings section.
    1. Expand the Settings section and select the Sync only assigned users and groups option in the Scope list.

      The selected option defines which users and groups are synchronized in MaaS360 from the Microsoft Entra Portal.

      Important:
      • Ensure that you assigned the users and groups in the Microsoft Entra Portal before configuring Scope. When you assign a group to an application, only users in the group have access. The assignment does not cascade to nested groups.
      • Ensure that you have a Microsoft Entra ID P1 or P2 license to assign specific users and groups for provisioning the application.
      • If you do not have a Microsoft Entra ID P1 or P2 license, select Sync all users and groups to synchronize all users and groups in MaaS360 from the Microsoft Entra Portal.
    2. Return to the Overview page of the user provisioning application that you created.
    3. Click Users and groups > Add user/group to assign users and groups.
    4. In the Add Assignment section, select None Selected for Users and groups.
    5. In the Users and groups page, search for the users or groups that you want to assign to the application, and then click Select.
    6. In the Add Assignment section, click Assign to assign the users or groups to the application.
  10. Return to the Overview page of the user provisioning application that you created.
  11. Click Provisioning in the left navigation pane. The provisioning overview page is displayed with the user provisioning details.
  12. Set the Provisioning Status toggle to On.
  13. Click Save.
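The following script is an added illustration, not IBM or Microsoft code, of what the mapping table and username options in step 8 produce. It re-implements the Microsoft Entra expression functions used on this page (Append, Split, Item, Join, Switch) with their documented semantics, applies the table to a constructed sample Entra user, and assembles the SCIM 2.0 User document that the provisioning service would send to the MaaS360 endpoint. The function names (map_user, username_option1, username_option2), the sample user values and the Python-side helper semantics are assumptions made for the example; the attribute names and extension URNs are taken from the procedure.

```python
"""Added example (not IBM's or Microsoft's code): apply the step 8 mapping
table to a constructed Entra user and build the resulting SCIM 2.0 User.

The helpers re-implement the Microsoft Entra expression functions from the
table (Append, Split, Item, Join, Switch) with their documented semantics.
Attribute names and extension URNs come from the table and steps 8.7/8.8.
"""
import json

# --- Entra expression-language helpers, re-implemented for illustration ----

def Append(source, suffix):
    """Append(source, suffix): concatenate suffix to source."""
    return f"{source}{suffix}"

def Split(source, delimiter):
    """Split(source, delimiter): split source into a list of substrings."""
    return source.split(delimiter)

def Item(items, index):
    """Item(list, index): Entra indexes from 1, unlike Python."""
    return items[index - 1]

def Join(separator, *sources):
    """Join(separator, source1, source2, ...): empty sources are skipped."""
    return separator.join(s for s in sources if s)

def Switch(source, default, *pairs):
    """Switch(source, default, key1, value1, ...): value of the matching key."""
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if source == key:
            return value
    return default

# --- Schema URNs: enterprise extension from the table, ibmmaas360 from 8.8 ---
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
MAAS360_EXT = "urn:ietf:params:scim:schemas:extension:ibmmaas360:2.0:User"

def username_option1(entra):
    """Option 1 (default): userName <- userPrincipalName; MaaS360 keeps the prefix."""
    return entra["userPrincipalName"]

def username_option2(entra):
    """Option 2 expression from step 8.7:
    Append(Append([userPrincipalName],"@"),Item(Split([userPrincipalName],"@"),2))
    so the whole UPN, not only its prefix, becomes the MaaS360 identifier."""
    upn = entra["userPrincipalName"]
    return Append(Append(upn, "@"), Item(Split(upn, "@"), 2))

def map_user(entra, username_expr=username_option1, upn_extension=False):
    """Apply the step 8 mapping table to one Entra user dict (hypothetical helper)."""
    scim = {
        "schemas": [CORE, ENTERPRISE],
        "userName": username_expr(entra),
        # Switch yields the strings "True"/"False"; SCIM 'active' is a boolean
        "active": Switch(entra["IsSoftDeleted"], None,
                         "False", "True", "True", "False") == "True",
        "title": entra["jobTitle"],
        "emails": [{"type": "work", "value": entra["mail"]}],
        "name": {
            "givenName": entra["givenName"],
            "familyName": entra["surname"],
            "formatted": Join(" ", entra["givenName"], entra["surname"]),
        },
        "addresses": [{"type": "work",
                       "streetAddress": entra["streetAddress"],
                       "locality": entra["city"]}],
        "phoneNumbers": [{"type": "work", "value": entra["telephoneNumber"]},
                         {"type": "mobile", "value": entra["mobile"]}],
        "externalId": entra["objectId"],
        ENTERPRISE: {"employeeNumber": entra["employeeId"],
                     "department": entra["department"]},
    }
    if upn_extension:  # step 8.8: carry the raw UPN when the domains differ
        scim["schemas"].append(MAAS360_EXT)
        scim[MAAS360_EXT] = {"userPrincipalName": entra["userPrincipalName"]}
    return scim

# Constructed sample Entra user (not taken from any real tenant).
SAMPLE_ENTRA_USER = {
    "objectId": "00000000-0000-0000-0000-000000000001",
    "userPrincipalName": "jdoe@contoso.example",
    "mail": "jane.doe@contoso.example",
    "givenName": "Jane", "surname": "Doe", "jobTitle": "Security Engineer",
    "streetAddress": "1 Example Way", "city": "Springfield",
    "telephoneNumber": "+1 555 0100", "mobile": "+1 555 0101",
    "employeeId": "E1001", "department": "IT Security",
    "IsSoftDeleted": "False",   # not soft-deleted, so active must be true
}

if __name__ == "__main__":
    print(json.dumps(map_user(SAMPLE_ENTRA_USER), indent=2))
    print(json.dumps(map_user(SAMPLE_ENTRA_USER, username_option2, True), indent=2))
```

Running the script prints the default (Option 1) document and then the Option 2 document with the ibmmaas360 extension, which makes it easy to see why the Important note in step 8 warns that a mapping change triggers a full synchronization: every user's userName value changes shape when the expression changes.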

What to do next

Validate your provisioning settings
  1. Sign in to the Microsoft Entra Admin Centre with a Global Administrator account.
  2. Click Applications > Enterprise applications. A list of all configured apps is displayed, including the apps added from the gallery.
  3. Select your user provisioning application. The Overview page is displayed for the application.
  4. Click Provisioning in the left navigation pane. The provisioning overview page is displayed with the user provisioning details.
    You can check the status of user provisioning settings and view the user and group details that are assigned.
    • To edit or add other settings, select a specific option in the Manage provisioning section based on your requirement.
    • To view the provision intervals and other details, expand the required field in the Statistics to date section.
Monitor your deployment
When you have configured user provisioning, use these Microsoft resources to monitor your deployment:
  • Use the provisioning logs to see which users are provisioned successfully or unsuccessfully.
  • Check the progress bar to see the status of the user provisioning cycle and how close it is to completion.
  • If the user provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. For more information, see here.