You can configure user provisioning in the Microsoft Entra Portal to synchronize users and groups automatically from the Microsoft Entra Portal to MaaS360®. Use the Microsoft Entra Portal to view and manage a MaaS360 app that is configured for single sign-on in a directory. It helps manage automatic user account provisioning for MaaS360.
Before you begin
To configure user provisioning in the Microsoft Entra Portal, administrators must have a Premium subscription at the tenant level. For example, administrators must have a Microsoft Entra ID P1 or P2 license. For more information, see Microsoft Documentation.
Important: Microsoft Entra ID does not support automatic provisioning of nested groups.
Procedure
- Sign in to the Microsoft Entra Admin Centre with a Global Administrator account.
- Click . A list of all configured apps is displayed, including the apps added from the gallery.
- Click .
- In the Create your own application section, configure the following.
- For the What's the name of your app? question, enter a suitable name for your user provisioning application.
- Answer the What are you looking to do with your application? question by selecting the Integrate any other application you don't find in the gallery (Non-gallery) option, and then click Create.
- On the Overview page, click Get started.
- Go to the Overview (preview) page.
- Select Provisioning, then click New configuration or Connect your application.
On the Admin credentials page, enter the following.
- In the Tenant URL field, enter the URL that you copied from the MaaS360 Portal.
- In the Secret Token field, enter the secret token that you copied from the MaaS360 Portal.
- Click Test Connection to connect the Tenant ID to the MaaS360 application.
- If the connection is successful, a confirmation message is displayed that the credentials are authorized to enable user provisioning, and you can save the provisioning application.
- If the connection fails, verify that the copied Tenant URL and Secret Token are correct and that the MaaS360 environment is up and running. If the error persists, contact IBM® Support.
Important: The Mappings section is displayed only when the test connection is successful.
- Configure the Mappings section.
- Expand the Mappings section to view the Provision Microsoft Entra ID Groups and Provision Microsoft Entra ID Users options. For more information, see Microsoft Documentation.
Note:
- For Provision Microsoft Entra ID Groups, the mappings must be kept unchanged.
- For Provision Microsoft Entra ID Users, you must review and adjust the mappings between the Microsoft Entra ID user attributes and the customappsso Attribute (MaaS360 user attributes).
- Click the Provision Microsoft Entra ID Users option. The Attribute Mappings page is displayed.
- In the Attribute Mappings section, click Edit for the mailNickname attribute.
- On the Edit Attribute page, select objectId from the Source attribute list, and then click Ok.
- Click Delete corresponding to an attribute to delete any mapping attribute that is not supported by MaaS360.
- Map the Microsoft Entra ID user attributes and the customappsso Attribute (MaaS360 user attributes) as shown in the following table:
| Customappsso Attribute | Microsoft Entra ID Attribute | Matching precedence |
| --- | --- | --- |
| userName | userPrincipalName | 1 |
| active | Switch([IsSoftDeleted], , "False", "True", "True", "False") | |
| title | jobTitle | |
| emails[type eq "work"].value | mail | |
| name.givenName | givenName | |
| name.familyName | surname | |
| name.formatted | Join(" ", [givenName], [surname]) | |
| addresses[type eq "work"].streetAddress | streetAddress | |
| addresses[type eq "work"].locality | city | |
| phoneNumbers[type eq "work"].value | telephoneNumber | |
| phoneNumbers[type eq "mobile"].value | mobile | |
| externalId | objectId | |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber | employeeId | |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | department | |
Important: Apart from the objectId and userName attributes, all other attribute mappings can be modified as needed. When the mapping changes, the user provisioning application initiates a full directory synchronization. Ensure that the correct attribute mappings are selected before initial provisioning.
- By default, the userName attribute is mapped to the userPrincipalName attribute. However, if a different mapping is required, follow the steps for the required username format.
- Option 1: Use the userPrincipalName prefix as the username (default mapping)
- The userName attribute is mapped to userPrincipalName, and users in MaaS360 are created with the userPrincipalName prefix as their unique identifier.
- Option 2: Use userPrincipalName as the unique identifier
- In the Attribute Mappings section, click Edit corresponding to the userName attribute.
- Change the Mapping Type to Expression.
- Update the Expression field with the following value:
Append(Append([userPrincipalName],"@"),Item(Split([userPrincipalName],"@"),2))
- Click Save.
- Option 3: Use a different user attribute as the unique user identifier
- In the Attribute Mappings section, click Edit corresponding to the userName attribute.
- Select the required attribute as the Microsoft Entra ID Attribute.
- Also map userPrincipalName to provide this information to MaaS360 by following these steps.
- Select Show advanced options in the Attribute Mappings section and click Edit attribute list for customappsso.
- To add a new user attribute, use the following format:
urn:ietf:params:scim:schemas:extension:ibmmaas360:2.0:User:userPrincipalName
- Click Save.
- Go to the Add New Mapping section and map the newly created user attribute to userPrincipalName.
- Click Save.
Note: If the attribute value contains a domain value, you can also add an expression mapping to the user identifier attribute by appending the domain. For example:
Append(Append([email],"@"),Item(Split([email],"@"),2))
- Add an attribute mapping to synchronize user domain values. This step helps ensure that the user domain is aligned between the IBM MaaS360 portal and the Microsoft Entra Portal.
Important: You need to do this step only if the user domain in the IBM MaaS360 portal is different from the domain in the Microsoft Entra Portal.
- In the Attribute Mappings section, select Show advanced options.
- Click Edit attribute list for customappsso and add a new user attribute using the following format:
urn:ietf:params:scim:schemas:extension:ibmmaas360:2.0:User:userPrincipalName
- Click Save.
- Go to the Add New Mapping section and map the newly created user attribute to userPrincipalName.
- Click Save.
- (Optional) If custom user attribute mapping is required, you must create a custom user attribute in the MaaS360 Portal and map it to a Microsoft Entra ID user attribute. For more information, see Creating custom user attribute and mapping.
- Click Save.
- Configure the Settings section.
- Expand the Settings section and select the Sync only assigned users and groups option in the Scope list. The selected option defines which users and groups are synchronized to MaaS360 from the Microsoft Entra Portal.
Important:
- Ensure that you assigned the users and groups in the Microsoft Entra Portal before configuring Scope. When you assign a group to an application, only users in the group have access. The assignment does not cascade to nested groups.
- Ensure that you have a Microsoft Entra ID P1 or P2 license to assign specific users and groups for provisioning the application.
- If you do not have a Microsoft Entra ID P1 or P2 license, select Sync all users and groups to synchronize all users and groups to MaaS360 from the Microsoft Entra Portal.
- Return to the Overview page of the user provisioning application that you created.
- Click to assign users and groups.
- In the Add Assignment section, select None Selected for Users and groups.
- On the Users and groups page, search for the users or groups that you want to assign to the application, and then click Select.
- In the Add Assignment section, click Assign to assign the users or groups to the application.
- Return to the Overview page of the user provisioning application that you created.
- Click Provisioning in the left navigation pane. The provisioning overview page is displayed with user provisioning details.
- Set the Provisioning Status toggle to On.
- Click Save.
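The mapping table and the Option 2 userName expression from the procedure above, emulated in Python as an added example (not code from the MaaS360 or Microsoft documentation): it reimplements the Entra Switch, Item and Append/Split semantics to show the SCIM User that the customappsso mapping produces for a constructed directory object, including how a soft-deleted user maps to active = "False" and why the objectId and userName mappings must stay fixed.

```python
# Added example. Emulates the Entra expressions from the mapping table
# (Switch, Join, Append/Split/Item; Item is 1-based as in Entra) and renders
# the SCIM User that the customappsso connector would send to MaaS360.

def switch(value, default, *pairs):
    """Switch(source, default, key1, val1, ...): look value up in the key/value pairs."""
    return dict(zip(pairs[0::2], pairs[1::2])).get(value, default)

def item(parts, index):
    """Item(Split(...), n) with Entra's 1-based index."""
    return parts[index - 1]

def username_upn_with_domain(upn):
    """Option 2: Append(Append([userPrincipalName],"@"),Item(Split([userPrincipalName],"@"),2))"""
    return upn + "@" + item(upn.split("@"), 2)

def to_scim_user(u, option=1):
    """Apply the page's mapping table to a dict of Entra attributes.
    option 1: userName = userPrincipalName (default); option 2: the expression above."""
    upn = u["userPrincipalName"]
    return {
        "userName": upn if option == 1 else username_upn_with_domain(upn),
        # Switch([IsSoftDeleted], , "False", "True", "True", "False"): keys are compared
        # as strings, so the sample carries IsSoftDeleted as "True"/"False".
        "active": switch(u.get("IsSoftDeleted"), "", "False", "True", "True", "False"),
        "title": u.get("jobTitle"),
        "emails": [{"type": "work", "value": u.get("mail")}],
        "name": {"givenName": u.get("givenName"), "familyName": u.get("surname"),
                 # Join(" ", [givenName], [surname])
                 "formatted": " ".join([u.get("givenName", ""), u.get("surname", "")])},
        "addresses": [{"type": "work", "streetAddress": u.get("streetAddress"),
                       "locality": u.get("city")}],
        "phoneNumbers": [{"type": "work", "value": u.get("telephoneNumber")},
                         {"type": "mobile", "value": u.get("mobile")}],
        "externalId": u["objectId"],  # fixed mapping: MaaS360 correlates on this
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
            "employeeNumber": u.get("employeeId"), "department": u.get("department")},
    }

# Constructed sample directory object (not real tenant data).
SAMPLE_USER = {
    "userPrincipalName": "alice@contoso.example", "IsSoftDeleted": "False",
    "objectId": "11111111-2222-4333-8444-555555555555", "givenName": "Alice",
    "surname": "Smith", "mail": "alice@contoso.example", "jobTitle": "Analyst",
    "department": "SecOps", "employeeId": "E1001", "telephoneNumber": "+1 555 0100",
    "mobile": "+1 555 0101", "streetAddress": "1 Example Way", "city": "Austin",
}
```

Run `to_scim_user(SAMPLE_USER, option=2)` to see that the Option 2 expression yields `alice@contoso.example@contoso.example`, the full UPN followed by its domain, rather than the bare UPN.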
What to do next
Validate your provisioning settings
- Sign in to the Microsoft Entra Admin Centre with a Global Administrator account.
- Click . A list of all configured apps is displayed, including the apps added from the gallery.
- Select your user provisioning application. The Overview page is displayed for the application.
- Click Provisioning in the left navigation pane. The provisioning overview page is displayed with user provisioning details. You can check the status of the user provisioning settings and view the user and group details that are assigned.
- To edit or add other settings, select a specific option in the Manage provisioning section based on your requirements.
- To view the provisioning intervals and other details, expand the required field in the Statistics to date section.
Monitor your deployment
When you have configured user provisioning, use these Microsoft resources to monitor your deployment:
- Use the provisioning logs to see which users are provisioned successfully or unsuccessfully.
- Check the progress bar to see the status of the user provisioning cycle and how close it is to completion.
- If the user provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. For more information, see here.