Our SCIM integration with Azure AD allows admins to add and remove users within Azure itself, without ever having to sign into Genea. Newly boarded users will receive an email about how to download their mobile key, and their key with be assigned with their appropriate access rights to the office.
The SCIM push-based system treats your Azure directory as it's source of truth. When changes are made in Azure, they automatically get pushed to Genea. This means you never have to worry about your Genea employee directory being out of sync with Azure.
The following instructions walk through the process of integrating Azure AD with Genea. You will need admin privileges in both Azure AD and Genea to complete this integration.
- The primary email address and phone number listed in Azure will be the email address and phone number listed in the Genea employee directory.
- When adding or updating employees, Genea will match based upon the primary email address listed for the Azure user. If the primary email address is not found within Genea, a new employee will be added to the Genea employee directory.
Step 1 : Prepare to enable the Genea + Azure provisioning integration.
- Create Access Groups - You can grant permissions to specific door groups in Genea based upon your Azure groups or any other attributes. Please create the appropriate Access Groups in Genea based upon your specific office needs (this could reflect your Azure groups structure). For example, let's say you've created Employees, Contractors, and IT Admin access groups.
- If you have multiple office locations enabled with Genea, decide whether you’d like to sync all users to all locations, or to sync specific users per location. This will affect how you set up the integration.
- Decide whether you would like to assign mobile keys to all newly boarded users by default.
Step 2 : Enable Genea + Azure provisioning integration on Genea
- Login to the Genea Web application and navigate to the 'Integrations' page.
- Find Azure and click 'Install.’
Step 3 : Azure Integration Install Wizard.
There are three simple steps in Install Wizards.
- Login to your Microsoft Azure account and grant permission.
Provide your login credentials. On the next screen, grant permission to Genea to access your Microsoft account data.
Note: The user authenticating the integration in Genea must be a Global Administrator in your Azure AD.
2. Azure Integration Token
In this step, you will be assigned a secure token for your Azure provisioning integration. Please copy this token as you will need it in the next step when we apply it to your Azure portal.
For more information on the SCIM app token, see How to re-authenticate your Azure AD integration with Genea?
3. Configure Rules for Employee Sync
All your properties will be listed on the Rules screen where you can manage rules for respective properties. There must be at least one rule specified for each property in order for synchronization to occur successfully.
- On the 'Rules' tab, click 'Add new rule'.
- Provide a ‘Name’ for the rule.
- Click ‘Add condition’ to add a new condition to the rule.
Note: Multiple conditions can be added for a rule.
- Select ‘Operand’ and ‘Operator’ values from the provided drop-down and provide ‘Value’ in the text box for the condition.
- Select ‘any/all’ from the matches drop-down in the case of multiple conditions.
- A rule can also be removed by pressing the 'Remove' button.
Note: This option will only be available once we add more than one condition for a rule.
- Select which ‘Access Group’ to which users who match the given rule will be assigned from the available access groups.
- Select which ‘Role’ to which users will be assigned from the available roles.
- Select ‘Yes’ or ‘No’ for the 'Assign a Mobile Key' option. If you select ‘Yes’, newly boarded users will automatically receive a Mobile Key. We recommend keeping it enabled for an easy on-boarding experience.
While setting up your integration, you may choose to enable or disable certain user updates from Azure Active Directory to Genea.
If your integration set-up includes a few basic and/or broad rules, or if you plan on changing user attributes manually within Genea after users have been synced via Azure, we recommend disabling the ‘Override Roles on Update’ and ‘Override Access Groups on Update’ update flags. If enabled, these User Update flags may override manual changes made to your users’ roles and/or access groups in Genea.
Delete User If No Rules Match: if changes have been made to a user’s profile within Azure that no longer qualify them for any of your integration rules, the user will be deactivated within Genea. IMPORTANT NOTE: This flag will only come into play during directory updates. If you deactivate or suspend a user within your directory, the user will automatically be deactivated within Genea, regardless of whether this User Update flag is enabled or not.
IMPORTANT NOTE: If your integration does not include a specialized rule for provisioning system administrators, we recommend disabling the ‘Override Roles on Update’ flag as system administrator privileges may be revoked for existing administrators during updates. To avoid losing administrative privileges while keeping this flag enabled, we recommend creating a specialized rule within your integration that will provision system administrators. Ensure that this rule is placed first within your rule priority list so that system administrators will be provisioned first, then remaining users will be matched to the following rules accordingly.
Step 4: Configure your Azure Account.
Applications that support the SCIM profile described in this article can be connected to Azure Active Directory using the "non-gallery application" feature in the Azure AD application gallery. Once connected, Azure AD runs a synchronization process every 20 minutes where it queries the application's SCIM endpoint for assigned users and groups, and creates or modifies them according to the assignment details.
To connect an application that supports SCIM:
- Sign in to the Azure portal.
- Browse to 'Azure Active Directory' > 'Enterprise Applications,' l > select 'New Application' > 'All' > 'Non-gallery Application.'
- Enter a name for your application, and click 'Add Icon' to create an app object.
- On the resulting screen, select the 'Provisioning' tab in the left column.
- On the Provisioning Mode menu, select 'Automatic.'
- In the Tenant URL field, enter the URL : https://scim-api.sequr.io/scim/v2
- Copy the OAuth bearer token (https://access.sequr.io/integrations/azure/manage) into the 'Secret Token' field.
- Click the 'Test Connection' button to have Azure Active Directory attempt to connect to the SCIM endpoint. If the attempts fail, the error information will be displayed.
- If the attempt to connect to the application succeeds, then click 'Save' to save the admin credentials.
10. If the user details are to be updated from the Genea web application, please disable the update option from ‘Users’ mapping to avoid any updates being overridden from Azure AD (Recommended).
11. Under Settings, the Scope field defines which users and/or groups are synchronized. Selecting "Sync only assigned users and groups" (recommended) will only sync users and groups assigned in the Users and groups tab.
12. Once your configuration is complete, change the 'Provisioning Status' to 'On.'
13. Click 'Save' to start the Azure AD provisioning service.
Test your integration setup before applying it to all the users in scope:
Azure AD Connect cloud provisioning has a feature called "on-demand provisioning", that allows you to test configuration changes quickly, by applying the changes to a single user. You can use this to validate and verify that the changes made to the configuration were applied properly and are being correctly synchronized to Azure AD.
After setting up the integration between Genea and Azure, you may like to test the integration to see if the user provisioning is working as expected before applying it to all the users in scope. You can create some test users, test rules in Genea application, and play with different functionalities to get a better idea of how SCIM provisioning, our rule engine, etc, work. The automatic Azure AD provisioning service currently operates on a cyclic basis. The service runs typically every 40 minutes. That means, once you make any change in Azure and want to test it with Genea application, then you will have to wait for around 40-45 minutes before you could see if configuration changes are working well or not. The on-demand provisioning capability allows you to pick a user and provision them in seconds. This capability allows you to quickly troubleshoot provisioning issues, without having to do a restart to force the provisioning cycle to start again. Unlike automatic sync,on-demand provisioning typically takes less than 30 seconds.
How to use on-demand provisioning:
1. Sign in to the Azure portal.
2. Go to All services > Enterprise applications.
3. Select your application, and then go to the provisioning configuration page.
4. Configure provisioning by providing your admin credentials.
5. Select Provision on-demand.
6. Search for a user by first name, last name, display name, user principal name, or email address.
7. Select Provision at the bottom of the page.
1. On-demand provisioning of groups and roles isn't supported. You can select one user at a time and test your integration with other applications.
2. On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Azure AD. Those users won't appear when you search for a user.
For more details, please refer to this document from Azure.
If you have any questions about the Genea Access Control + Azure Active Directory Integration, please reach out to Genea Support at email@example.com.