Our SCIM integration with Microsoft Entra ID allows admins to add and remove users within Microsoft Entra itself, without ever having to sign into Genea. Newly boarded users will receive an email explaining how to download their mobile key, and their key will be assigned the appropriate access rights to the office.
The SCIM push-based system treats your Microsoft Entra ID as its source of truth. When changes are made in Microsoft Entra ID, they are automatically pushed to Genea, so your Genea employee directory never falls out of sync with Microsoft Entra ID.
The following instructions walk through the process of integrating Microsoft Entra ID with Genea. You will need admin privileges in both Microsoft Entra ID and Genea to complete this integration.
Important Notes:
The primary email address and phone number listed in Microsoft Entra will be the email address and phone number listed in the Genea employee directory.
When adding or updating employees, Genea will match based upon the primary email address listed for the Microsoft Entra user. If the primary email address is not found within Genea, a new employee will be added to the Genea employee directory.
Step 1: Prepare to enable the Genea + Microsoft Entra ID integration.
Create Access Groups - You can grant permissions to specific door groups in Genea based upon your Microsoft Entra ID groups or any other attributes. Please create the appropriate Access Groups in Genea based upon your specific office needs (this could reflect your Microsoft Entra ID groups structure). For example, let's say you've created Employees, Contractors, and IT Admin access groups.
If you have multiple office locations enabled with Genea, decide whether you’d like to sync all users to all locations, or to sync specific users per location. This will affect how you set up the integration.
Decide whether you would like to assign mobile keys to all newly boarded users by default.
Step 2: Enable the Genea + Microsoft Entra ID integration on Genea
Login to the Genea Web application and navigate to the 'Integrations' page.
Find Microsoft Entra ID and click 'Install'.
Step 3: Microsoft Entra ID Integration Install Wizard.
There are three simple steps in the Install Wizard.
1. Login to your Microsoft Entra ID account and grant permission.
Provide your login credentials. On the next screen, grant permission to Genea to access your Microsoft account data.
Note: The user authenticating the integration in Genea must be a Global Administrator in your Microsoft Entra ID.
2. Microsoft Entra ID Integration Token
In this step, you will be assigned a secure token for your Microsoft Entra ID integration. Please copy this token as you will need it in the next step when we apply it to your Microsoft Entra ID portal.
For more information on the SCIM app token, see How to re-authenticate your Microsoft Entra ID integration with Genea?
3. Configure Rules for Employee Sync
All your properties will be listed on the Rules screen where you can manage rules for respective properties. There must be at least one rule specified for each property in order for synchronization to occur successfully.
On the 'Rules' tab, click 'Add new rule'.
Provide a ‘Name’ for the rule.
Click ‘Add condition’ to add a new condition to the rule.
Note: Multiple conditions can be added for a rule.
Select ‘Operand’ and ‘Operator’ values from the provided drop-down and provide ‘Value’ in the text box for the condition.
Select ‘any/all’ from the matches drop-down in the case of multiple conditions.
A rule can also be removed by pressing the 'Remove' button.
Note: This option will only be available once we add more than one condition for a rule.
Select the 'Access Group' to which users who match the rule will be assigned, from the available access groups.
Select the 'Role' to which matching users will be assigned, from the available roles.
Select ‘Yes’ or ‘No’ for the 'Assign a Mobile Key' option. If you select ‘Yes’, newly boarded users will automatically receive a Mobile Key. We recommend keeping it enabled for an easy on-boarding experience.
Provisioning Rules When Apple Wallet is Installed
When Apple Wallet is installed, you can get more specific with the rule engine to make sure certain groups of users in your organization are enabled for Apple Wallet pass.
As shown below, the Add Rule page will have an option to select Apple Wallet. You can also select the BLE option. Selecting both will issue both BLE and Apple Wallet passes (keys).
The summary rule table shows which mobile access type is assigned to each rule. The other functionality, such as rearranging rules and setting their priority, remains the same.
You can edit the rule and make necessary changes too.
UPDATE FLAGS
While setting up your integration, you may choose to enable or disable certain user updates from Microsoft Entra ID to Genea.
If your integration set-up includes a few basic and/or broad rules, or if you plan on changing user attributes manually within Genea after users have been synced via Microsoft Entra, we recommend disabling the ‘Override Roles on Update’ and ‘Override Access Groups on Update’ update flags. If enabled, these User Update flags may override manual changes made to your users’ roles and/or access groups in Genea.
Delete User If No Rules Match: if changes have been made to a user’s profile within Microsoft Entra that no longer qualify them for any of your integration rules, the user will be deactivated within Genea. IMPORTANT NOTE: This flag will only come into play during directory updates. If you deactivate or suspend a user within your directory, the user will automatically be deactivated within Genea, regardless of whether this User Update flag is enabled or not.
IMPORTANT NOTE: If your integration does not include a specialized rule for provisioning system administrators, we recommend disabling the ‘Override Roles on Update’ flag as system administrator privileges may be revoked for existing administrators during updates. To avoid losing administrative privileges while keeping this flag enabled, we recommend creating a specialized rule within your integration that will provision system administrators. Ensure that this rule is placed first within your rule priority list so that system administrators will be provisioned first, then remaining users will be matched to the following rules accordingly.
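The rule engine (Step 3, "Configure Rules for Employee Sync") and the update flags above are easiest to reason about by simulating them. The following Python block is an added example, not Genea's code: it models the behaviour the text describes (rules are evaluated in priority order and the first match wins; 'Override Roles on Update', 'Override Access Groups on Update' and 'Delete User If No Rules Match' act only on directory updates). The operators 'equals' and 'contains', the user attribute names (userType, groups, department) and the sample users are assumptions made for the illustration. The scenarios show the exact pitfall described in the IMPORTANT NOTE: an existing administrator matched only by a broad rule loses the System Administrator role when the override flag is on, and a dedicated administrator rule placed first in the priority list prevents that.

```python
"""Simulation of the Genea employee-sync rule engine and update flags.

Added example; modelled from the article, not Genea's implementation.
Operators, attribute names and sample users are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    conditions: list            # (operand, operator, value) triples
    match: str = "all"          # 'all' or 'any', as on the Rules screen
    access_group: str = ""
    role: str = ""
    mobile_key: bool = True


@dataclass
class Employee:
    email: str
    role: str
    access_group: str
    active: bool = True


@dataclass
class UpdateFlags:
    override_roles: bool = True
    override_access_groups: bool = True
    delete_if_no_rules_match: bool = True


def condition_holds(user: dict, operand: str, operator: str, value: str) -> bool:
    actual = user.get(operand)
    if operator == "equals":
        return actual == value
    if operator == "contains":          # e.g. membership in a group list
        return value in (actual or [])
    raise ValueError(f"unknown operator {operator!r}")


def first_matching_rule(user: dict, rules: list) -> Optional[Rule]:
    """Rules are evaluated in priority order; the first match wins."""
    for rule in rules:
        if not rule.conditions:
            raise ValueError(f"rule {rule.name!r} has no conditions")
        results = [condition_holds(user, *c) for c in rule.conditions]
        if all(results) if rule.match == "all" else any(results):
            return rule
    return None


def apply_directory_update(existing: Employee, user: dict, rules: list,
                           flags: UpdateFlags) -> Employee:
    """Apply an Entra-originated update to an employee already in Genea."""
    rule = first_matching_rule(user, rules)
    if rule is None:
        if flags.delete_if_no_rules_match:
            existing.active = False      # deactivated, as the flag describes
        return existing
    if flags.override_roles:
        existing.role = rule.role
    if flags.override_access_groups:
        existing.access_group = rule.access_group
    return existing


# Constructed sample data (assumed attribute names).
EVERYONE = Rule("Employees", [("userType", "equals", "Member")],
                access_group="Employees", role="Employee")
ADMINS = Rule("IT Admins", [("groups", "contains", "IT Admin")],
              access_group="IT Admin", role="System Administrator")
ADMIN_USER = {"email": "admin@example.com", "userType": "Member",
              "groups": ["IT Admin"], "department": "IT"}


def scenario_admin_broad_rule_only(override_roles: bool = True) -> Employee:
    """An admin who was promoted manually in Genea, updated under a broad rule."""
    existing = Employee("admin@example.com", "System Administrator", "IT Admin")
    flags = UpdateFlags(override_roles=override_roles)
    return apply_directory_update(existing, ADMIN_USER, [EVERYONE], flags)


def scenario_admin_rule_first() -> Employee:
    """Same admin, but a dedicated admin rule sits first in the priority list."""
    existing = Employee("admin@example.com", "System Administrator", "IT Admin")
    return apply_directory_update(existing, ADMIN_USER, [ADMINS, EVERYONE],
                                  UpdateFlags())


def scenario_no_rule_matches(delete_if_no_rules_match: bool = True) -> Employee:
    """A user whose profile change leaves them matching no rule at all."""
    existing = Employee("guest@example.com", "Employee", "Employees")
    guest = {"email": "guest@example.com", "userType": "Guest", "groups": []}
    flags = UpdateFlags(delete_if_no_rules_match=delete_if_no_rules_match)
    return apply_directory_update(existing, guest, [ADMINS, EVERYONE], flags)


if __name__ == "__main__":
    print(scenario_admin_broad_rule_only())        # role becomes Employee
    print(scenario_admin_broad_rule_only(False))   # role is kept
    print(scenario_admin_rule_first())             # admin rule wins
    print(scenario_no_rule_matches())              # active=False
```

Running the block prints the four outcomes; the first line is the privilege loss the note warns about, the second shows the effect of disabling 'Override Roles on Update', and the third shows that ordering the dedicated administrator rule first keeps the flag enabled without demoting anyone.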
Step 4: Configure your Microsoft Entra ID Account.
Getting Started:
Applications that support SCIM can be connected to Microsoft Entra ID using the "non-gallery application" feature in the Microsoft Entra ID application gallery. Once connected, Microsoft Entra ID runs a synchronization process every 20 minutes in which it queries the application's SCIM endpoint for assigned users and groups, and creates or modifies them according to the assignment details.
To connect an application that supports SCIM:
1. Sign in to the Microsoft Entra ID portal.
2. Browse to 'Microsoft Entra ID' > 'Identity' > 'All Applications' > 'Enterprise Applications'.
3. Select 'New Application' > 'Create Your Own Application'.
4. Enter a name for your application, select the 'Non-gallery application' option and click 'Create'.
5. On the resulting screen, select the 'Provisioning' tab in the left column.
6. On the Provisioning Mode menu, select 'Automatic'.
7. In the Tenant URL field, enter the URL: https://scim-api.sequr.io/scim/v2
8. Copy and paste the Genea Integration token into the 'Secret Token' field.
9. Click the 'Test Connection' button to have Microsoft Entra ID attempt to connect to the SCIM endpoint. If the attempt fails, the error information will be displayed.
10. If the attempt to connect to the application succeeds, click 'Save' to save the admin credentials.
11. To ensure that all the latest updates from Microsoft Entra ID reach Genea, enable the Create, Update and Delete actions in the 'Users' and 'Groups' mappings.
12. Under Settings, the Scope field defines which users and/or groups are synchronized. Selecting "Sync only assigned users and groups" (recommended) will only sync users and groups assigned in the Users and groups tab.
13. Once your configuration is complete, change the 'Provisioning Status' to 'On'.
14. Click 'Save' to start the Microsoft Entra ID provisioning service.
Test your integration setup before applying it to all the users in scope:
Microsoft Entra ID Connect cloud provisioning has a feature called "on-demand provisioning" that lets you test configuration changes quickly by applying them to a single user. You can use it to validate and verify that the changes made to the configuration were applied properly and are being correctly synchronized to Microsoft Entra ID.
Purpose:
After setting up the integration between Genea and Microsoft Entra ID, you may want to test it to see whether user provisioning works as expected before applying it to all the users in scope. You can create some test users, test rules in the Genea application, and try different functionalities to get a better idea of how SCIM provisioning, our rule engine, and the rest work. The automatic Microsoft Entra ID provisioning service currently operates on a cyclic basis, typically running every 40 minutes. That means that once you make a change in Microsoft Entra and want to test it with the Genea application, you will have to wait around 40-45 minutes before you can see whether the configuration change is working. On-demand provisioning lets you pick a user and provision them in seconds, so you can troubleshoot provisioning issues quickly without restarting the provisioning cycle. Unlike automatic sync, on-demand provisioning typically takes less than 30 seconds.
How to use on-demand provisioning:
1. Sign in to the Microsoft Entra portal.
2. Go to All services > Enterprise applications.
3. Select your application, and then go to the provisioning configuration page.
4. Configure provisioning by providing your admin credentials.
5. Select Provision on-demand.
6. Search for a user by first name, last name, display name, user principal name, or email address.
7. Select Provision at the bottom of the page.
How to assign Home Location via Microsoft Entra ID
With the introduction of the Home Location attribute, you can create and map this attribute in Microsoft Entra ID, eliminating the need for manual input in the Genea web application.
To automate the assignment of Home Location in the Genea web application using Microsoft Entra ID, follow these steps:
1. Sign in to the Microsoft Entra ID portal.
2. Browse to 'Microsoft Entra ID' > 'Identity' > 'All Applications' > 'Enterprise Applications'.
3. Select your 'Application'.
4. On the resulting screen, select the 'Provisioning' tab in the left column.
5. Click 'Edit Provisioning' to add the Home Location attribute.
6. Navigate to 'Mapping' and select 'Provision Microsoft Entra ID Users'.
7. Check the 'Show advanced options' checkbox and select 'Edit attribute list for customappsso'.
8. Under 'Edit attribute list for customappsso', enter the following extended Home Location attribute:
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:homeLocation
Click 'Save' to update the attribute list.
9. Select 'Add Mapping' to map the Microsoft Entra attribute to the Home Location attribute through an expression.
Below is a sample expression that can be customized based on your operations. This expression can be configured on any user attribute (e.g., Country, Region, State) in Microsoft Entra.
Switch([city], "None", "Berlin", "Genea - Berlin", "Netherlands", "Genea - Netherlands", "Paris", "Genea - Paris")
According to the expression, when the user's city is set as 'Berlin' in Microsoft Entra, the 'Genea - Berlin' Home Location will be assigned to the respective user in the Genea web application.
If no city is set or if it is removed from the user's profile, the assigned Home Location will be removed.
Notes:
If the location name has been changed in Genea, you must update the expression in Microsoft Entra.
If a new location is added in Genea, you must update the existing expression with the new location in Microsoft Entra.
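To make the Home Location mapping concrete, the following Python block is an added example (not Genea's or Microsoft's code) that carries the article's Switch expression end to end: it reproduces Entra's Switch(source, defaultValue, key1, value1, ...) semantics, builds the SCIM User resource Entra would send with homeLocation under the extension URN from step 8, and then upserts that resource into a toy Genea directory matched on the primary email address, as the Important Notes at the top describe. Assumptions: the JSON shape is the standard SCIM 2.0 User resource (RFC 7643), the Switch default "None" is treated as "no value" so that an unset city removes the Home Location, and the example users are constructed.

```python
"""Home Location mapping via SCIM, end to end.

Added example, not Genea's or Microsoft's code. Assumes a standard SCIM 2.0
User resource and that the Switch default "None" means 'no value'.
"""
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
NO_VALUE = "None"   # the defaultValue used in the article's expression


def switch(source, default, *pairs):
    """Entra's Switch(source, defaultValue, key1, value1, ...) semantics."""
    if len(pairs) % 2:
        raise ValueError("Switch needs key/value pairs after the default")
    mapping = dict(zip(pairs[0::2], pairs[1::2]))
    return mapping.get(source, default)


def home_location_for(city):
    """The expression from the article, with the same arguments."""
    return switch(city, NO_VALUE,
                  "Berlin", "Genea - Berlin",
                  "Netherlands", "Genea - Netherlands",
                  "Paris", "Genea - Paris")


def build_scim_user(entra_user: dict) -> dict:
    """SCIM User resource as Entra would provision it under this mapping."""
    resource = {
        "schemas": [CORE_USER, ENTERPRISE_EXT],
        "userName": entra_user["userPrincipalName"],
        "name": {"givenName": entra_user.get("givenName", ""),
                 "familyName": entra_user.get("surname", "")},
        "emails": [{"value": entra_user["mail"], "primary": True}],
        "active": entra_user.get("accountEnabled", True),
    }
    location = home_location_for(entra_user.get("city"))
    if location != NO_VALUE:    # assumption: "None" => attribute omitted
        resource[ENTERPRISE_EXT] = {"homeLocation": location}
    return resource


def primary_email(resource: dict):
    for entry in resource.get("emails", []):
        if entry.get("primary"):
            return entry["value"].lower()
    return None


def upsert_employee(directory: dict, resource: dict) -> str:
    """Match on the primary email: create if absent, update if present.

    Returns 'created' or 'updated'. A missing homeLocation clears the
    stored Home Location, matching the article's removal behaviour.
    """
    email = primary_email(resource)
    if email is None:
        raise ValueError("SCIM user has no primary email; cannot match")
    directory[email] = {
        "email": email,
        "active": resource.get("active", True),
        "home_location": resource.get(ENTERPRISE_EXT, {}).get("homeLocation"),
    }
    return "updated" if email in directory and directory.get(email) is not None \
        and _seen(directory, email) else "created"


_SEEN = set()   # tracks emails that existed before the current upsert


def _seen(directory: dict, email: str) -> bool:
    existed = email in _SEEN
    _SEEN.add(email)
    return existed


# Constructed sample users (example.com addresses, not real accounts).
BERLIN_USER = {"userPrincipalName": "anna.beck@example.com",
               "mail": "Anna.Beck@example.com", "givenName": "Anna",
               "surname": "Beck", "city": "Berlin"}
NO_CITY_USER = {k: v for k, v in BERLIN_USER.items() if k != "city"}


def demo() -> dict:
    """Provision the user with a city, then again after the city is removed."""
    directory = {}
    first = build_scim_user(BERLIN_USER)
    print(json.dumps(first, indent=2))
    upsert_employee(directory, first)             # created, Genea - Berlin
    upsert_employee(directory, build_scim_user(NO_CITY_USER))  # updated, cleared
    return directory


if __name__ == "__main__":
    print(demo())
```

Note that the match is case-insensitive on the email, which is why the stored key is lower-cased, and that a resource without a primary email is rejected rather than silently creating a duplicate employee; the first JSON printed shows exactly where the extension attribute sits in the payload.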
Limitations of on-demand provisioning:
1. On-demand provisioning of groups and roles isn't supported. You can select one user at a time and test your integration with other applications.
2. On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Microsoft Entra ID. Those users won't appear when you search for a user.
For more details, please refer to this document from Microsoft Entra.
If you have any questions about the Genea Access Control + Microsoft Entra ID Integration, please reach out to Genea Support at acsupport@getgenea.com.