
Genea Access Control + Microsoft Entra ID: Employee Provisioning Integration

Learn how to automatically sync your Microsoft Entra ID (formerly known as Azure AD) employee directory with Genea.

Written by Mishit
Updated over 3 weeks ago

Our SCIM integration with Microsoft Entra ID allows admins to add and remove users and groups within Microsoft Entra itself, without ever having to sign in to Genea. Newly onboarded users will receive an email explaining how to download their mobile key, and their key will be assigned the appropriate access rights to the office.

The SCIM push-based system treats your Microsoft Entra ID as its source of truth. When changes are made in Microsoft Entra ID, they are automatically pushed to Genea, so your Genea employee directory never falls out of sync with Microsoft Entra ID.

The following instructions walk through the process of integrating Microsoft Entra ID with Genea. You will need admin privileges in both Microsoft Entra ID and Genea to complete this integration.

Important Notes:

  • The primary email address and phone number listed in Microsoft Entra will be the email address and phone number listed in the Genea employee directory.

  • When adding or updating employees, Genea will match based upon the primary email address listed for the Microsoft Entra user. If the primary email address is not found within Genea, a new employee will be added to the Genea employee directory.

  • When a group is created in Microsoft Entra and assigned to the Genea application, it is provisioned to Genea along with the members of that group.


For User Group-enabled Portals

Step 1: Enable Genea + Microsoft Entra ID integration on Genea

  • Login to the Genea Web application and navigate to the 'Integrations' page.

  • Find Microsoft Entra ID and click 'Install.'

Step 2: Microsoft Entra ID Integration Token

In this step, you will be assigned a secure token for your Microsoft Entra ID integration. Copy this token; you will need it in the next step, when it is applied to your Microsoft Entra ID portal.

For more information on the SCIM app token, see How to re-authenticate your Microsoft Entra ID integration with Genea?

Step 3: Configure your Microsoft Entra ID Account

Applications that support the SCIM profile described in this article can be connected to Microsoft Entra ID using the "non-gallery application" feature in the Microsoft Entra ID application gallery. Once connected, Microsoft Entra ID runs a synchronization process every 40 minutes where it queries the application's SCIM endpoint for assigned users and groups, and creates or modifies them according to the assignment details.

To connect an application that supports SCIM:

  1. Browse to 'Microsoft Entra ID' > 'Identity' > 'All Applications' > 'Enterprise Applications.'

  2. Select 'New Application' > 'Create Your Own Application.'

  3. Enter a name for your application, select the 'Non-gallery application' option, and click 'Create.'

  4. On the resulting screen, select the 'Provisioning' tab in the left column.

  5. On the Provisioning Mode menu, select 'Automatic.'

  6. In the Tenant URL field, enter the URL: https://scim-api.sequr.io/scim/v2

  7. Copy and paste the Genea Integration token into the 'Secret Token' field.

  8. Click the 'Test Connection' button to have Microsoft Entra ID attempt to connect to the SCIM endpoint. If the attempt fails, the error information will be displayed.

  9. If the attempt to connect to the application succeeds, click 'Save' to save the admin credentials.

  10. To ensure that all the latest updates from Microsoft Entra ID reach Genea, enable the Create, Update, and Delete options in both the 'Users' and 'Groups' mappings.

  11. Update the user attribute mapping for External ID from 'mailNickname' to 'objectId'. Note: provisioning will not run seamlessly unless this mapping is updated.

  12. Under Settings, the Scope field defines which users and/or groups are synchronized. Selecting "Sync only assigned users and groups" (recommended) syncs only the users and groups assigned in the Users and groups tab.

  13. Once your configuration is complete, change the 'Provisioning Status' to 'On.'

  14. Click 'Save' to start the Microsoft Entra ID provisioning service.
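To make the matching rules concrete, here is an added illustration, written for this article and not Genea's own code or captured traffic, of how a SCIM 2.0 service provider on the Genea side would process the User and Group resources that Entra pushes once provisioning is on. It matches on the primary email as the Important Notes describe, stores externalId (the objectId chosen in the External ID mapping step), takes the primary phone number, and clears Home Location when the enterprise-extension attribute is absent. The Employee/Directory model, the sample payloads and the externalId value are all constructed.

```python
"""Added illustration of the matching rules this article describes, written
as a minimal in-memory SCIM 2.0 service provider.  It is NOT Genea's code:
the Employee/Directory model and the payloads below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


@dataclass
class Employee:
    email: str                       # primary email from Entra (the match key)
    external_id: str | None = None   # Entra objectId, via the External ID mapping
    name: str = ""
    phone: str | None = None         # primary phone number from Entra
    active: bool = True
    home_location: str | None = None


@dataclass
class Directory:
    """Stand-in for the Genea employee directory and its user groups."""
    employees: dict[str, Employee] = field(default_factory=dict)  # key: lower-cased email
    groups: dict[str, set[str]] = field(default_factory=dict)     # group name -> member keys


def primary_value(entries: list[dict]) -> str | None:
    """Pick the entry flagged primary from a SCIM multi-valued attribute
    (emails, phoneNumbers); fall back to the first entry if none is flagged."""
    for entry in entries:
        if entry.get("primary"):
            return entry.get("value")
    return entries[0].get("value") if entries else None


def upsert_user(directory: Directory, scim_user: dict) -> tuple[str, Employee]:
    """Apply a SCIM User resource pushed by Entra.

    The primary email is the match key: a known email updates that employee,
    an unknown one creates a new employee.  Returns ("created" | "updated", employee).
    """
    email = primary_value(scim_user.get("emails", [])) or scim_user.get("userName")
    if not email:
        raise ValueError("SCIM User carries no primary email to match on")
    key = email.lower()
    employee = directory.employees.get(key)
    action = "updated" if employee else "created"
    if employee is None:
        employee = Employee(email=email)
        directory.employees[key] = employee
    employee.external_id = scim_user.get("externalId", employee.external_id)
    employee.name = scim_user.get("displayName", employee.name)
    employee.phone = primary_value(scim_user.get("phoneNumbers", []))
    employee.active = bool(scim_user.get("active", True))
    # An absent or empty homeLocation clears the assignment, as the article states.
    extension = scim_user.get(ENTERPRISE_EXT, {})
    employee.home_location = extension.get("homeLocation") or None
    return action, employee


def upsert_group(directory: Directory, scim_group: dict) -> set[str]:
    """Apply a SCIM Group resource: the group is created (or its membership
    replaced) under its displayName.  Member values are the ids the service
    provider returned at user creation; in this model that is the email key."""
    members = {m["value"].lower() for m in scim_group.get("members", [])}
    unknown = members - set(directory.employees)
    if unknown:
        raise LookupError(f"group members not yet provisioned: {sorted(unknown)}")
    directory.groups[scim_group["displayName"]] = members
    return members


# Constructed sample payloads in the shape Entra's SCIM client sends
# (the objectId-style externalId is a placeholder, not a real tenant value).
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE_EXT],
    "externalId": "00000000-0000-4000-8000-000000000001",
    "userName": "alice@example.com",
    "displayName": "Alice Example",
    "active": True,
    "emails": [{"primary": True, "type": "work", "value": "Alice@example.com"}],
    "phoneNumbers": [{"primary": True, "type": "work", "value": "+1 555 0100"}],
    ENTERPRISE_EXT: {"homeLocation": "Genea - Berlin"},
}
SAMPLE_GROUP = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName": "Berlin Office",
    "members": [{"value": "alice@example.com"}],
}

if __name__ == "__main__":
    d = Directory()
    print(upsert_user(d, SAMPLE_USER))
    print(upsert_group(d, SAMPLE_GROUP))
```

Running the block provisions Alice and then the group that references her; pushing the same user again with a different case in the email, or with the homeLocation attribute removed, updates the existing record rather than creating a second one, which is the behaviour the notes above promise.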

Test your integration setup before applying it to all the users in scope:

Microsoft Entra ID Connect cloud provisioning has a feature called "on-demand provisioning" that allows you to test configuration changes quickly by applying them to a single user. You can use this to validate that the changes made to the configuration were applied properly and are being correctly synchronized to Microsoft Entra ID.

Step 4: Provision Groups from Microsoft Entra ID to Genea

  1. Browse to 'Microsoft Entra ID' > 'Identity' > 'All Applications' > 'Enterprise Applications.'

  2. Select your application, go to 'Users and groups', and click '+Add user/group' to assign a group to the application.

Does Genea Support Multiple Entra Instances?

Yes, multiple Entra instances can be connected to a single Genea portal on user group-enabled portals. Keep the following considerations in mind:

  1. External ID Mapping: Ensure that the External ID is mapped to the object ID for user provisioning; otherwise, users may lose access.

  2. Unique Group Names: Genea does not support duplicate user group names. Ensure that each Entra instance uses distinct group names to avoid errors.

  3. Moving to a Single Entra Instance: If you plan to transition from multiple Entra instances to a single one, it is essential to have a clear migration plan. You can either manage this transition internally or collaborate with Genea to ensure a smooth migration without service disruptions.

For further assistance, please reach out to Genea Support.


Perform On-Demand Provisioning for Users and Groups:

After setting up the integration between Genea and Microsoft Entra ID, you may want to test it to confirm that user provisioning works as expected before applying it to all users and groups.

The automatic Microsoft Entra ID provisioning service operates on a cycle, typically running every 40 minutes. This means that after you make a change in Microsoft Entra and want to test it against the Genea application, you have to wait around 40-45 minutes before you can see whether the configuration change is working. The on-demand provisioning capability lets you pick a user or group and provision them in seconds, so you can troubleshoot provisioning issues quickly without restarting the provisioning cycle. Unlike the automatic sync, on-demand provisioning typically completes in under 30 seconds.


How to use on-demand provisioning:


1. Sign in to the Microsoft Entra ID portal.
2. Go to All services > Enterprise applications.
3. Select your application, and then go to the provisioning configuration page.
4. Configure provisioning by providing your admin credentials.
5. Select Provision on-demand.
6. Search for a user by first name, last name, display name, user principal name, or email address.
7. Select Provision at the bottom of the page.

How to assign Home Location via Microsoft Entra ID?

With the introduction of the Home Location attribute, users can create and map this attribute in Microsoft Entra ID, eliminating the need for manual input in the Genea web application.

To automate the assignment of Home Location in the Genea web application using Microsoft Entra ID, follow these steps:

  1. Browse to 'Microsoft Entra ID' > 'Identity' > 'All Applications' > 'Enterprise Applications.'

  2. Select your application.

  3. On the resulting screen, select the 'Provisioning' tab in the left column.

  4. Click 'Edit Provisioning' to add the Home Location attribute.

  5. Navigate to 'Mapping' and select 'Provision Microsoft Entra ID Users.'

  6. Check the 'Show advanced options' checkbox and select 'Edit attribute list.'

  7. Under 'Edit attribute list for customappsso,' enter the following extended Home Location attribute:

     urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:homeLocation

     Click 'Save' to update the attribute list.

  8. Select 'Add Mapping' to map the Microsoft Entra attribute to the Home Location attribute through an expression.

Below is a sample expression that can be customized to your operations. The expression can be driven by any user attribute (e.g., Country, Region, State) in Microsoft Entra.

Switch([city], "None", "Berlin", "Genea - Berlin", "Netherlands", "Genea - Netherlands", "Paris", "Genea - Paris")

According to this expression, when the user's city is set to 'Berlin' in Microsoft Entra, the 'Genea - Berlin' Home Location is assigned to that user in the Genea web application.

If no city is set or if it is removed from the user's profile, the assigned Home Location will be removed.

Notes:

  1. If the location name has been changed in Genea, you must update the expression in Microsoft Entra.

  2. If a new location is added in Genea, you must update the existing expression with the new location in Microsoft Entra.
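To see exactly what the expression above does for each user, and to catch the two maintenance cases in the Notes, here is an added Python illustration written for this article (not Genea's or Microsoft's code). It parses a Switch() expression whose source is a single attribute and whose arguments are string literals, evaluates it against a user's attributes, and compares the expression's target values with a constructed list of Genea locations. It assumes, consistent with the text, that a missing or empty city falls through to the default, that the default "None" means no Home Location, and that key matching is exact and case-sensitive.

```python
"""Added illustration: a small evaluator for the Entra Switch() expression the
article uses for Home Location, plus a coverage check for the two Notes above.
The parser and the sample Genea location list are constructed for this
example; they are not Genea's or Microsoft's code."""
from __future__ import annotations

import re

# Entra expression syntax: Switch(source, defaultValue, key1, value1, key2, value2, ...)
_SWITCH = re.compile(r'^\s*Switch\(\s*\[(\w+)\]\s*,(.*)\)\s*$', re.S)
_STRING = re.compile(r'"([^"]*)"')


def parse_switch(expression: str) -> tuple[str, str, dict[str, str]]:
    """Return (source attribute, default value, {key: value}) for a Switch()
    whose source is a bare attribute reference and whose arguments are string literals."""
    m = _SWITCH.match(expression)
    if not m:
        raise ValueError("not a Switch([attribute], ...) expression")
    attribute, rest = m.group(1), m.group(2)
    literals = _STRING.findall(rest)
    if len(literals) < 1 or len(literals[1:]) % 2:
        raise ValueError("Switch needs a default followed by key/value pairs")
    default, pairs = literals[0], literals[1:]
    return attribute, default, dict(zip(pairs[::2], pairs[1::2]))


def home_location(expression: str, user: dict) -> str | None:
    """Evaluate the expression for one user's attributes.

    A missing or empty source attribute falls through to the default, and the
    article's default "None" is taken to mean 'clear the assignment' (assumption
    consistent with the text).  Key matching is exact and case-sensitive.
    """
    attribute, default, table = parse_switch(expression)
    result = table.get(user.get(attribute) or "", default)
    return None if result == "None" else result


def coverage_report(expression: str, genea_locations: set[str]) -> dict[str, set[str]]:
    """Cross-check the expression against the locations that exist in Genea:
    'stale' values are in the expression but no longer in Genea (renamed or
    removed, Note 1); 'unmapped' locations exist in Genea but no Entra value
    selects them (newly added, Note 2)."""
    _, _, table = parse_switch(expression)
    targets = set(table.values())
    return {"stale": targets - genea_locations, "unmapped": genea_locations - targets}


# The article's expression, verbatim.
EXPRESSION = ('Switch([city], "None", "Berlin", "Genea - Berlin", '
              '"Netherlands", "Genea - Netherlands", "Paris", "Genea - Paris")')

# Constructed location list: "Genea - Paris" has been renamed and "Genea - Rome" added.
SAMPLE_LOCATIONS = {"Genea - Berlin", "Genea - Netherlands", "Genea - Paris HQ", "Genea - Rome"}

if __name__ == "__main__":
    print(home_location(EXPRESSION, {"city": "Berlin"}))
    print(home_location(EXPRESSION, {}))
    print(coverage_report(EXPRESSION, SAMPLE_LOCATIONS))
```

Run against the constructed location list, the report flags "Genea - Paris" as stale (the expression still names a location Genea no longer has) and "Genea - Paris HQ" and "Genea - Rome" as unmapped, which is exactly the situation Notes 1 and 2 tell you to fix in the Entra expression.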

Limitations of on-demand provisioning:

  1. On-demand provisioning of groups and roles isn't supported. You can select one user at a time and test your integration with other applications.

  2. On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Microsoft Entra ID. Those users won't appear when you search for a user.

For more details, please refer to this document from Microsoft Entra.

If you have any questions about the Genea Access Control + Microsoft Entra ID Integration, please reach out to Genea Support at acsupport@getgenea.com.
