Provision Users and Groups from Azure AD
Secure Access supports the provisioning of users and groups from Azure Active Directory (Azure AD). With your Secure Access System for Cross-domain Identity Management (SCIM) token, configure the Cisco User Management for Secure Access app on the Azure portal. Once you add users and groups in the app, Azure begins to exchange the user and group information with Secure Access.
Note: You do not need to deploy an on-premises Secure Access Active Directory (AD) Connector.
Table of Contents
- Prerequisites
- Limitations
- Procedure
- Configure the Cisco User Management for Secure Access App
- View Provisioned Users and Groups in Secure Access
- Refresh SCIM Token
Prerequisites
- Full Admin user role. For more information, see Manage Accounts.
- A valid Azure AD subscription with a premium Azure AD license.
- No concurrent provisioning of the same user or group identities from on-premises AD and Azure AD. If you are using the on-premises Secure Access AD Connector to import users and groups and choose to import the same users and groups from Azure, ensure that the on-premises Secure Access AD connector is switched off or that the OpenDNS Connector service on the connector machine is stopped.
- For IP-to-user mapping deployments, you must use an on-premises Secure Access AD connector. Azure does not store the private IP to AD user mappings.
- Import the ObjectGUID attribute from Azure AD to Secure Access. The on-premises Secure Access AD Connector and Cisco Secure Client rely on the ObjectGUID attribute for user identification. If all of your endpoints are running the Cisco Secure Client, you do not have to import the ObjectGUID attribute from Azure.
  - Before you set up the import of the ObjectGUID attribute, ensure that the on-premises Secure Access AD Connector that is synchronizing these identities is switched off or that the OpenDNS Connector service on the connector machine is stopped.
  - To ensure that the ObjectGUID attribute for users is synchronized from Azure AD to Secure Access, your endpoints must authenticate against on-premises AD and run the Cisco Secure Client. For more information about importing the ObjectGUID attribute for users, see Tutorial: Configure Cisco Secure Access User Management for automatic user provisioning.
- If you previously configured a policy against groups imported from on-premises AD, and then chose to import the same groups from Azure, you must reconfigure the policy to map it to the Azure groups instead of the on-premises AD groups. In a policy, on-premises AD group names display with the domain name preceding the group name (for example: Domain1\ADGroup1). For Azure, only group names are displayed on the policy page (for example: ADGroup1).
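The policy remapping described in the last prerequisite can be planned before the switch. The following is an added example, not Cisco code: it assumes you have a list of the on-premises group names referenced by your policies and the set of group names provisioned from Azure (both constructed here), and it goes one step beyond the page by flagging short names shared by more than one domain, since the Azure name carries no domain prefix.

```python
from collections import defaultdict

# Constructed sample data: group names as a policy shows them for on-premises AD
# (Domain\Group) and the names of groups provisioned from Azure (no domain).
SAMPLE_POLICY_GROUPS = [
    "Domain1\\ADGroup1", "Domain1\\Sales", "Domain2\\Sales", "Domain1\\Legacy",
]
SAMPLE_AZURE_GROUPS = {"ADGroup1", "Sales"}


def plan_remap(policy_groups, azure_groups):
    """Return (remap, missing, ambiguous) for a move from AD to Azure groups.

    remap:     on-prem name -> Azure name, safe to apply as-is
    missing:   on-prem names with no Azure group of the same short name
    ambiguous: Azure name -> several on-prem names that collapse onto it
    Matching is exact on the short name (an assumption of this example).
    """
    by_short = defaultdict(list)
    for ref in policy_groups:
        _domain, sep, short = ref.partition("\\")
        by_short[short if sep else ref].append(ref)

    remap, missing, ambiguous = {}, [], {}
    for short, refs in sorted(by_short.items()):
        if short not in azure_groups:
            missing.extend(refs)          # policy would lose this group
        elif len(refs) > 1:
            ambiguous[short] = refs       # review by hand before remapping
        else:
            remap[refs[0]] = short
    return remap, missing, ambiguous


if __name__ == "__main__":
    remap, missing, ambiguous = plan_remap(SAMPLE_POLICY_GROUPS, SAMPLE_AZURE_GROUPS)
    print("remap:", remap)
    print("missing in Azure:", missing)
    print("needs review:", ambiguous)
```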
Limitations
- You can provision up to 200 groups from Azure to Secure Access. You can provision an unlimited number of users from Azure.
- Concurrent synchronization of the same users and groups from the Secure Access AD Connector and the Cisco Secure Access Azure app is not supported and leads to inconsistent policy enforcement.
- To ensure that all users are provisioned, create a dynamic All Users group and assign this group to the Cisco Secure Access app. For more information, see Dynamic Membership Rules for Groups in Azure Active Directory. You can assign additional groups as required for group-based policy rule enforcement.
- Provisioning large numbers of users and groups to Secure Access may take several hours.
- Azure does not support nested group memberships for group-based assignment to any SaaS application.
- After the initial provisioning of users and groups, Azure synchronizes changes to Secure Access every 40 minutes. Synchronization of updates to identities from Azure to Secure Access may take up to one hour.
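The limitations above can be checked against a planned app assignment before provisioning starts. The following is an added example, not Cisco or Microsoft code: the input structure, names and sample data are assumptions constructed for illustration (for instance, built from your own export of the groups you intend to assign).

```python
MAX_GROUPS = 200  # group limit stated in the limitations above

# Constructed sample: groups planned for assignment to the app, each with its
# direct members as (member_type, name), and the users expected in Secure Access.
SAMPLE_ASSIGNED = {
    "All Users": [("user", "alice@example.com"), ("user", "bob@example.com")],
    "Engineering": [("user", "alice@example.com"), ("group", "Contractors")],
}
SAMPLE_TENANT_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}


def preflight(assigned_groups, tenant_users):
    """Return a list of (kind, detail) findings for a planned assignment."""
    findings = []
    if len(assigned_groups) > MAX_GROUPS:
        findings.append(("group_limit",
                         f"{len(assigned_groups)} groups assigned, limit is {MAX_GROUPS}"))

    covered = set()
    for name, members in sorted(assigned_groups.items()):
        for member_type, member in members:
            if member_type == "user":
                covered.add(member)
            elif member_type == "group":
                # Nested membership is not followed for group-based assignment,
                # so users reachable only through the nested group are not covered.
                findings.append(("nested_group",
                                 f"{member} is nested in {name}; assign it directly"))

    uncovered = sorted(set(tenant_users) - covered)
    if uncovered:
        # The page's remedy: a dynamic All Users group assigned to the app.
        findings.append(("uncovered_users", ", ".join(uncovered)))
    return findings


if __name__ == "__main__":
    for kind, detail in preflight(SAMPLE_ASSIGNED, SAMPLE_TENANT_USERS):
        print(f"{kind}: {detail}")
```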
Procedure
- Navigate to Connect > Users and Groups > Configuration Management > Provision Users and Groups > Identity provider (IDP).
- Under Choose Identity Provider, select Azure from the drop-down menu, and click Next.
- Click Generate Token.
- Copy and save your generated token.
- Copy and save the Azure Active Directory Provisioning URL, [https://api.umbrella.com/identity/v2/scim](https://api.sse.cisco.com/identity/v2/scim).
Note: We recommend that you refresh your token at least once every 180 days. To ensure that provisioning of users and groups is not impacted, immediately copy your new token to the Cisco Umbrella app in the Azure AD portal.
Configure the Cisco User Management for Secure Access App
With your Secure Access SCIM token and API Identity URL, set up the Cisco Secure Access app in Azure AD and provision users and groups. For more information, see Tutorial: Configure Cisco Secure Access User Management for automatic user provisioning.
- Navigate to the Cisco User Management for Secure Access app in Azure AD.

- On the Provisioning page, complete the following fields:
  - In the Secret Token field, add your Secure Access SCIM API token.
  - In the Tenant URL field, add the Secure Access API Identity URL.
- Click Test Connection to confirm that you can use your Secure Access SCIM token to connect the Secure Access API with Azure AD.

View Users and Groups Provisioned from Azure
- In Secure Access, navigate to Connect > Users and Groups.
- See View User Details
- See View Group Details
Refresh the SCIM Token
Refreshing the SCIM token is the responsibility of the administrator. We recommend that you refresh the token at least once every 180 days. When you refresh it, copy the new token to the Cisco Secure Access app on Azure immediately so that provisioning is not impacted.
Updated 7 months ago