Provision Users and Groups from Azure

Cisco Secure Access supports the provisioning of users and groups from Azure Active Directory (Azure AD). With your Secure Access System for Cross-domain Identity Management (SCIM) token, configure the Cisco User Management for Secure Access app on the Azure portal. Once you add users and groups in the app, Azure begins to exchange the user and group information with Secure Access.

Note: You do not need to deploy an on-premises Secure Access Active Directory (AD) Connector.

Prerequisites

  • Full Admin user role. For more information, see Manage Accounts.
  • A valid Azure AD subscription with a premium Azure AD license.
  • No concurrent provisioning of the same user or group identities from on-premises AD and Azure AD. If you are using the on-premises Secure Access AD Connector to import users and groups and choose to import the same users and groups from Azure, ensure that the on-premises Secure Access AD connector is switched off or that the OpenDNS Connector service on the connector machine is stopped.
  • For IP-to-user mapping deployments, you must use an on-premises Secure Access AD connector. Azure AD does not store the mappings between private IP addresses and AD users.
  • Import the ObjectGUID attribute from Azure AD to Secure Access. The on-premises Secure Access AD Connector and Cisco Secure Client rely on the ObjectGUID attribute for user identification. If all of your endpoints are running the Cisco Secure Client, you do not have to import the ObjectGUID attribute from Azure.
    • Before you set up the import of the ObjectGUID attribute, ensure that the on-premises Secure Access AD Connector that is synchronizing these identities is switched off or that the OpenDNS Connector service on the connector machine is stopped.
    • To ensure that the ObjectGUID attribute for users is synchronized from Azure AD to Secure Access, your endpoints must authenticate against on-premises AD and run the Cisco Secure Client.
  • If you previously configured a policy against groups imported from on-premises AD, and then choose to import the same groups from Azure, you must reconfigure the policy to map it to the Azure groups instead of the on-premises AD groups. In a policy, on-premises AD group names are displayed with the domain name preceding the group name, for example: Domain1\ADGroup1. For Azure, only group names are displayed on the policy page, for example: ADGroup1.


Limitations

  • You can provision no more than 200 groups from Azure to Secure Access. Secure Access supports the provisioning of an unlimited number of users from Azure.
  • Concurrent synchronization of the same users and groups from the Secure Access AD Connector and the Cisco Secure Access Azure app is not supported and leads to inconsistent policy enforcement.
  • To ensure that all users are provisioned, create a dynamic All Users group and assign this group to the Cisco Secure Access app. For more information, see Dynamic Membership Rules for Groups in Azure Active Directory. You can assign additional groups as required for group-based policy rule enforcement.
  • Provisioning large numbers of users and groups to Secure Access may take several hours.
  • Azure does not support nested group memberships for group-based assignment to any SaaS application.
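The policy remapping described under Prerequisites (on-premises groups appear as `Domain1\ADGroup1`, Azure groups as `ADGroup1`) and the 200-group limit above can be pre-checked before switching a policy over. The following is an added example, not Cisco code or a Secure Access API; the group names and the policy list are constructed sample data, and it assumes you can export the group references a policy uses and the list of groups assigned to the Azure app.

```python
from dataclasses import dataclass, field

AZURE_GROUP_LIMIT = 200  # Secure Access accepts at most 200 groups from Azure


@dataclass
class MigrationReport:
    mapping: dict = field(default_factory=dict)     # on-prem reference -> Azure group name
    collisions: dict = field(default_factory=dict)  # Azure name -> on-prem references that collapse onto it
    missing: list = field(default_factory=list)     # Azure names the policy needs but the app does not assign
    over_limit: bool = False                        # more than AZURE_GROUP_LIMIT groups assigned


def azure_name(group_ref: str) -> str:
    """Strip the on-prem 'Domain\\Group' prefix; Azure-provisioned groups show only the group name."""
    return group_ref.rsplit("\\", 1)[-1]


def check_policy_migration(policy_groups, azure_assigned_groups) -> MigrationReport:
    """Report how on-prem policy group references map to Azure group names and what needs attention."""
    report = MigrationReport()
    by_name = {}
    for ref in policy_groups:
        name = azure_name(ref)
        report.mapping[ref] = name
        by_name.setdefault(name, []).append(ref)
    # Groups with the same name from different domains become one Azure name: the policy
    # would no longer distinguish them, so flag them for manual review.
    report.collisions = {n: refs for n, refs in by_name.items() if len(refs) > 1}
    assigned = set(azure_assigned_groups)
    report.missing = sorted(n for n in by_name if n not in assigned)
    report.over_limit = len(assigned) > AZURE_GROUP_LIMIT
    return report


# Constructed sample data (hypothetical policy and app assignment)
SAMPLE_POLICY_GROUPS = ["Domain1\\ADGroup1", "Domain2\\ADGroup1", "Domain1\\Finance", "Domain1\\Engineering"]
SAMPLE_AZURE_GROUPS = ["ADGroup1", "Finance", "All Users"]

if __name__ == "__main__":
    r = check_policy_migration(SAMPLE_POLICY_GROUPS, SAMPLE_AZURE_GROUPS)
    print("mapping:   ", r.mapping)
    print("collisions:", r.collisions)   # {'ADGroup1': ['Domain1\\ADGroup1', 'Domain2\\ADGroup1']}
    print("missing:   ", r.missing)      # ['Engineering']
    print("over limit:", r.over_limit)   # False
```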

Configure the Cisco User Management for Secure Access App

With your Secure Access SCIM token and API Identity URL, set up the Cisco Secure Access app in Azure AD and provision users and groups. For more information, see Tutorial: Configure Cisco Secure Access User Management for automatic user provisioning.

  1. Navigate to the Cisco User Management for Secure Access app in Azure AD.
  2. Add your Secure Access SCIM API token to the Secret Token field.
  3. Add the Secure Access API Identity URL to the Tenant URL field.
  4. Click Test Connection to confirm that you can use your Secure Access SCIM token to connect the Secure Access API with Azure AD.

View Provisioned Users and Groups in Secure Access

  1. Navigate to Connect > Users and Groups to view the users and groups provisioned from Azure.
    1. See View User Details
    2. See View Group Details

Refresh SCIM Token

Secure Access recommends that you refresh the SCIM token at least once every 180 days. Refresh the token in Secure Access and immediately copy the new token to the Cisco Secure Access app on Azure so that provisioning is not impacted. Refreshing the SCIM token is the full responsibility of the administrator. Secure Access does not perform this action.
