Provision Users and Groups from Microsoft Entra ID
Secure Access supports the provisioning of users and groups from Microsoft Entra ID (formerly Azure Active Directory).
With your Secure Access System for Cross-domain Identity Management (SCIM) token, configure the Cisco User Management for Secure Access app on the Azure portal. When you add users and groups in the app, Microsoft Entra ID exchanges user and group information with Secure Access.
Note: You do not need to deploy an on-premises Secure Access Active Directory (AD) Connector.
Table of Contents
- Prerequisites
- Limitations
- Procedure
- View Provisioned Users and Groups in Secure Access
- Refresh SCIM Token
Prerequisites
- Full Admin user role. For more information, see Manage Accounts.
- A valid Microsoft Entra ID subscription with a premium Azure AD license.
- Add the IdP in Secure Access and generate a valid SCIM token. For more information, see Add an Identity Provider.
- No concurrent provisioning of the same user or group identities from on-premises AD and Microsoft Entra ID. If you are using the on-premises Secure Access AD Connector to import users and groups and choose to import the same users and groups from Microsoft Entra ID, ensure that the on-premises Secure Access AD connector is switched off or that the OpenDNS Connector service on the connector machine is stopped.
- For IP-to-user mapping deployments, you must use an on-premises Secure Access AD Connector. Microsoft Entra ID does not store private IP address to AD user mappings.
- Import the ObjectGUID attribute from Azure AD to Secure Access. The on-premises Secure Access AD Connector and Cisco Secure Client rely on the ObjectGUID attribute for user identification. If all of your endpoints are running the Cisco Secure Client, you do not have to import the ObjectGUID attribute from Azure.
  - Before you set up the import of the ObjectGUID attribute, ensure that the on-premises Secure Access AD Connector that is synchronizing these identities is switched off or that the OpenDNS Connector service on the connector machine is stopped.
  - To ensure that the ObjectGUID attribute for users is synchronized from Microsoft Entra ID to Secure Access, your endpoints must authenticate against on-premises AD and run the Cisco Secure Client. For more information about importing the ObjectGUID attribute for users, see Tutorial: Configure Cisco Secure Access User Management for automatic user provisioning.
- If you previously configured a policy against groups imported from on-premises AD, and then choose to import the same groups from Microsoft Entra ID, you must reconfigure the policy to map it to the Microsoft Entra ID groups instead of the on-premises AD groups. In a policy, on-premises AD group names are displayed with the domain name preceding the group name, for example: Domain1\ADGroup1. For Microsoft Entra ID, only group names are displayed on the policy page, for example: ADGroup1.
Limitations
- You can provision a maximum of 200 groups from Microsoft Entra ID to Secure Access. Secure Access supports the provisioning of an unlimited number of users from Microsoft Entra ID.
- Concurrent synchronization of the same users and groups from the Secure Access AD Connector and the Cisco User Management for Secure Access app is not supported and leads to inconsistent policy enforcement.
- To ensure that all users are provisioned, create a dynamic All Users group and assign this group to the Cisco User Management for Secure Access app. For more information, see Dynamic Membership Rules for Groups in Azure Active Directory. You can assign additional groups as required for group-based policy rule enforcement.
- Provisioning large numbers of users and groups to Secure Access may take several hours.
- Azure does not support nested group memberships for group-based assignment to any SaaS application.
- After the initial provisioning of users and groups, Microsoft Entra ID synchronizes changes to Secure Access once every 40 minutes. Synchronization of updates to identities from Microsoft Entra ID to Secure Access may take up to one hour.
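Two of the points above are easy to get wrong when a policy is moved from on-premises AD groups to Microsoft Entra ID groups: the policy page shows on-premises groups as Domain1\ADGroup1 but Entra ID groups only as ADGroup1, and at most 200 groups can be provisioned from Entra ID. The following script is an added example, not part of Secure Access or its API; it works on a constructed stand-in for a policy (a list of rules, each naming the groups it applies to), rewrites the group references to the bare Entra ID names, and flags the two conditions an administrator should review before re-mapping the policy: on-premises groups from different domains that collapse onto one Entra ID display name, and a group count above the provisioning limit.

```python
"""Pre-check for re-mapping a policy from on-premises AD groups to Entra ID groups.

Added example; the policy structure below is constructed for illustration and is
not the Secure Access policy format.
"""
from collections import defaultdict

MAX_ENTRA_GROUPS = 200  # provisioning limit for groups from Microsoft Entra ID


def to_entra_name(group_ref: str) -> str:
    """Strip the DOMAIN\\ prefix that an on-premises AD group carries in a policy.

    'Domain1\\ADGroup1' -> 'ADGroup1'; a name without a prefix is returned unchanged.
    """
    _domain, sep, name = group_ref.rpartition("\\")
    return name if sep else group_ref


def plan_migration(rules):
    """Return (rewritten_rules, warnings) for a policy that references AD groups.

    rules: list of dicts with a 'groups' list of on-premises group references.
    """
    rewritten = []
    sources = defaultdict(set)  # Entra ID name -> on-premises refs that map onto it
    for rule in rules:
        bare_names = []
        for ref in rule["groups"]:
            bare = to_entra_name(ref)
            sources[bare].add(ref)
            bare_names.append(bare)
        rewritten.append({**rule, "groups": sorted(set(bare_names))})

    warnings = []
    for bare, refs in sorted(sources.items()):
        if len(refs) > 1:
            # The policy page shows only the group name for Entra ID groups, so
            # two on-premises groups with the same name become indistinguishable.
            warnings.append(
                f"ambiguous: {sorted(refs)} all map to Entra ID group '{bare}'; "
                "confirm which Entra ID group the rule should target"
            )
    if len(sources) > MAX_ENTRA_GROUPS:
        warnings.append(
            f"too-many-groups: {len(sources)} groups referenced, but at most "
            f"{MAX_ENTRA_GROUPS} groups can be provisioned from Entra ID"
        )
    return rewritten, warnings


# Constructed sample policy: two domains each have a group called 'Finance'.
SAMPLE_RULES = [
    {"name": "Block social media", "groups": ["Domain1\\Contractors"]},
    {"name": "Allow finance apps", "groups": ["Domain1\\Finance", "Domain2\\Finance"]},
    {"name": "Default web policy", "groups": ["Domain1\\Finance"]},
]

if __name__ == "__main__":
    new_rules, notes = plan_migration(SAMPLE_RULES)
    for rule in new_rules:
        print(rule["name"], "->", rule["groups"])
    for note in notes:
        print("WARNING", note)
```

Run the script as-is to see the sample policy rewritten; feed it an export of your own rules (after adapting the field names) to get the list of ambiguous mappings before you edit the policy in Secure Access.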
Procedure
Configure the Cisco User Management for Secure Access App.
Configure Provisioning in Microsoft Entra ID
With your Secure Access SCIM token and API Identity URL, set up the Cisco User Management for Secure Access app in Microsoft Entra ID and provision users and groups. For more information, see Tutorial: Configure Cisco Secure Access User Management for automatic user provisioning.
- In Azure AD, navigate to the Cisco User Management for Secure Access app.
- Add your Secure Access SCIM API token to the Secret Token field.
- Add the Secure Access API Identity URL to the Tenant URL field.
- Click Test Connection to confirm that you can use your Secure Access SCIM token to connect the Secure Access API with Microsoft Entra ID.
View Provisioned Users and Groups in Secure Access
- Navigate to Connect > Users and Groups.
- See View User Details
- See View Group Details
Refresh SCIM Token
Refreshing the SCIM token is the responsibility of the administrator. Secure Access does not perform this action. We recommend that you refresh the SCIM token at least once every 180 days. Each time you do, copy the new token immediately to the Cisco Secure Access app on Azure so that provisioning is not impacted.