User Provisioning-Azure Active Directory
User Provisioning Azure Active Directory (AAD) replaces the AAD User Source. It uses the SCIM protocol to automatically create and update user and group objects sourced from Azure AD in Ivanti Neurons for MDM, and it supports partial user and group sync: Ivanti Neurons for MDM administrators can sync either the entire directory service or only specific user and group objects. As with the earlier Azure AD integration, provisioning is automated: changes made to a user or group in Azure AD are reflected in Ivanti Neurons for MDM. The most important difference is that User Provisioning Azure AD allows specific users and groups to be provisioned, which gives administrators tighter control over which users and groups are added, updated, and disabled in Ivanti Neurons for MDM. The User Provisioning Azure AD page in the Ivanti Neurons for MDM administrative portal displays the workflow stages of the migration of users and user groups from Azure AD to Ivanti Neurons for MDM.
Because the username value is unique in Ivanti Neurons for MDM, the User Principal Name attribute cannot be updated in Azure AD once the user has been provisioned.
This section contains the following topics:
- Generate a token from the Ivanti Neurons for MDM
- Establish the connection between Azure AD and Ivanti Neurons for MDM
- Provision assigned users and groups
- Provision all users and groups
- Verify the provisioning of a group
Generate a token from the Ivanti Neurons for MDM
To start User Provisioning Azure AD, generate a token and the target URL from Ivanti Neurons for MDM.
Ensure that you save the token and the target URL.
A maximum of 2 tokens can be generated at any time.
Procedure
- Log in to the Ivanti Neurons for MDM administrative portal.
- Go to Admin > Identity > User Provisioning.
- From the Choose Identity Provider (IdP) drop-down list select Azure AD.
- To generate a new token, click Generate. A notification message appears; click Generate again. A new page opens with the details of the Token and the Target SCIM URL.
- Click Copy to copy either the token or the SCIM URL.
- Refresh the page. The User Provisioning Azure AD page displays the Token Status table.
Change the Token Status from Ivanti Neurons for MDM
You can change the state of an existing token.
Procedure
- On the User Provisioning Azure AD page, click the Select drop-down menu next to the token.
- Choose one of the following actions to change the token:
- Set to Active
- Set to Inactive
- Renew
- Remove
View the Token Status from Audit Trails
You can view the logs of actions and events that took place on a SCIM token from the Audit Trails section. The SCIM token can have one of the following statuses:
- SCIM Token Created - A SCIM token has been created.
- SCIM Token Enabled - The SCIM token has been enabled.
- SCIM Token Disabled - The SCIM token has been disabled.
- SCIM Token Renewed - The SCIM token has been renewed.
- SCIM Token Deleted - The SCIM token has been deleted.
The DETAILS column also lists the SCIM vendor name (IdP), such as Azure or Okta, which makes it easy to identify which IdP is communicating with Ivanti Neurons for MDM.
Establish the connection between Azure AD and Ivanti Neurons for MDM
After you create the users and groups on your Azure AD Enterprise application, you can establish the connection between Azure AD and Ivanti Neurons for MDM.
Migration considerations
- When migrating from AAD User Source to User Provisioning Azure AD (SCIM), select Sync All Users and Groups.
- After users and groups have been updated from the SCIM AAD source, return to the Provisioning page in Azure and set the specific users and groups to be managed by User Provisioning Azure AD using the Sync only assigned users and groups option.
- When the sync is complete, you can remove the users and groups that are not defined in Azure from the Ivanti Neurons for MDM Users and Groups lists.
- When the migration starts, the AAD User Source page is accessible in a read-only state.
Procedure
- Log in to the Azure AD portal.
- Go to Enterprise Applications and click + Create your own application. The Create your own application window opens.
- Specify the name of your app (for example, Ivanti Neurons for MDM User Provisioning), keep the default option (Non-gallery), and click Create.
- Go to Provisioning > Edit provisioning > Admin Credentials.
- Copy and paste the Target SCIM URL from the Ivanti Neurons for MDM admin portal in the Tenant URL field in the Azure AD portal.
- Copy and paste the Token from the Ivanti Neurons for MDM in the Secret Token field in the Azure AD portal.
- Perform one of the following steps:
- Select Sync only assigned users and groups. For more information, see Provision assigned users and groups.
- Select Sync all users and groups. For more information, see Provision all users and groups.
Select the Sync All Users and Groups option when migrating users.
- Click Test Connection. A pop-up with a green check confirms the connection.
- Click Save.
Procedure
- Expand Mappings from the Provisioning page on the Azure AD portal.
- Click Provision Azure Active Directory Users. The Attribute Mapping page opens.
- Click Delete against the unsupported attributes.
Provision assigned users and groups
After the connection is established between Azure AD and Ivanti Neurons for MDM, you can provision users or groups.
When provisioning groups, Azure AD does not add members of nested groups to the selected group. During the sync process Azure AD adds only the immediate members and the names of the nested groups to the group, not the members of those subgroups.
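The nested-group caveat above, shown as an added example (not Ivanti or Microsoft code) on a constructed directory: it contrasts the direct members Azure AD sends for an assigned group with the flattened membership an administrator might expect, and lists who would be missed. The group names, user addresses and the member "type" labelling are assumptions made for illustration.

```python
from typing import Dict, List, Set

# Constructed sample directory (not real tenant data): each group lists its
# direct user members and its directly nested groups. Sales-UK nests All-Sales
# again so the flattening routine has to tolerate a membership cycle.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "All-Sales": {"users": ["alice@example.com"],
                  "groups": ["Sales-EMEA", "Sales-APAC"]},
    "Sales-EMEA": {"users": ["bob@example.com"], "groups": ["Sales-UK"]},
    "Sales-UK": {"users": ["carol@example.com"], "groups": ["All-Sales"]},
    "Sales-APAC": {"users": ["dave@example.com"], "groups": []},
}


def immediate_members(directory: Dict, group: str) -> Set[str]:
    """Users Azure AD actually sends for the assigned group: direct user
    members only; nested groups are referenced by name, never expanded."""
    return set(directory[group]["users"])


def transitive_members(directory: Dict, group: str) -> Set[str]:
    """Users an admin might expect if nesting were flattened (cycle-safe)."""
    seen: Set[str] = set()
    users: Set[str] = set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        users.update(directory[current]["users"])
        stack.extend(directory[current]["groups"])
    return users


def missing_after_sync(directory: Dict, group: str) -> Set[str]:
    """Users reachable only through a subgroup: they will not land in the
    Ivanti group unless they or their subgroup are assigned separately."""
    return transitive_members(directory, group) - immediate_members(directory, group)


def scim_group_members(directory: Dict, group: str) -> List[Dict[str, str]]:
    """SCIM Group 'members' array (RFC 7643 shape) as Azure AD would populate
    it for the assigned group. Values here are the constructed names; a real
    tenant sends SCIM resource ids."""
    entry = directory[group]
    members = [{"value": u, "type": "User"} for u in entry["users"]]
    members += [{"value": g, "type": "Group"} for g in entry["groups"]]
    return members
```

Running missing_after_sync over each assigned group before starting provisioning tells you which subgroups must be assigned directly so that no user is silently left out of the Ivanti group.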
Procedure
- Log in to the Ivanti Neurons for MDM administrative portal.
- In the application, go to Users and groups and click + Add User/Group. The Add Assignment page opens.
- Search for the user or group from the Search field, click Select, and then Assign. The Users and Groups page opens.
- Select the corresponding user or group checkbox.
- Click Provisioning and then click Start Provisioning. The details of the successful configuration are displayed.
Provision all users and groups
After the connection is established between Azure AD and Ivanti Neurons for MDM, you can provision users or groups.
Procedure
- Click Provisioning and then click Start Provisioning. A page opens with the details of the successful provisioning, and the users are provisioned to Ivanti Neurons for MDM.
Verify the provisioning of an assigned user
After an assigned user is provisioned on the Azure AD portal, verify the provisioning on the Ivanti Neurons for MDM administrative portal.
Procedure
- Log in to the Ivanti Neurons for MDM administrative portal.
- Go to the Users tab under the main menu. The user that was provisioned appears in the list of users on this page.
The provisioning process may take up to an hour.
Verify the provisioning of a group
After a group is provisioned on the Azure AD portal, verify the provisioning on Ivanti Neurons for MDM.
Procedure
- Log in to the Ivanti Neurons for MDM administrative portal.
- Go to the Users tab > User groups. The group that was provisioned appears in the list of groups on this page.
The provisioning process may take up to an hour.
Edit Settings
This topic helps you configure the Azure Active Directory settings.
Procedure
- Go to Admin > Microsoft Azure > User Provisioning Azure AD.
- Click Generate Token and copy the token.
- Refresh the page. The AAD Settings page opens.
- Click Edit Settings.
- Set Automatically invite users imported from AAD - Manage whether users imported from AAD to Ivanti Neurons for MDM are automatically invited to register via email.
- Set Managed Apple ID - This option is disabled by default. Click the toggle button to turn it ON and sync Managed Apple ID for the AAD users.
- User email address
- (Optional) select the Include "appleid" subdomain option to avoid conflict with existing Apple IDs.
- (Optional) Click Add Custom Attribute - Specify custom user attributes from your directory service that you want to apply to device management. Each attribute can then be referenced as ${attributeName} in configuration fields that support variables. This option requires the custom attributes to be implemented consistently across all AAD servers; if an AAD server in your implementation does not use an attribute, features that depend on it might not work as expected. The Attribute Type column in the Custom Attributes table of the Edit Settings section displays IDP attribute for these entries.
- Click Save Changes after modifying the AAD settings.