Integrations: Set up SCIM with Microsoft Entra AD (fka Microsoft Azure AD)

Your AD integration with HiThrive allows you to automatically configure AD to send user profile updates to HiThrive using SCIM.

The supported features include:

1. Create Users: When a user is created or activated in AD, they will automatically be created or reactivated in HiThrive.
2. Update User Attributes: When a user attribute is changed in AD, the corresponding user profile in HiThrive will automatically be updated.
3. Deactivate Users: When a user is deactivated or disabled in AD, the corresponding user in HiThrive will automatically be deactivated.

Before you start

As this is a custom integration, there are limitations such as some fields will not be synced or that we will need extra steps in order to create a connection: 

• HiThrive's SCIM API does not yet support SCIM Groups, SCIM Bulk Updates, Azure patch or filter options in attribute mapping.
• In order to map the manager field, follow these steps.
• Some default attributes contain filters and will need to be removed. 
• Learn more about known issues for application provisioning in Azure Active Directory

Create a Custom Enterprise Application in AD

1. In Azure portal, go to Azure Active Directory.
2. On the left panel, go to Enterprise applications > All applications > click New application. 
3. Click + Create your own application.
4. Enter the name of your app (i.e. HiThrive SCIM).
5. Under What are you looking to do with your application, select Integrate any other application you don't find in the gallery (Non-gallery).
6. Select Create. 
7. Under Getting Started, follow step 1. Assign users and groups

Enable provisioning for the custom HiThrive SCIM application

Once user and group records have been assigned to the custom HiThrive SCIM application, you can proceed to provision user accounts. 

1. While still on your custom HiThrive application page, navigate to Provisioning > click Get started.
2. Click on the Provisioning Mode dropdown and select the desired option. 
   
   • Automatic (recommended): User and group entities are pushed to HiThrive every 45 minutes
3. Enter the following HiThrive SCIM API details:
   • Navigate to HiThrive Admin Portal – SSO
   • Copy SCIM Provisioning Endpoint URL
   • Copy Secret SCIM Token
4. Select Test Connection to ensure the credentials are authorized to enable provisioning.
5. After receiving a successful test, select Save.
6. Configure additional Mappings and provisioning Settings. 

Azure SCIM: Mapping user attributes

Note: HiThrive's Azure SCIM integration does not currently support group mapping

1. Navigate back into your custom HiThrive App > go to Provisioning. 
2. Under Manage Provisioning, click Edit attribute mappings.
3. Expand Mappings, depending on how you set up your users in the custom HiThrive app, click Provision Azure Active Directory Users to bring you to the Attribute Mapping page:
4. Complete the following options: 
   • Enable/Disable the source object mapping
   • Under Source Object Scope, set the scoping filters for the object record queries that will be initiated for each provisioning cycle.
   • Under Target Object Actions, select the target object actions in scope for each provisioning cycle (Create/Update/Delete). 
   • Under Attribute Mappings, define how attributes are synchronized between Azure AD and the HiThrive SCIM app.
5. To ensure the Attribute Mappings are aligned to HiThrive attributes, the following fields need to be from the mapped: 

   customappsso Attribute	Microsoft Entra ID Attribute	Matching precedence
   externalId	objectId	1
   active	Switch([IsSoftDeleted], , "False", "True", "True", "False")
   emails[type eq “work”].value	mail
   name.givenName	givenName
   name.familyName	surname
   urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager	manager
   urn:ietf:params:scim:schemas:extension:hithrive:1.0:User:hire_date	employeeHireDate (MUST BE IN YYYY-MM-DD FORMAT)
   urn:ietf:params:scim:schemas:extension:hithrive:1.0:User:birth_date	Must be in YYYY-MM-DD format
   urn:ietf:params:scim:schemas:extension:hithrive:1.0:User:employee_id	employeeId

6. Your attribute mapping should look like the below:
7. Once all custom target attributes for HiThrive attributes have been created and mapped to Azure AD attributes, click Save.

Enable Provisioning

To start the provisioning of identities from Azure into the custom HiThrive App, follow the steps below.

1. Navigate back into your custom HiThrive App > go to Provisioning. 
2. Click Start Provisioning.