How to configure SCIM 2.0 on Azure AD
Blink's SCIM integration allows users to automatically be provisioned and disabled, meaning your joiners and leavers process will be automated.
When you configure SCIM, we will populate in a user's profile:
- First Name
- Last Name
- Primary email
- Job title
- Primary phone
- Mobile phone
Request a token
Configure Azure AD
Please follow the Microsoft guide for enabling SCIM in your Azure AD organisation.
Here is a summary of the steps required.
Create your SCIM app in Azure
- Sign in to the Azure portal
- SCIM is an 'application' that you must enable. Browse to Azure Active Directory > Enterprise Applications, and select New application > All > Non-gallery application
- Enter a name for your application, and click Add to create an app object
- In the resulting screen, select the Provisioning tab in the left column
Connect your SCIM app to Blink
- In the Provisioning Mode menu, select Automatic
- In the Tenant URL field, enter the URL of the Blink SCIM endpoint. This is https://api.joinblink.com/scim
- Copy the Secret Token you've been sent by Blink into the field
- Recommended: Add an email address to be notified when a failure occurs
NB: You might want to ensure SCIM doesn't sync everyone initially. To do this select 'Sync assigned users and groups' (as per the steps in the section below).
Test your connection
- Click the Test Connection button to have Azure Active Directory attempt to connect to the SCIM endpoint. If the attempts fail, error information is displayed
- If the attempts to connect to the application succeed, then click Save to save the admin credentials
How to fully test SCIM provisioning
Now that you have a working connection between your AD and Blink, we can test automatic provisioning of users. To do this we'll create a small test group of user accounts to import. Optionally, you can also test deleting/disabling an account.
- Ensure your SCIM settings are as per above
- Save your settings
- Go to the 'Users and groups' tab
- Add 3-5 users. These user accounts will be created on Blink once you press Save.
- Wait approx 5 minutes. These users will then appear in your Blink admin panel
- Optional: Delete a user in your O365 Admin area. That user will be disabled in Blink.
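For reference when reviewing what the provisioning test sends, the sketch below (an added example, not Blink's or Microsoft's code) builds a SCIM 2.0 User holding only the six profile fields listed above, the PatchOp that disables a leaver, and a check for extra attributes. Attribute names follow the RFC 7643 core User schema; the input record keys, the use of the email as userName, and Blink's actual mapping are assumptions.

```python
import json

# Standard SCIM 2.0 URNs (RFC 7643 / RFC 7644).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Assumption: Blink's real attribute mapping is not documented on this page.


def build_scim_user(rec):
    """Map a directory record to a SCIM User; absent fields are omitted."""
    user = {"schemas": [USER_SCHEMA], "userName": rec["email"], "active": True}
    name = {}
    if rec.get("first_name"):
        name["givenName"] = rec["first_name"]
    if rec.get("last_name"):
        name["familyName"] = rec["last_name"]
    if name:
        user["name"] = name
    user["emails"] = [{"value": rec["email"], "type": "work", "primary": True}]
    if rec.get("job_title"):
        user["title"] = rec["job_title"]
    phones = []
    if rec.get("phone"):
        phones.append({"value": rec["phone"], "type": "work", "primary": True})
    if rec.get("mobile"):
        phones.append({"value": rec["mobile"], "type": "mobile"})
    if phones:
        user["phoneNumbers"] = phones
    return user


def build_disable_patch():
    """PatchOp body a SCIM client sends to disable (not delete) a leaver."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def unexpected_attributes(user):
    """List top-level attributes beyond those needed for the six fields."""
    allowed = {"schemas", "userName", "active", "name", "emails", "title", "phoneNumbers"}
    return sorted(set(user) - allowed)


# Constructed sample record (not real data).
SAMPLE = {"first_name": "Ada", "last_name": "Example", "email": "ada@example.com",
          "job_title": "Engineer", "mobile": "+15550100"}

if __name__ == "__main__":
    print(json.dumps(build_scim_user(SAMPLE), indent=2))
    print(json.dumps(build_disable_patch(), indent=2))
```

Running `unexpected_attributes` over a payload is a quick way to spot an attribute mapping that would send more directory data than the six fields require.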
Enable SCIM for everyone
Once you're happy, you can change your Scope to 'Sync all users and groups'. This will sync all of your users with Blink. Alternatively, you can create an AD group for Blink users, if you don't want everyone to have a Blink account.
A few additional tips:
- If a user has an existing account (email or phone) in another Blink organisation, their account will not be created by SCIM
- SCIM syncs around once every 40 minutes
- SCIM can be slow - it makes one API call per user account, synchronously