To add users from Microsoft Entra ID (formerly Azure Active Directory), Microsoft has developed the SCIM protocol. This allows you to add users (provisioning) to the online academy through matching and automatic synchronization.
In this article, you will find a guide that will take you through the important steps. Please note: for precise information, it's always best to consult the support page of the provider. The provider has developed the software and can provide further assistance.
Setting up the connection
First, log in to the Microsoft 365 Admin Center. Then follow the steps below:
Open Microsoft Entra ID.
Go to Enterprise Applications.
Create a new application.
Choose 'Create your own application'.
Choose a name and select 'Integrate any other application you don't find in the gallery (Non-gallery)'. Then click 'Create'.
Go to your enterprise applications and select the application you just created.
Go to 'Configure'.
Choose 'Get started'.
Select the provisioning mode 'Automatic'.
Enter the 'Tenant URL'. It should be structured as: BaseURL/api/v2/external/scim. You can find the BaseURL in your browser's address bar when you're logged in to your online academy.
Enter the 'Secret Token'. This will be provided by us. Haven't received it yet? Contact support@rakoo.com or your Customer Success Manager.
After filling in the token and Tenant URL, the ‘assignments’ option will appear. Here, you can choose:
Provision Microsoft Entra ID Groups
Provision Microsoft Entra ID Users
By selecting both, you can indicate which fields should be synchronized for these options via the connection. These need to be checked before enabling synchronization. In the following steps we will explain how to check the fields.
Please note! Do not activate the connection yet. First, ensure that the fields are properly matched for Users and optionally Groups.
How does provisioning work?
The data is matched based on certain attributes (Attribute mappings). You can find the attributes in these settings:
Microsoft Entra ID attribute
customappsso attribute
The data flow order through these attributes is as follows: Microsoft Entra ID attribute --> customappsso attribute --> Rakoo fields. The Rakoo fields are not visible in Microsoft Entra ID, but we have added them to the schema below.
Provision Microsoft Entra ID Users
Use this option to send user data from Microsoft Entra ID to the online academy.
Please note: The 'Rakoo field' cannot and does not need to be filled in the SCIM provisioning. It serves as an indication of which of the other fields correspond to what you will see in Rakoo.
Please note: The other fields that appear (by default) in the SCIM provisioning can be ignored. Do not remove them; Rakoo will ignore these fields.
Microsoft Entra ID attribute | customappsso attribute | Rakoo field |
mailNickname* | externalId | User ID |
companyId** (This is fixed in the token and is required for the configuration) | | Automatically filled in by Rakoo. |
company (String value. E.g., 'Company X') | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization | Company |
department* (String value. E.g., 'Department X') | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | Department |
teams (String value, multiple values. E.g., ["team1","team2"]) | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:teams | Team |
userPrincipalName* | userName | email (needs to correspond with 'mail' below) |
mail* | emails[type eq "work"].value | email (only one mail allowed in the list, must match 'userPrincipalName') |
givenName* | name.givenName | First name |
surname* | name.familyName | Last name |
Own attribute*** | name.middleName | Middle name |
preferredLanguage (This is a language code, e.g., en or nl-NL) | preferredLanguage | Language |
jobTitle | title | Function (If the function does not exist in Rakoo, it will be created) |
cost center (String value. E.g., 'administration') | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter | Cost center |
manager | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value | You can assign one manager to a user. Existing managers who have one-on-one access to that user will be disconnected. |
* These fields are mandatory.
** If you want to assign users to multiple companies, you can use the 'company' field to assign different companies to users. If 'company' is not specified, the company included in the SCIM token will be used.
*** Rakoo supports name.middleName, but Microsoft does not create this field by default. You can configure a custom attribute for this purpose. If you don't configure it, the middle name will be appended to the 'Last Name' field in Rakoo.
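The following is an added example, not code from Rakoo or Microsoft: a pre-flight check that maps a user record to the SCIM User fields listed in the table above and reports which of the table's rules it breaks (mandatory fields, exactly one work email, email matching userName, teams as a list of strings). The function names, the 'costCenter' source key and the sample records are constructed for illustration; the exact payload Microsoft Entra ID sends may contain more fields.

```python
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"


def to_scim_user(entra: dict) -> dict:
    """Map an Entra ID record to a SCIM User following the table's middle column."""
    ext = {"department": entra.get("department")}
    # Optional enterprise-extension fields; 'costCenter' as a source key is an assumption.
    for src, dst in (("company", "organization"), ("teams", "teams"), ("costCenter", "costCenter")):
        if entra.get(src):
            ext[dst] = entra[src]
    if entra.get("manager"):
        ext["manager"] = {"value": entra["manager"]}
    user = {
        "schemas": [CORE, ENTERPRISE],
        "externalId": entra.get("mailNickname"),
        "userName": entra.get("userPrincipalName"),
        "name": {"givenName": entra.get("givenName"), "familyName": entra.get("surname")},
        "emails": [{"type": "work", "value": entra["mail"]}] if entra.get("mail") else [],
        ENTERPRISE: ext,
    }
    for src, dst in (("preferredLanguage", "preferredLanguage"), ("jobTitle", "title")):
        if entra.get(src):
            user[dst] = entra[src]
    return user


def check_scim_user(user: dict) -> list:
    """Return the rules from the table that this SCIM User payload violates."""
    name, ext = user.get("name") or {}, user.get(ENTERPRISE) or {}
    required = {"externalId": user.get("externalId"), "userName": user.get("userName"),
                "name.givenName": name.get("givenName"), "name.familyName": name.get("familyName"),
                "department": ext.get("department")}
    problems = [f"missing mandatory field: {k}" for k, v in required.items() if not v]
    emails = user.get("emails") or []
    if len(emails) != 1:
        problems.append(f"expected exactly one email, got {len(emails)}")
    # Case-insensitive comparison is an assumption; the page only says the two must match.
    elif str(emails[0].get("value", "")).lower() != str(user.get("userName") or "").lower():
        problems.append("work email does not match userName")
    teams = ext.get("teams", [])
    if not isinstance(teams, list) or not all(isinstance(t, str) for t in teams):
        problems.append("teams must be a list of strings")
    return problems

# Constructed sample records (not real users).
GOOD = {"mailNickname": "jdoe", "department": "Department X", "userPrincipalName": "jdoe@example.com",
        "mail": "jdoe@example.com", "givenName": "Jane", "surname": "Doe", "teams": ["team1", "team2"]}
BAD = {**GOOD, "mail": "jane.doe@example.org", "department": "", "teams": "team1"}
```

Running check_scim_user(to_scim_user(record)) over an export of the users in scope, before choosing 'Start Provisioning', surfaces records that would not match the mapping.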
Provision Microsoft Entra ID Groups
With 'Provision Microsoft Entra ID Groups', you can create departments and modify names. If a department with users is deleted, those users will be automatically placed in the 'DefaultScimDepartment' department in Rakoo.
Please note: The 'Groups' are not used for 'Groups' in Rakoo, but for 'Departments'. Departments are added to a user when matching user data.
Please note: The 'Rakoo field' cannot and does not need to be filled in the SCIM provisioning. It serves as an indication of which of the other fields correspond to what you will see in Rakoo.
Please note: The other fields that appear (by default) in the SCIM provisioning can be ignored. Do not remove them; Rakoo will ignore these fields.
Microsoft Entra ID attribute | customappsso attribute | Rakoo field |
displayName* | displayName | Department (this name will be displayed at the department) |
objectId** | externalId | External ID of the department |
* These fields are mandatory.
** The externalId of a department should not be modified while the connection is active. If you do so, the department will no longer be recognized in the connection.
Adding Users and Groups in SCIM provisioning
Now that the provisioning is set up, you need to specify which users are involved. This can be done with individual users or user groups (Group). You can determine what a group is and who falls under it. You can do this by following these steps:
Go to Enterprise Applications.
Go to your SCIM provisioning.
Go to 'Users and Groups'.
Add User or Group here.
Please note: This 'Group' is not the same as a 'Group' that you can assign as a department in Rakoo. It only refers to user groups that you want to add in the SCIM provisioning.
Enabling the Connection
Once everything is set up correctly, you can test and enable the connection. You can follow these steps to enable the connection:
Go to Enterprise Applications.
Go to your SCIM provisioning.
Go to Provisioning.
Choose 'Start Provisioning'.
Modifying the Connection
Follow the steps below to modify the connection:
Go to Enterprise Applications.
Go to your SCIM provisioning.
Go to Provisioning.
Choose 'Edit Provisioning'.