1. Docs
  2. Pulumi Cloud
  3. Access management
  4. SCIM
  5. Azure AD

SCIM: Configuring Azure Active Directory

    This document outlines the steps required to configure automatic provisioning/deprovisioning of your users in Pulumi using SCIM 2.0.

    Please note that some advanced SCIM features aren’t supported yet. For more information, see Known Limitations.

    Prerequisites

    • Your organization must already be configured to use SAML SSO with Pulumi.
    • You must be an admin of your Pulumi organization.
    • (Optional, but highly recommended) You should have more than one admin for your Pulumi organization.

    Enabling Automatic Provisioning

    1. Navigate to the Azure Active Directory where you have configured Single Sign On using SAML with Pulumi.
    2. Select Enterprise Applications and select the app in which you configured Single Sign On with Pulumi earlier.
    3. Select the Provisioning feature, and change the value of Provisioning Mode to Automatic.

    Admin Credentials

    Under the Admin Credentials section of the Provisioning feature, fill out the form as follows:

    • Tenant URL: https://api.pulumi.com/scim/v2/{orgName}, where {orgName} must be replaced with your organization’s login name (not display name). If you do not know this, navigate to your SAML settings and look at the SSO URL. It will have your organization’s login name in the URL.
    • Secret Token: You will use a token from the Pulumi Cloud as the authorization bearer token. To generate a token, navigate to your org in the Pulumi Cloud, select Settings, then Access Management, and then in the SCIM section, generate a new token if you have never generated one for your org or regenerate it if you have already done so in the past.
    Once you generate the token, save it securely. Neither the Pulumi Cloud nor Pulumi support can retrieve a token once it’s been initially generated. If you lose and need the SCIM token again, you’ll have to generate a new token, invalidating any previous tokens for your Pulumi organization.

    Select Test Connection. You should get a success notification once the connection is successful.

    Mappings

    Make sure the Provision Azure Active Directory Users mapping is enabled.

    If you are not yet ready to enable provisioning for Groups, disable that.

    mappings

    Adjust User Attribute Mappings

    Update the mapping for the userName attribute to be sourced from mailNickname instead of userPrincipalName. In the Mappings expansion panel, click Provision Azure Active Directory Users and then click on the corresponding attribute mapping as shown below.

    In the configuration window, change the value of the Source attribute drop-down to mailNickname.

    The mapping should now be updated as shown below:

    userName

    Remove Unused Attributes

    Delete all attributes except for the following using the Delete button:

    • userName
    • active
    • displayName
    • emails[type eq “work”].value
    • name.givenName
    • name.familyName

    Set The Emails Attribute To Required

    In the user attribute mappings editor, scroll-down and click the Show advanced options checkbox and then the Edit attribute list for customappsso link.

    advanced options

    Check the required checkbox for the emails attribute, and click Save.

    email required

    You are now done with the Mappings configuration. Click Save and close the child windows/blades until you get back to the main Provisioning window where you can see the Provisioning Status drop-down.

    Enable Group Provisioning

    To enable the provisioning of Azure AD groups to Pulumi Cloud, select Edit Provisioning and then select the Provision Azure Active Directory Groups setting under the Mappings expansion panel and switch the Enabled setting to Yes.

    Update Group Attribute Mappings

    Scroll-down to the Attribute Mappings section while you are editing the group provisioning setup and remove the mapping between objectId and externalId. Click Save once you are done.

    Enable Provisioning

    Under the Settings expansion panel, the Scope drop-down should be set to Sync only assigned users and groups. This ensures that only the users who are assigned to this application are synced with Pulumi, and not everyone in your Azure Active Directory.

    settings scope

    Set the Provisioning Status to On and then click Save.

    Assign Users and/or Groups

    You must assign users to the Azure AD enterprise application to have them provisioned with an account in Pulumi. Click on the Users and groups feature in the left nav, and assign users and/or groups to the application by searching for them.

    If you did not enable group provisioning while you were editing the provisioning setup, click on Edit Provisioning and enable the Provision Azure Active Directory Groups setting as well under the Mappings expansion panel.

    Review the Provisioning logs to ensure there were no errors while provisioning the users. It may take a few minutes for logs to appear. If there were validation errors, you can correct them and try again, or contact Pulumi for support.

    Known Limitations

    Some SCIM features are currently not supported:

    • Secondary emails
    • Password sync
    • Bulk importing
      Pulumi AI - What cloud infrastructure would you like to build? Generate Program