Overview

This guide will help you integrate and configure AzureAD/EntraID with Cyolo using SCIM (Auto Provisioning) via the SAML protocol.

Pre-requisites

• Have already created groups and users in Microsoft 365 Admin/EntraID/AzureAd.
• Have already integrated EntraID/AzureAd to Cyolo with SSO via the SAML protocol Configuring AzureAD/EntraID - SAML - SSO

Supported Features

Cyolo supports the following provisioning features:

• User creation: When users are assigned to the Cyolo application in AzureAD/EntraID, they are automatically added to Cyolo.
• User attribute updates: Changes made to user attributes in AzureAD/EntraID are automatically updated in Cyolo.
• User deactivation: Removing or deactivating users in AzureAD/EntraID will deactivate the users in Cyolo.
• Group creation: When users are assigned to the Cyolo application in AzureAD/EntraID, they are automatically created in Cyolo under the type External Groups.
• Group assignment: Users assigned to groups in AzureAD/EntraID are automatically assigned to the corresponding groups in Cyolo.
• Delete groups: When groups are deleted in AzureAD/EntraID, they are automatically deleted in Cyolo.

Please note that any changes made to group or user accounts in AzureAD/EntraID will affect the corresponding accounts in Cyolo. However, changes made to group or user accounts in Cyolo will not affect the corresponding accounts in AzureAD/EntraID.

Configuration

Cyolo

Edit the existing SSO SAML integration

1. Open the Cyolo Console: https://console.YOURTENANTNAME.cyolo.io/
2. Navigate to Integrations → Identity providers.
3. Click on the Name of the integration and then click on the Edit button.
4. In the Identity Provider Details section, select Enable automatic user provisioning.
   • It will add new mapping values under the SCIM attribute, leave them all by default, and continue.
5. You can find the SCIM attributes by navigating to AzureAD/EntraID → Enterprise Application →<The Cyolo Application> → Provisioning → Attribute mapping (Preview) → Provision Microsoft Entra ID Users under the Attribute Mappings section.
6. Click the Save button to save the changes.
7. Save on the side the SCIM endpoint & Token (bearer) that Cyolo provide.

If you forget your auto-provisioning credentials, simply do the following:

1. Disable the Enable automatic user provisioning option.
2. Click the Save button to save the changes.
3. Navigate to Identities → API Keys.
4. Search and delete the Auto-provisioning API key associated with the SAML integration.
5. Restart with Step 1 of this Edit the existing SSO SAML integration section.

---

EntraID

Configure the Auto-Provisioning (SCIM) with Cyolo

1. Open the following URL and sign in with your Microsoft account: Microsoft Entra admin center.
2. Navigate to Applications → Enterprise Applications → All Applications.
3. Open the Enterprise Application associated with Cyolo.
4. Click on the Provisioning tab.
5. In the Overview (Preview) tab, click the New configuration button.
6. Fill the Admin credentials fields as follows:
   • Tenant URL ← SCIM endpoint from Cyolo
   • Secret token ← Token (bearer) from Cyolo
7. Click the Test Connection button to test the connection with Cyolo.
   • If everything went correctly, you should see the following result: Connection test for<Your Tenant> was successful.
8. Click the Create button.

---

Assign Users and Groups to the Application

1. Navigate to the Users and groups tab.
2. Click the Add user/group button.
3. In the Users and groups field, click the None Selected button.
4. Add all users and groups that will be in need of synchronisation and authentication to your Cyolo tenant with this IDP configuration.

---

Start the Auto-Provisioning process

1. Navigate to the Overview (Preview) tab.
2. Click the Start provisioning button.
   • Now your AzureAD/EntraID integration with Cyolo is ready! 🎉

📘

Warning

Do not Pause or Restart the Auto-Provisioning process until you are thoroughly familiar with its operation. The consequences, if not done properly, may be irreversible.

**

AzureAD/EntraID will send user and group updates to Cyolo every 40 minutes. This frequency cannot be changed.
If you can't wait 40 minutes and need to send updates to Cyolo for some users immediately, you can navigate to the Provision on Demand tab and manually provision individual users and groups.
Please note that manual provisioning of a user will not always automatically assign the user to the group in Cyolo, only a provisioning to the group will do so.

---

Testing

Microsoft 365

1. Open the following URL and sign in with your Microsoft account: Active users - Microsoft 365 admin center.
2. Search for a user that is directly or via a group assigned to the Cyolo Enterprise Application in AzureAD/EntraID.
3. Disable this user.
4. Either wait 40 minutes for the synchronisation process to complete, or do an on-demand provisioning for that specific user in EntraID.

---

Cyolo

1. Open the Cyolo Console: https://console.YOURTENANTNAME.cyolo.io/
2. Navigate to Identities → Users.
3. Search for the disabled user from the previous steps.
   • If everything went well, the user should be disabled 🎉

---

Microsoft 365

1. Reactivate the previously disabled user in Microsoft 365.
2. Either wait 40 minutes for the synchronisation process to complete, or do an on-demand provisioning for that specific user in EntraID.

---

Logs

EntraID

1. Open the following URL and sign in with your Microsoft account: Microsoft Entra admin center.
2. Navigate to Applications → Enterprise Applications → All Applications.
3. Open the Enterprise Application associated with Cyolo.
4. Click on the Provisioning tab.
5. In the Provisioning logs tab, you will see the Auto-Provisioning logs.
6. In the Audit Logs tab, you will see the management logs of the SCIM section of the Enterprise Application.

---

Cyolo

Tenant Console

1. Open the Cyolo Console: https://console.YOURTENANTNAME.cyolo.io/
2. Navigate to Monitoring → Audit.

---

Troubleshooting

I forgot the SCIM credentials provided by Cyolo

Don't worry, we will fix that by regenerating them.

Cyolo

1. Open the Cyolo Console: https://console.YOURTENANTNAME.cyolo.io/
2. Navigate to Identities → API keys.
3. Search for the following API Key: SCIM token for IdP<Your integration name> .
4. Delete the API Key by clicking on the Delete button and confirming.
5. Navigate to Integrations → Identity providers.
6. Click on the Name of the integration and then click on the Edit button.
7. In the Identity Provider Details section, select Enable automatic user provisioning.
8. Click the Save button to save the changes.
9. Save on the side the new Token (bearer) that Cyolo provide.

EntraID

1. Open the following URL and sign in with your Microsoft account: Microsoft Entra admin center.
2. Navigate to Applications → Enterprise Applications → All Applications.
3. Open the Enterprise Application associated with Cyolo.
4. Click on the Provisioning tab and then on the Connectivity (Preview) tab.
5. Change the Secret token field with the new Token (bearer) from Cyolo.
6. Click the Test Connection button to test the connection with Cyolo.
7. Click on the Save button to save the modifications.