This article explains how to integrate Reward Gateway with Azure's identity management (Azure AD) so that users are added and removed automatically.
How do I enable Azure for provisioning?
To enable the SCIM API, log into Reward Manager, navigate to the Integration Dashboard and search for “SCIM” under the “Explore” tab.
If you don’t have access please speak with your Client Success Manager or a Client Support team member who will assign your permissions.
Setup
Reward Gateway is listed as an application on the Azure Marketplace. To install the application please go here.
You can follow the setup guide from Azure: Tutorial: Configure Reward Gateway for automatic user provisioning
For more technical information, please read the article: SCIM API.
Or you can watch the following video which demonstrates the setup process step-by-step:
OAuth Bearer Token
An OAuth Bearer Token is required to access the SCIM API and you can generate it here.
SCIM URL
Reward Gateway currently supports SCIM version 1.1 and SCIM version 2.0.
Please note that extended attributes are only supported on SCIM version 2.0.
Go to Azure > Enterprise Applications > Reward Gateway > Provision User Accounts > Update credentials, then add the SCIM URL under Tenant URL and the token under Secret Token.
Set as Provision Master?
If Provision Master is selected this integration will act as the master source of data.
New users to receive welcome emails?
If you select this option, we will send welcome emails to the new users.
Schema Extensions
If you would like to extend the core schema to use Reward Gateway's extended schema, please configure it below.
The core schema includes the most common attributes. Attributes are the information associated with a user's account. This is information that someone would typically set in their profile.
Extension Attributes allow you to ‘extend’ the core schema to fit your organization’s needs to transfer specific details for each employee.
The following table shows Reward Gateway’s core schema and how each SCIM attribute maps to a profile field on the member’s RG profile. Most of these profile fields are exposed directly in Reward Manager to be amended or in the My Account section of the programme where the member can edit it.
Profile Field | SCIM Field
--- | ---
Member ID (UUID) | id
Membership No (Payroll Number, Employee Number) | userName
Membership No (Payroll Number, Employee Number) | externalId
First Name | name.givenName
Last Name | name.familyName
Email Address | emails[0][‘value’]
Eligibility Status | active
Cost Center | enterprise.costCenter
Organization | enterprise.organization
Division | enterprise.division
Department | enterprise.department
Line Manager ID | enterprise.manager
Please note that Azure sometimes passes us the manager’s Object ID rather than their employeeID. Reward Gateway cannot resolve an Object ID, so in that case the manager is not linked to the employee at all.
You can use a PowerShell script that reads the manager field from the staff member’s AD account, finds the manager in AD, reads the manager’s employeeID, and writes it back to an Extension Attribute on the staff member’s AD account. Then read that Extension Attribute in the Azure app mappings so the manager ID is transferred correctly.
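The following script is an added example of that approach; it is not Reward Gateway’s own code. It assumes the RSAT ActiveDirectory module, an account allowed to write the chosen attribute, an OU path of `OU=Staff,DC=example,DC=com` and `extensionAttribute1` as the target (both are placeholders to change), and that Azure AD Connect syncs that attribute to Azure AD so the provisioning mapping can read it.

```powershell
# Added example (not Reward Gateway's script): copy each user's manager employeeID
# into an AD extension attribute so the Azure mapping can send it as enterprise.manager.
# Run with -WhatIf first to review the changes before any attribute is written.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',   # assumed OU, change for your domain
    [string]$TargetAttribute = 'extensionAttribute1'      # assumed target attribute
)

# Enabled users in scope, with the three attributes the script needs.
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties Manager, EmployeeID, $TargetAttribute

# Many staff share a manager, so cache each manager's employeeID instead of re-querying.
$managerEmployeeIds = @{}

foreach ($user in $users) {
    if (-not $user.Manager) {
        Write-Verbose "$($user.SamAccountName): no manager set, skipping"
        continue
    }

    # Manager is stored as a distinguished name; resolve it to the manager's account.
    if (-not $managerEmployeeIds.ContainsKey($user.Manager)) {
        $manager = Get-ADUser -Identity $user.Manager -Properties EmployeeID -ErrorAction SilentlyContinue
        $managerEmployeeIds[$user.Manager] = if ($manager) { $manager.EmployeeID } else { $null }
    }
    $managerId = $managerEmployeeIds[$user.Manager]

    # A manager without an employeeID cannot be matched on the RG side; leave the
    # attribute as it is and report it rather than writing an empty value.
    if ([string]::IsNullOrWhiteSpace($managerId)) {
        Write-Warning "$($user.SamAccountName): manager $($user.Manager) has no employeeID; $TargetAttribute left unchanged"
        continue
    }

    # Only write when the stored value differs, so repeated runs are idempotent
    # and do not generate needless replication or sync traffic.
    if ($user.$TargetAttribute -eq $managerId) { continue }

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "set $TargetAttribute to $managerId")) {
        Set-ADUser -Identity $user -Replace @{ $TargetAttribute = $managerId }
    }
}
```

Schedule the script to run before each Azure AD Connect sync cycle, and map the chosen extension attribute to enterprise.manager in the Azure provisioning mappings, otherwise the value written here never reaches Reward Gateway.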
Extension Attributes allow you to pass additional information, outside of the fields above.
For example, if you have a global workforce and wish to provide data for Country for each employee, you can use an extension attribute, so that Country can be passed via SCIM and populated on the members’ accounts.
You can watch the following video demonstration or follow the steps below:
Setup
- The first step is to add a Registration Question (extra field) on Reward Manager. You can contact your CSM or Client Support to do this for you.
- Next, you need to add the extension attribute in Azure AD.
- Go to Default Directory > Enterprise Applications > Reward Gateway > Provisioning > Mappings > Provision Azure Active Directory Users > Show Advanced Options (at the very bottom) > Edit attribute list for RewardGateway.
- Add the following template in the first (‘Name’) column:
  urn:ietf:params:scim:schemas:rewardgateway:2.0:User:ExtensionAttribute1
  Depending on how many extension attributes you wish to add, simply change the number at the end, e.g. ExtensionAttribute2, ExtensionAttribute3, etc. It needs to be typed exactly like that because this field in Azure is case-sensitive.
- Ensure that Country is already present on the user’s account in Azure AD.
- Go to Default Directory > Enterprise Applications > Reward Gateway > Provisioning > Mappings > Provision Azure Active Directory Users > scroll down to ‘Attribute Mappings’ > Add New Mapping.
- Under ‘Target attribute’, select urn:ietf:params:scim:schemas:rewardgateway:2.0:User:ExtensionAttribute1.
- Under ‘Source attribute’, select the piece of information this attribute will refer to - in our case, ‘country’.
- Click ‘Ok’.
Map the Extension Attributes between Azure and RG.
Go to the SCIM API integration setup in Reward Manager and select ‘Country’ from the drop-down under ‘Extension Attribute 1’ and you’re done.
As soon as you provision a new account, the ‘Country’ field on the member’s account will be populated with the relevant information coming from Azure AD.
Choose a date format for the incoming data. If not specified, Y-m-d will be used.
Click on Save and that’s it - your integration is enabled.
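The step above that asks you to ensure Country is already present on each account is easy to miss across a large directory. The following script is an added example, not part of this article or Reward Gateway’s code, that lists enabled Azure AD users with an empty source attribute before you enable the mapping. It assumes the Microsoft.Graph.Users module and an existing Connect-MgGraph session with User.Read.All; the set of attributes it checks (employeeId for the membership number, name and mail fields, and country for Extension Attribute 1) is an assumption based on the mappings described above.

```powershell
# Added example (not Reward Gateway's script): report users whose source
# attributes are empty, so provisioning does not create profiles with blank fields.
#Requires -Modules Microsoft.Graph.Users

function Get-RgProvisioningGaps {
    param(
        # Graph property names whose absence leaves an RG profile field blank (assumed set).
        [string[]]$RequiredAttributes = @('employeeId', 'givenName', 'surname', 'mail', 'country')
    )
    # Ask Graph only for the properties we inspect; unrequested ones come back empty.
    $props = @('id', 'userPrincipalName', 'accountEnabled') + $RequiredAttributes

    Get-MgUser -All -Property $props |
        Where-Object { $_.AccountEnabled } |
        ForEach-Object {
            $user = $_
            # PowerShell property access is case-insensitive, so camelCase Graph names work here.
            $missing = $RequiredAttributes | Where-Object { [string]::IsNullOrWhiteSpace($user.$_) }
            if ($missing) {
                [pscustomobject]@{
                    UserPrincipalName = $user.UserPrincipalName
                    Missing           = ($missing -join ', ')
                }
            }
        }
}

# Usage: run after Connect-MgGraph -Scopes 'User.Read.All'
Get-RgProvisioningGaps | Format-Table -AutoSize
```

Fix the reported accounts at the source (HR system or Azure AD) rather than in Reward Manager, because the next sync would otherwise overwrite a manual correction with the empty value.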
How do I enable Debug Mode and capture logs?
You can find the Debug Mode by going to the integration, selecting Tools and then Debug.
Please note that while Debug Mode is enabled, you won't be able to edit your integration.
Click on Enable Debug Mode.
Then make some sample SCIM requests: we capture them in real time and show you the logs, including any errors.
Membership Update History (Logs)
Please note that Azure updates will not appear under Members > Membership Update History in Reward Manager.
Automatic provisioning of an account via Azure happens in real time, and updates to account details happen in real time as well.
Since a single account can be synced several times in one day, we are not able to store a log for every attempt.
You can check the provisioning history and any errors in the 'View provisioning logs' section of your Reward Gateway app in Azure.