This topic walks you through how to use Microsoft Entra ID (Azure) with Ironclad. This includes how to create a SCIM scoped token, enable the integration in Azure, and assign users and groups to Ironclad.
Prerequisites
- You must be able to create Ironclad API bearer tokens in your Ironclad company.
- You must have a SAML SSO connector configured in your Ironclad company before provisioning users with SCIM.
Supported Microsoft Entra ID Active Directory Features
- Create Users
- Update User Attributes
- Deactivate Users
- Create Groups
- Update Groups
- Delete Groups
Known Limitation
- The Manager attribute is not compatible with Ironclad's reference chains.
Step 1: Create a SCIM Scoped Token
Required Role: Admin
- In Ironclad, navigate to Company Settings > Integrations > SAML
- At the top, select the SCIM Configuration tab.
- Under Token Generation, enter a descriptive name for the token.
- Click + Generate New Token.
- Copy and paste the new token into your identity provider's setup.
- Save this token in a safe place. Once you close the window, you will not be able to access it again.
Step 2: Enable API Integration in Microsoft Entra ID
Note: You may need to change the default settings for Switch to the following if the default does not allow for you to remove users:
- Log in to your Microsoft Azure portal with your admin account. In the Manage panel on the left, click Applications > Enterprise Applications then find the Ironclad app you created to enable SSO (e.g. Ironclad).
- Select Create your own application.
- Name the application, and select Integrate any other application you don’t find in the gallery. We recommend naming the application Ironclad.
- From the application's configuration screen, click the Provisioning tab.
- Click Get Started.
- Change the provisioning mode from Manual to Automatic.
- In the Tenant URL field, enter https://ironcladapp.com/scim/v2.
NOTE
If you are in the European Union and/or your SSO SAML Callback URL begins with https://eu1.ironcladapp.com, you must enter https://eu1.ironcladapp.com/scim/v2 instead.
- In the Secret Token field, enter the user’s Ironclad API Token.
- Click Test API Credentials to verify the connection.
- Under Settings, verify that Provisioning Status is turned On, and the Scope is set to your desired scope.
- Under Mappings, select Provision Microsoft Entra ID Active Directory Users and unmap the following array type fields. You can remap these in the future.
- physicalDeliveryOfficeName
- streetAddress
- city
- state
- postalCode
- country
- telephoneNumber
- mobile
- facsimileTelephoneNumber
- mailNickname
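To confirm the unmapping took effect, the following added example (not Ironclad or Microsoft code) audits an exported provisioning schema for any listed attribute that is still mapped, including references hidden inside an expression. It assumes the export follows the Microsoft Graph synchronization schema layout (synchronizationRules > objectMappings > attributeMappings); still_mapped, the helper _m and the SAMPLE data are hypothetical names and constructed input.

```python
import re

# Source attributes the page lists for unmapping in the user mappings.
UNMAP = {
    "physicalDeliveryOfficeName", "streetAddress", "city", "state",
    "postalCode", "country", "telephoneNumber", "mobile",
    "facsimileTelephoneNumber", "mailNickname",
}
ATTR_REF = re.compile(r"\[(\w+)\]")  # [attribute] references inside an expression


def still_mapped(schema, source_object="User"):
    """Map each listed source attribute that is still mapped to its targets."""
    found = {}
    for rule in schema.get("synchronizationRules", []):
        for obj in rule.get("objectMappings", []):
            if not obj.get("enabled", True) or obj.get("sourceObjectName") != source_object:
                continue
            for mapping in obj.get("attributeMappings", []):
                src = mapping.get("source") or {}
                refs = set(ATTR_REF.findall(src.get("expression") or ""))
                if src.get("type") == "Attribute" and src.get("name"):
                    refs.add(src["name"])
                for attr in sorted(refs & UNMAP):
                    found.setdefault(attr, []).append(mapping.get("targetAttributeName"))
    return found


def _m(target, expression, name, kind="Attribute"):
    """Build one constructed attribute mapping entry."""
    return {"targetAttributeName": target,
            "source": {"expression": expression, "name": name, "type": kind}}


# Constructed sample (not a real export); layout is an assumption, see lead-in.
SAMPLE = {"synchronizationRules": [{"objectMappings": [
    {"sourceObjectName": "User", "enabled": True, "attributeMappings": [
        _m("userName", "[userPrincipalName]", "userPrincipalName"),
        _m('phoneNumbers[type eq "mobile"].value', "[mobile]", "mobile"),
        _m('addresses[type eq "work"].formatted',
           'Join(", ", [city], [state])', "Join", "Function"),
    ]},
    {"sourceObjectName": "Group", "enabled": True, "attributeMappings": [
        _m("externalId", "[mailNickname]", "mailNickname"),  # group mapping: out of scope
    ]},
]}]}

if __name__ == "__main__":
    for attr, targets in sorted(still_mapped(SAMPLE).items()):
        print(f"still mapped: {attr} -> {', '.join(targets)}")
```

An empty result means none of the listed attributes remain in the user mappings.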
Step 3: Assign Users And Groups to the Ironclad Application
Pushing users into Ironclad with SCIM is only supported when a single SAML configuration is in place in your Ironclad company.
Any subsequent updates to users or groups within Microsoft Entra ID Active Directory are periodically updated in Ironclad.
1. In your Microsoft Entra ID Active Directory admin account, under the application, click the Users and Groups tab.
2. Click the Add User button and select the users and groups to assign to the application.
3. On the bottom left-hand side of the screen, click the Assign button. These users will be added or updated in the next provisioning cycle (typically around 45 minutes).
4. From the Users and Groups tab, you can also remove users and groups from the application.
Step 4: Configure Group Permissions in Ironclad
You must manage group permissions in Ironclad after pushing groups via SCIM. Refer to the Group Permissions Overview for more information.