Learn how to set up an automatic user and hosts integration between your organization's Entra ID and AskCody
With AskCody, you can automate the user management and platform access by synchronizing changes in Microsoft Entra ID to the AskCody Platform. The user synchronization occurs through Azure App Provisioning directly in the Entra ID portal.
To execute this step, an employee with a Global Microsoft 365 Admin role is required. This is a very technical step, but access only needs to be granted and the integration set up once.
As a start, we will mainly focus on setting up the integration to Entra ID and your first primary group of users - your project group. The whole user management and setting up user groups, roles, memberships, and access will be explained later in Step 11 - User Management with EntraID.
After the Global Admin from your organization has approved access and set up the integration, a "normal" MS 365 Admin can make changes and start the synchronization when all user groups are ready.
Note: Please don't start the provisioning of users until later in the implementation process. This will overwrite and remove the manually invited users from the project team.
Content of this article:
- Requirements and Tips
- Create and set up an Enterprise Application for user provisioning within Entra ID
- Configure the Enterprise Application
Requirements and Tips
- Roles required in Entra ID
In order to be able to perform the following configuration steps within the Entra ID Portal, the user needs to have either Application Administrator, Cloud Application Administrator, or Global Administrator roles within Entra ID.
- Roles required in AskCody
Make sure your AskCody user has either the "AskCody Owner" or the "Integration Administrator" roles in the AskCody Management Portal.
- Only security-enabled groups in Entra ID can be integrated
Make sure that the AD groups you want to sync are security-enabled, otherwise, the groups will not be synced. Also, please be aware that nested groups are not supported.
(It is not necessary to create groups with AskCody roles, memberships, and access, yet).
- Azure Permissions need to be granted
Make sure to have granted Azure Enterprise Application Permissions to AskCody in your tenant.
- Entra ID groups name convention recommended for integration
For ease of management, we recommend that the Entra ID groups you plan to integrate fit with the AskCody user role hierarchy. Examples of recommended group names: AskCody Owners, Facility Management, Copenhagen Reception, IT Support, etc.
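A pre-flight check for the two group requirements above, added here as an example (it is not AskCody or Microsoft code). It flags groups that are not security-enabled or that contain nested groups, and lists the users who are members only through a nested group. `DIRECTORY` is constructed sample data shaped like Microsoft Graph group objects (`displayName`, `securityEnabled`, members tagged with `@odata.type`); the ids, the extra group names and the function name `preflight` are assumptions.

```python
USER, GROUP = "#microsoft.graph.user", "#microsoft.graph.group"

# Constructed sample directory (ids and memberships are made up). Each entry is
# shaped like a Microsoft Graph group with its direct members listed in full.
DIRECTORY = {
    "g-owners": {"displayName": "AskCody Owners", "securityEnabled": True,
                 "members": [{"@odata.type": USER, "id": "u1"}]},
    "g-reception": {"displayName": "Copenhagen Reception", "securityEnabled": True,
                    "members": [{"@odata.type": USER, "id": "u3"},
                                {"@odata.type": GROUP, "id": "g-temps"}]},
    "g-temps": {"displayName": "Reception Temps", "securityEnabled": True,
                "members": [{"@odata.type": USER, "id": "u3"},
                            {"@odata.type": USER, "id": "u4"},
                            {"@odata.type": GROUP, "id": "g-reception"}]},
    "g-news": {"displayName": "Newsletter", "securityEnabled": False,
               "members": [{"@odata.type": USER, "id": "u5"}]},
}

def preflight(directory, group_ids):
    """Return {displayName: issues} for groups that break the requirements above."""
    report = {}
    for gid in group_ids:
        group = directory[gid]
        direct = {m["id"] for m in group["members"] if m["@odata.type"] == USER}
        nested = sorted(m["id"] for m in group["members"] if m["@odata.type"] == GROUP)
        # Walk the nested groups (cycle-safe) to collect the users inside them.
        indirect, stack, visited = set(), list(nested), {gid}
        while stack:
            current = stack.pop()
            if current in visited:
                continue
            visited.add(current)
            for m in directory[current]["members"]:
                if m["@odata.type"] == GROUP:
                    stack.append(m["id"])
                elif m["@odata.type"] == USER:
                    indirect.add(m["id"])
        issues = {}
        if not group.get("securityEnabled"):
            issues["security_enabled"] = False
        if nested:
            issues["nested_groups"] = nested
            issues["users_only_via_nesting"] = sorted(indirect - direct)
        if issues:
            report[group["displayName"]] = issues
    return report

if __name__ == "__main__":
    print(preflight(DIRECTORY, ["g-owners", "g-reception", "g-news"]))
```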
Create and set up the Enterprise Application
Log in to your Azure Portal account and navigate to the Entra ID section.
Continue to the Enterprise applications section to create a new non-gallery application. To do this, you can follow these steps:
- Follow this URL, which will take you to the Enterprise Applications section of Microsoft Azure: https://portal.azure.com/#view/Microsoft_AAD_IAM/AppGalleryBladeV2
- On the toolbar at the top, click on New application
- On the same toolbar at the top, click on Create your own application
In here, give the Application a name. We recommend giving the application a name that makes it recognizable amongst your other Enterprise Applications. Examples: “AskCody User Provisioning” or “SCIM Provisioning”. This guide will use an application with the name “AskCody Provisioning”.
Here are the full steps described above in sequence:
(Optional) To make the application even more recognizable, we suggest you add the following logo to it:
To do so, save the image above to your computer, then navigate to the Properties section of the Enterprise Application and click “Select a file” under the “Logo” section:
In here, upload the logo provided above. It should become the application logo.
When done, click on “Save” at the top left of the current screen to save the changes.
Info
Although it is possible to use more than one application to provision users to AskCody, we strongly recommend using only one application for this purpose. Utilizing multiple applications can create additional work in maintaining or modifying the user synchronization service, potentially leading to misconfigurations and unsynchronized users.
If your organization needs to use more than one application to provision user data to AskCody, it is important to understand that a group can only be provisioned from one application. Consequently, synchronizing the same Entra ID group into AskCody from more than one Enterprise Application can result in unexpected synchronization outcomes.
Configure The Enterprise Application
The next step is to configure the Enterprise Application to enable the SCIM (System for Cross-Domain Identity Management) user provisioning.
- To do so, go to the "Provisioning" section of the newly created application to connect it to your AskCody account:
- Click on “New configuration”:
Make sure to set:
- Provisioning Mode: Set to Automatic
- Tenant URL:
  - For EU Customers: https://scim.onaskcody.com/scim
  - For US Customers: https://scim.goaskcody.com/scim
- Secret Token: Make sure to leave blank
- Click on Test Connection to confirm that the connection between your Entra ID and AskCody is functional. After confirming that the connection works, click Save. Once Save is clicked, additional options will appear below the Admin Credentials option.
After testing the connection, click on “Create” at the bottom:
You should be taken to the Overview page of the Enterprise Application:
In here, click on "Provisioning" on the left sidebar:
Then click on the "Mappings" section to start setting up the Attribute mapping, which will ensure that data between Entra ID and AskCody is always aligned:
Configure Attribute Mapping
In order to ensure that the user and group information is created and updated correctly in AskCody, it is necessary to map the attributes that contain the relevant data in Entra ID to user attributes in AskCody.
Let us start by setting up mapping for groups.
- Click on Provision Microsoft Entra ID Groups:
- Then, on the Attribute Mappings section, click on Edit on the line with ‘externalId’ on the customappsso Attribute and ‘objectId’ in the Microsoft Entra ID Attribute:
- Then, proceed to change the “Match objects using this attribute” settings from “No” to “Yes”:
Make sure that the "Matching precedence" is set to 2.
- Click OK at the bottom to save the changes.
You should now be taken back to the Group mapping settings. This time, click on edit on the “displayName” row:
In here, make sure to set the “Match objects using this attribute” setting from “Yes” to “No”:
- Click on “Ok” at the bottom to save the changes.
You should now be taken back to the Group mapping settings. To finalize the Group mapping settings, click on Edit on the “objectId” line again:
This time, make sure to set the Matching precedence to “1” and click “Ok” at the bottom to save changes:
You should now be taken to the Group attribute mapping page. Make sure to click on “Save” at the top left corner of the screen:
- After saving the changes, click on “Provisioning” at the top of the window on the Navigation trail:
Then, choose the “Provision Microsoft Entra ID Users” to start configuring the attribute mapping for Users.
By default, Azure has several attributes mapped in this area:
Please click on “Delete” on all of them, except for:
- userPrincipalName
- givenName
- surname
Your Attribute Mappings should look like this in this step (the sorting order in the list may look different, but it does not have an impact as long as all attributes are listed):
- Next, please click on “Add New Mapping” at the bottom:
In here, we will be adding an additional attribute, which is necessary to identify users in AskCody.
- Click on “Source attribute” and find “objectId” in the dropdown list and click on it.
- On “Target attribute”, find “externalId” in the dropdown list and click on it.
- Under “Match objects using this attribute”, set the value to “Yes”.
- Under “Matching precedence”, make sure there’s a value set. If empty, type the number ‘2’.
- Click on “Ok” at the bottom to save the changes
The current page with the attribute mapping for “objectId” should look like this:
Next, click on the Edit button on the line with the “userName” attribute:
Make sure to set the “Match objects using this attribute” field to “No”:
Click on "Ok" at the bottom to save the changes.
You should be taken to the User Attribute Mapping again. Next, please click on Edit on the line with the “externalId” attribute:
In here, set the “Matching precedence” field to “1”:
Then click on “Ok” at the bottom to save changes.
Your User Attribute Mappings should look like the following. The list sorting does not have relevance in here, so if your list has a different sorting, it is still configured correctly, as long as the number of rows and the settings on each row are the same as the image below:
- To make sure that any manually created users in AskCody are updated before enabling the sync via App Provisioning, we need to add the “mail” attribute to the Matching precedence options. For that, please click on Edit on the line with the “mail” attribute:
In here, please click on the “Match objects using this attribute” field, and set it to “Yes”, and then verify that the Matching precedence is set to “2” (should happen automatically after setting "Yes" in the “Match objects using this attribute” field). If it is not set to “2”, please do so manually:
Then click on “Ok” at the bottom. Your User Attribute Mappings should look like the following. As in previous steps, the list sorting may be different in your case, but as long as all the rows and settings are the same, the application is configured correctly:
- To finalize, we need to map an additional attribute to be able to determine whether a user account is enabled/disabled in Entra ID and reflect those changes into AskCody. For this, we will map the “accountEnabled” attribute. To do so, please follow these steps:
Click on Add New Mapping:
On the presented fields, click on the “Source attribute” one and select “accountEnabled”:
On “Target attribute”, please select “active”:
Leave the rest of the settings as they are by default. They should look like the following:
When done, click on “Ok” at the bottom, and then on “Save” at the top to save the changes:
With this, the attribute mapping configuration should be done. For reference, your attribute list for Users should look like the following at this point:
The next step is to add user groups, but we will wait with that, because the groups are not ready yet and we first need to identify which user groups should have which AskCody roles, memberships, and accesses.
If you already have your groups ready at this point, wish to finish setting up the integration to Entra ID, and want to start the provisioning, please continue to Step 11 - User Management in EntraID.
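To check the attribute mapping configured above before provisioning is started, the following added example (not AskCody or Microsoft code) audits an exported provisioning schema against the matching settings this guide ends with. It assumes the export uses Microsoft Graph's synchronization schema field names (`sourceObjectName`, `attributeMappings`, `targetAttributeName`, `matchingPriority`) and that the portal's "Matching precedence" is stored as `matchingPriority`, with 0 meaning the attribute is not used for matching; `SAMPLE` is constructed, and `EXPECTED`, `m` and `audit` are names chosen here.

```python
# Expected end state of this guide: (Entra object, attribute) -> (source, precedence).
# Precedence 0 = "Match objects using this attribute" is No; source None = not checked.
EXPECTED = {
    ("Group", "externalId"): ("objectId", 1),
    ("Group", "displayName"): (None, 0),
    ("User", "externalId"): ("objectId", 1),
    ("User", "userName"): (None, 0),
    ("User", "mail"): (None, 2),  # the guide identifies this row by its source attribute
    ("User", "active"): ("accountEnabled", 0),
}

def m(src, tgt, prio=0):  # builds one constructed attribute-mapping row
    return {"source": {"type": "Attribute", "name": src},
            "targetAttributeName": tgt, "matchingPriority": prio}

# Constructed export: group matching left half-configured, user 'active' mapping missing.
SAMPLE = {"synchronizationRules": [{"objectMappings": [
    {"sourceObjectName": "Group", "attributeMappings": [
        m("objectId", "externalId", 2), m("displayName", "displayName", 1)]},
    {"sourceObjectName": "User", "attributeMappings": [
        m("objectId", "externalId", 1), m("userPrincipalName", "userName"),
        m("givenName", "name.givenName"), m("surname", "name.familyName"),
        m("mail", 'emails[type eq "work"].value', 2)]},
]}]}

def audit(schema):
    """Return the deviations from EXPECTED, in schema order."""
    findings = []
    for rule in schema["synchronizationRules"]:
        for om in rule["objectMappings"]:
            obj, seen = om["sourceObjectName"], set()
            for am in om["attributeMappings"]:
                tgt, src = am["targetAttributeName"], am["source"].get("name")
                prio = am.get("matchingPriority", 0)
                key = next((k for k in ((obj, tgt), (obj, src)) if k in EXPECTED), None)
                if key is None:
                    if prio > 0:  # an extra matching attribute widens account matching
                        findings.append(f"{obj}.{tgt}: unexpected matching precedence {prio}")
                    continue
                seen.add(key)
                want_src, want_prio = EXPECTED[key]
                if want_src and src != want_src:
                    findings.append(f"{obj}.{key[1]}: source {src}, expected {want_src}")
                if prio != want_prio:
                    findings.append(f"{obj}.{key[1]}: precedence {prio}, expected {want_prio}")
            findings += [f"{k[0]}.{k[1]}: mapping missing"
                         for k in EXPECTED if k[0] == obj and k not in seen]
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```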