Azure SCIM Guide

This article describes how to set up SCIM-based user provisioning through Azure.

Written by Katie Briggs

Disclaimer: This integration with Azure is currently under development and is not available to customers yet. Contact us at support@fulcrumapp.com to learn more.

Features

  • Push Users - Users in Azure can be assigned to the Fulcrum application in Azure and will automatically be created and added as members to your Fulcrum organization.

  • Deactivate Users - Users in Azure that are unassigned from the Fulcrum application in Azure will be removed as members from your Fulcrum organization.

  • Push Membership Updates - Users in Azure can update their email, given name, and/or family name and have those changes updated in their Fulcrum organization membership.

  • Push Groups - Groups in Azure can be assigned to the Fulcrum application in Azure. The users in those groups will automatically be created and added as members to your Fulcrum organization. The groups themselves will also be created in Fulcrum as Fulcrum groups.

  • Map Roles - When app roles are set up and assigned to users in Azure, Fulcrum members will automatically be assigned the corresponding Fulcrum role.

Requirements

SCIM provisioning is only supported on Fulcrum Enterprise plans with SSO and Developer Pack enabled.

Configuration Steps

In Fulcrum

  1. Sign in as an Owner of the organization for which you want SCIM provisioning enabled

  2. Create an API token to be used with the SCIM integration

    1. Go to the API page

    2. Click the NEW API TOKEN button

    3. Provide a useful description such as SCIM Azure

    4. Click CREATE TOKEN to create a new API token

    5. Copy the token; it is the Secret Token you will enter when configuring the Azure Fulcrum application.

Note: The API token is tied to the Fulcrum user who generated it and carries that Owner's privileges, so treat it as a bearer secret: paste it only into the Azure provisioning configuration, do not store it anywhere else, and revoke and regenerate it if it is ever exposed. If the user who created it is removed or deactivated, the token stops working and a new one must be created and reconfigured in Azure; creating it from a dedicated Owner account that is not tied to an individual avoids this.
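To confirm the token works before saving it in Azure, and to see what Entra's Test Connection and provisioning cycle actually send, the following probe can be pointed at the Tenant URL from the Azure steps. It is an example added to this article, not Fulcrum's or Microsoft's code. It assumes, because the article does not say, that the Fulcrum SCIM endpoint at https://web.fulcrumapp.com/scim accepts the API token as an HTTP Bearer token (which is how Entra transmits the Secret Token) and implements the standard SCIM 2.0 /Users resource with the userName filter Entra requires; the payload shapes follow RFC 7644 rather than Entra's exact serialization, and the FULCRUM_API_TOKEN variable and offline_transport helper are illustrative assumptions.

```python
"""Probe a SCIM 2.0 endpoint the way Microsoft Entra provisioning does.

Example code added to this article (not Fulcrum's or Microsoft's).
Assumptions the article does not state: the endpoint takes the Fulcrum API
token as an HTTP Bearer token (how Entra sends the Secret Token) and exposes
a standard SCIM 2.0 /Users resource that supports the userName filter.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str]
    body: Optional[bytes] = None


def _headers(token: str) -> Dict[str, str]:
    # The token is a bearer secret with the creating Owner's privileges:
    # never log or print these headers.
    return {"Authorization": f"Bearer {token}",
            "Accept": "application/scim+json",
            "Content-Type": "application/scim+json"}


def probe_request(tenant_url: str, token: str, user_name: str) -> Request:
    """The filtered GET Entra uses to test a connection. A valid token gets 200
    with a (possibly empty) ListResponse; a bad token gets 401 or 403."""
    filt = urllib.parse.quote(f'userName eq "{user_name}"')
    return Request("GET", f"{tenant_url.rstrip('/')}/Users?filter={filt}", _headers(token))


def create_user_request(tenant_url: str, token: str, user_name: str,
                        given: str, family: str, external_id: str) -> Request:
    """RFC 7644-shaped POST for 'Push Users' (a newly assigned user)."""
    body = {"schemas": [SCIM_USER], "userName": user_name, "externalId": external_id,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"primary": True, "type": "work", "value": user_name}],
            "active": True}
    return Request("POST", f"{tenant_url.rstrip('/')}/Users", _headers(token),
                   json.dumps(body).encode())


def deactivate_request(tenant_url: str, token: str, scim_id: str) -> Request:
    """RFC 7644-shaped PATCH for 'Deactivate Users' (assignment removed)."""
    body = {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return Request("PATCH", f"{tenant_url.rstrip('/')}/Users/{scim_id}", _headers(token),
                   json.dumps(body).encode())


def body_json(req: Request) -> dict:
    """Decode a request body for inspection (empty dict when there is none)."""
    return json.loads(req.body or b"{}")


Transport = Callable[[Request], Tuple[int, dict]]


def send(req: Request, transport: Optional[Transport] = None) -> Tuple[int, dict]:
    """Send over HTTPS with urllib, or through an injected transport for offline tests."""
    if transport is not None:
        return transport(req)
    r = urllib.request.Request(req.url, data=req.body, headers=req.headers, method=req.method)
    try:
        with urllib.request.urlopen(r, timeout=15) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:
        return e.code, {}


def check_token(tenant_url: str, token: str, transport: Optional[Transport] = None) -> str:
    """Return 'ok', 'rejected' or 'unexpected <status>' for the given token."""
    status, body = send(probe_request(tenant_url, token, "probe.nobody@example.invalid"), transport)
    if status in (401, 403):
        return "rejected"
    if status == 200 and SCIM_LIST in body.get("schemas", []):
        return "ok"
    return f"unexpected {status}"


def offline_transport(valid_token: str, seen: list) -> Transport:
    """Constructed stand-in for the SCIM server: records requests, checks the bearer token."""
    def transport(req: Request) -> Tuple[int, dict]:
        seen.append(req)
        if req.headers.get("Authorization") != f"Bearer {valid_token}":
            return 401, {}
        return 200, {"schemas": [SCIM_LIST], "totalResults": 0, "Resources": []}
    return transport


if __name__ == "__main__":
    # Usage: FULCRUM_API_TOKEN=... python scim_probe.py   (variable name is an assumption)
    print(check_token("https://web.fulcrumapp.com/scim", os.environ["FULCRUM_API_TOKEN"]))
```

A "rejected" result before you have even opened Azure tells you the token was copied wrong or revoked; an "unexpected" status usually means the Tenant URL is wrong (for example a trailing path that is not the SCIM root), which is the same thing Test Connection would report with less detail.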

In Azure

  1. Configure Provisioning settings

    1. Open your Enterprise Application for Fulcrum

    2. Click on the Provisioning menu item or the Provision User Accounts tile

    3. Click Get Started

    4. Choose Automatic from the dropdown menu

    5. Enter https://web.fulcrumapp.com/scim as the Tenant URL

    6. Enter the API Token created previously in Fulcrum as the Secret Token

    7. Click the Test Connection button. Azure sends a request to the Tenant URL carrying the Secret Token and reports success only if Fulcrum accepts it.

    8. Click Save to save the Provisioning configuration

  2. Assign users to the Azure Fulcrum app to have them added to your organization in Fulcrum

    1. Click on the Users and groups menu or the Assign users and groups tile

    2. Click Add user/group to add users or groups

    3. Click None Selected

    4. Search for or choose a user or group to add. When all users and groups have been selected click the Select button

    5. Click the Assign button

  3. Add app roles to automatically assign the corresponding Fulcrum role (optional)

    When app roles are set up and assigned to users in Azure, Fulcrum members will automatically be assigned the corresponding Fulcrum role.

    1. The first step is to add roles to the app mapping:

      1. Go to the Microsoft Entra ID portal, then to the Enterprise applications tab, and select the Fulcrum app

      2. Inside the app go to the Provisioning tab, then click on Provisioning again

      3. Under Mappings, select Provision Azure Active Directory Users

      4. At the bottom of the page, select Show advanced options

      5. Select Edit attribute list for (Fulcrum/customsso)

      6. Remove unnecessary attributes, until the list looks like this:

      7. Go back to the previous screen, select Add Mapping and configure it like this:

      8. The Mappings list should look like this, remove any attributes that are not needed:


    2. The next step is to set up the app roles:

      1. Go to the Microsoft Entra ID portal

      2. Select the App Registrations tab

      3. Select the app registration that backs your Fulcrum Enterprise Application

      4. Select the App Roles tab. This will show a list of the currently available roles

      5. Click on Create app role to create a new role

      6. Create custom roles for the Enterprise Application to match the roles in Fulcrum

      7. Fill out the form and submit. Ensure that the 'Display name' field matches a role name in Fulcrum exactly.

        When adding users to the app or editing already provisioned users, you can now assign an app role. The user is then provisioned with the Fulcrum role whose name matches the 'Display name' of the assigned app role. If no Fulcrum role matches the 'Display name' of the selected app role, the user is provisioned with the default Fulcrum role.

        Only one app role can be provisioned per user. If a user belongs to two or more assigned groups that carry different app roles, provisioning for that user fails with an error; fix the group assignments rather than expecting one role to win.
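Because a role conflict surfaces only as a per-user provisioning error during a later sync cycle, it is worth checking assignments before the cycle runs. The following pre-sync check is an example added to this article, not Fulcrum's or Microsoft's code; it models the two rules stated above (an unmatched display name falls back to the default role, more than one distinct role is an error). It assumes things the article does not state: that display names are compared exactly (case-sensitive), that a user's roles are the union of roles assigned directly and through assigned groups, and the sample tenant data, including the Fulcrum role names, is constructed for illustration.

```python
"""Pre-sync check of Entra app-role assignments against the rules in this article.

Example code added to this article, not Fulcrum's or Microsoft's. Assumptions
the article does not state: role names are compared exactly (case-sensitive);
a user's roles are the union of direct and group assignments; the sample data
below is constructed, not taken from a real tenant.
"""
from typing import Dict, Iterable, List, Set, Tuple


class RoleConflict(ValueError):
    """More than one distinct app role reaches one user: the sync errors, per the article."""


def app_roles_for(user: str, direct: Dict[str, str], group_roles: Dict[str, str],
                  memberships: Dict[str, List[str]]) -> Set[str]:
    """Distinct app-role display names that reach `user`, directly or via groups.
    Assigned groups that carry no role contribute nothing."""
    roles: Set[str] = set()
    if user in direct:
        roles.add(direct[user])
    for group in memberships.get(user, []):
        if group in group_roles:
            roles.add(group_roles[group])
    return roles


def resolve_fulcrum_role(app_roles: Set[str], fulcrum_roles: Iterable[str], default: str) -> str:
    """Article's rules: at most one role; a display name with no Fulcrum match -> default."""
    if len(app_roles) > 1:
        raise RoleConflict(f"conflicting app roles {sorted(app_roles)}")
    if not app_roles:
        return default
    role = next(iter(app_roles))
    return role if role in set(fulcrum_roles) else default


def preflight(users: Iterable[str], direct: Dict[str, str], group_roles: Dict[str, str],
              memberships: Dict[str, List[str]], fulcrum_roles: Iterable[str],
              default: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return ({user: resolved role}, [(user, problem)]) so conflicts can be fixed before a cycle."""
    resolved: Dict[str, str] = {}
    problems: List[Tuple[str, str]] = []
    for user in users:
        try:
            roles = app_roles_for(user, direct, group_roles, memberships)
            resolved[user] = resolve_fulcrum_role(roles, fulcrum_roles, default)
        except RoleConflict as exc:
            problems.append((user, str(exc)))
    return resolved, problems


# Constructed sample tenant state (not real data; role names are illustrative).
FULCRUM_ROLES = ["Owner", "Manager", "Standard User", "View Only"]
DEFAULT_ROLE = "Standard User"
DIRECT = {"alice@example.com": "Manager"}                       # direct user assignment
GROUP_ROLES = {"field-crews": "Standard User", "gis-leads": "Manager", "auditors": "Viewer"}
MEMBERSHIPS = {
    "alice@example.com": [],                           # direct Manager only
    "bob@example.com": ["field-crews", "gis-leads"],   # two groups, two roles: error
    "carol@example.com": ["auditors"],                 # 'Viewer' matches no Fulcrum role: default
    "dave@example.com": [],                            # no role at all: default
}
USERS = list(MEMBERSHIPS)


def sample_report() -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    return preflight(USERS, DIRECT, GROUP_ROLES, MEMBERSHIPS, FULCRUM_ROLES, DEFAULT_ROLE)


if __name__ == "__main__":
    resolved, problems = sample_report()
    for user, role in resolved.items():
        print(f"{user}: {role}")
    for user, problem in problems:
        print(f"FIX BEFORE SYNC {user}: {problem}")
```

Replace the constructed dictionaries with an export of your tenant's assignments (for example the output of Get-MgServicePrincipalAppRoleAssignedTo, mapped to display names) and the report shows exactly which users the next cycle would fail on and which would silently land in the default role because of a misspelled app-role display name.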

Troubleshooting

Managed and unmanaged users and groups

Fulcrum separates the ecosystems for managed and unmanaged users and groups.

Unmanaged users are users that are created directly in Fulcrum and are not managed by Azure. Azure is in fact unaware of these unmanaged users.

Managed users are created in Azure and are created in Fulcrum via SCIM provisioning. In Fulcrum, these users will be marked as managed.

Similarly, Fulcrum also has managed and unmanaged groups. Unmanaged groups are completely internal to Fulcrum and are not visible to Azure. Managed groups are created and managed in Azure; their memberships cannot be edited in Fulcrum and must be changed in Azure. See the Fulcrum documentation on managing groups for the unmanaged side.

One of the consequences of this split ecosystem is that managed and unmanaged users and groups may have the same name even though they represent different entities. Refreshing the App Groups in Azure will not fetch unmanaged groups from Fulcrum. Pushing a group in Azure that has the same name as an unmanaged group in Fulcrum will result in multiple groups with the same name in Fulcrum. This is expected behavior.

Nested groups

Azure does not support assigning nested groups to an application through SCIM. Only the direct members of an assigned group are provisioned; users who belong only to a group nested inside the assigned group are not pushed to Fulcrum, so assign each group that contains users directly.

Provisioning time

Azure does not execute provisioning requests immediately. Changes are picked up by the scheduled provisioning cycle, so it can take up to 15 minutes for an assignment, unassignment or attribute change to reach Fulcrum. To test a single user without waiting for the cycle, use the Provision on demand option on the Provisioning page of the Enterprise Application.

Other Issues

Please reach out to our support team at support@fulcrumapp.com if you have any difficulties.
