Disclaimer: This integration with Azure is currently under development and is not available to customers yet. Contact us at support@fulcrumapp.com to learn more.
Features
Push Users - Users in Azure can be assigned to the Fulcrum application in Azure and will automatically be created and added as members to your Fulcrum organization.
Deactivate Users - Users in Azure that are unassigned from the Fulcrum application in Azure will be removed as members from your Fulcrum organization.
Push Membership Updates - Users in Azure can update their email, given name, and/or family name and have those changes updated in their Fulcrum organization membership.
Push Groups - Groups in Azure can be assigned to the Fulcrum application in Azure. The users in those groups will automatically be created and added as members to your Fulcrum organization. The groups themselves will also be created in Fulcrum as Fulcrum groups.
Requirements
SCIM provisioning is only supported on Fulcrum Enterprise plans with SSO and Developer Pack enabled.
Configuration Steps
In Fulcrum
Sign in as an Owner to the organization for which you want SCIM provisioning enabled
Create an API token to be used with the SCIM integration
Note: The API token is tied to the Fulcrum user who generated it. If that user is removed or deactivated, a new token will need to be created and reconfigured in Azure.
In Azure
Configure Provisioning settings
Open your Enterprise Application for Fulcrum
Click on the Provisioning menu item or the Provision User Accounts tile
Click Get Started
Choose Automatic from the dropdown menu
Enter https://web.fulcrumapp.com/scim as the Tenant URL
Enter the API Token created previously in Fulcrum as the Secret Token
Click the Test Connection button to validate the credentials
Click Save to save the Provisioning configuration
Assign users to the Azure Fulcrum app to have them added to your organization in Fulcrum
Troubleshooting
Managed and unmanaged users and groups
Fulcrum separates the ecosystems for managed and unmanaged users and groups.
Unmanaged users are users that are created directly in Fulcrum and are not managed by Azure. Azure is in fact unaware of these unmanaged users.
Managed users are created in Azure and are created in Fulcrum via SCIM provisioning. In Fulcrum, these users will be marked as managed.
Similarly, Fulcrum also has managed and unmanaged groups. Unmanaged groups are completely internal to Fulcrum and are not visible to Azure. Managed groups are created and managed in Azure. Group memberships cannot be managed in Fulcrum and must be managed in Azure. See the information on managing groups in Fulcrum.
One of the consequences of this split ecosystem is that managed and unmanaged users and groups may have the same name even though they represent different entities. Refreshing the App Groups in Azure will not fetch unmanaged groups from Fulcrum. Pushing a group in Azure that has the same name as an unmanaged group in Fulcrum will result in multiple groups with the same name in Fulcrum. This is expected behavior.
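The split described above, and the note that the API token is tied to the user who generated it, can be checked with a short audit. This is an added example, not Fulcrum's or Microsoft's code: the record fields (`name`, `email`, `managed`), the function names and the sample data are assumptions constructed for illustration, not Fulcrum's export format.

```python
from collections import defaultdict

# Constructed sample data. Field names are assumptions for this example,
# not Fulcrum's export format.
GROUPS = [
    {"name": "Field Crew", "managed": True},
    {"name": "Field Crew", "managed": False},
    {"name": "Inspectors", "managed": True},
    {"name": "Contractors", "managed": False},
]
MEMBERS = [
    {"email": "owner@example.com", "managed": False},
    {"email": "alice@example.com", "managed": True},
    {"email": "bob@example.com", "managed": True},
    {"email": "vendor@example.com", "managed": False},
]


def colliding_group_names(groups):
    """Names carried by both a managed and an unmanaged group."""
    kinds = defaultdict(set)
    for g in groups:
        kinds[g["name"]].add(bool(g["managed"]))
    return sorted(name for name, k in kinds.items() if k == {True, False})


def unmanaged_members(members):
    """Members Azure is unaware of, so they need review inside Fulcrum."""
    return sorted(m["email"] for m in members if not m["managed"])


def token_owner_status(members, token_owner):
    """Classify the user whose API token is configured as the Secret Token."""
    owner = next((m for m in members if m["email"] == token_owner), None)
    if owner is None:
        return "missing: token owner is not a member, a new token is needed"
    if owner["managed"]:
        return "managed: unassigning this user in Azure removes the token owner"
    return "unmanaged: Azure assignments do not affect the token owner"


if __name__ == "__main__":
    print("Duplicate group names:", colliding_group_names(GROUPS))
    print("Unmanaged members:", unmanaged_members(MEMBERS))
    print("Token owner:", token_owner_status(MEMBERS, "owner@example.com"))
```
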
Nested groups
Azure does not support assigning nested groups to an application through SCIM.
Provisioning time
Azure does not execute provisioning requests immediately. Instead, it can take up to 15 minutes to sync changes from Azure to Fulcrum.
Other Issues
Please reach out to our support team at support@fulcrumapp.com if you have any difficulties.