MS Entra ID (Azure Active Directory) user provisioning integration

Ruth Nossek

This is a technical integration. You will need to involve your Entra ID / technical team to complete this task.

The Entra ID user provisioning integration is designed to complement SSO via Entra ID. However, user provisioning can be used standalone.

Steps for setting up an Entra ID user provisioning integration

Please find the steps below for setting up a Passle integration with MS Entra ID (using automatic user provisioning) to manage user identities and access across your company.

The full documentation (in PDF format) can be found at the bottom of this article.

(A) Set up an Enterprise Application for Passle in your Entra ID directory

You will need to set up an Enterprise Application for Passle within your Entra ID directory. If you already use Entra ID for SSO, you do not need to set up a new one.

Follow the standard steps in your Entra ID directory to add a new Enterprise Application for Passle.

    1. View your Entra ID directory. Navigate to Manage > Enterprise applications.
    2. Select Create your own application.
    3. Add a name for the Enterprise Application. This name is for your reference only.
    4. Select Integrate any other application you don't find in the gallery (Non-gallery). Select Create.

(B) Set up user provisioning to Passle within your Entra ID Enterprise Application

To set up user provisioning to Passle in your Enterprise Application, you will need to do the following:

In Passle

  • Generate your secret token
  • Set your company-level user configuration

The Passle Entra ID module will need to be enabled. You will need to be an administrator to complete this configuration. Please speak with your Client Success contact or support@passle.net if you need help with either of these.

In Entra ID

  • Configure admin credentials
  • Configure user mapping
  • Assign users

    1. From the Passle admin dashboard, navigate to COMPANY > Manage Entra ID.
    2. When setting up Entra ID for the first time, you will need to generate your unique secret token.
      Select the Generate secret token button.

      You will only need to complete this step once.

    3. You will be presented with the URL, secret token and user configuration settings page.

      You can choose from three different options:

      • This is the default option.
        Users will be set up with a Passle account, but will not be assigned to a user role or Passle.

        Please note: these users will not become active until assigned to a Passle and a user role.

      • Users will be set up with a Passle account. They will be assigned to a Content Creator user role, and will be assigned to ALL Passles for your company.

        Select this option if your company has only one Passle set up.

      • Users will be set up with a Passle account. They will be assigned to a Content Creator user role, and will be assigned to one or more Passles for your company, as per the user configuration settings.

    1. In Entra ID, navigate to the Enterprise Application set up for Passle.
    2. Select Manage > Provisioning or select the Provision User Accounts box from the Overview page.
    3. On the Manage Provisioning page select Automatic from the 'Provisioning Mode' dropdown.
    4. You should now see the 'Admin Credentials' and 'Settings' sections. Proceed to configuring admin credentials.

    Configure admin credentials

    You will need the URL and secret token values from your Passle Manage Entra ID page.

    Your details should look something like this for a client with a shortcode of 'a01':

    • Tenant URL: https://www.passle.net/scim/a01s
    • Secret Token: a01-SDFGU3D-683NDOG-73FD2MGs

    1. View the Admin credentials section. Enter the URL into the Tenant URL field, and the secret token into the Secret token field.
    2. Check the integration by selecting Test Connection. Once tested, select Save.

    Configure attribute mapping

    The Mapping section will only appear after the admin credentials have been configured. This section includes access to Provision Microsoft Entra ID Groups and Provision Microsoft Entra ID Users.

    1. View the Mapping section, and select Provision Microsoft Entra ID Groups.
    2. Under the Attribute Mapping page, toggle Enabled to 'No'. (Passle only requires users to be provisioned.) Then return to the Manage Provisioning page.
    3. Under Mappings, select Provision Microsoft Entra ID Users. This takes you to the Attribute Mapping page for users.
    4. View the Attribute Mappings table.

      Edit the settings in the table to match the attributes given below. Remove any other attributes.
      Attribute         Entra ID Attribute
      userName          userPrincipalName
      active            Switch([IsSoftDeleted], , "False", "True", "True", "False")
      title             jobTitle
      name.givenName    givenName
      name.familyName   surname
      externalId        objectId

      User first name and surname values
      The integration mapping must include Entra ID attributes for Passle user 'first name' and 'surname' profile fields (Entra ID attributes: 'givenName' and 'surname').

      Entra ID only enforces that the 'displayName' is mandatory.

      Sync job title is optional
      If this is not ticked as an option under the Passle module, then the job title will be editable in Passle and will not be synced from Entra ID data. If job title sync is enabled, the 'title' field must be set up in Entra ID user attribute mappings.

      Please speak with your Client Success contact or support@passle.net if you need the job title sync option enabling in Passle.

    5. Once configured, select Save. Refresh the page to ensure that your settings have been updated before moving on to assigning users.
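
    The mapping table above, applied in code as a pre-flight check (an added example, not Passle's or Microsoft's code): it builds the SCIM user resource the table implies and flags records with no givenName or surname, which Entra ID does not enforce. The schema URN is from RFC 7643; the exact payload Passle expects and the sample records are assumptions.

```python
# Added example: emulates the attribute mapping table for a pre-flight check.
# The schema URN comes from RFC 7643; the payload shape Passle expects is assumed.
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Target attribute -> Entra ID source attribute, as in the mapping table.
DIRECT_MAPPINGS = {
    "userName": "userPrincipalName",
    "title": "jobTitle",
    "name.givenName": "givenName",
    "name.familyName": "surname",
    "externalId": "objectId",
}
# userName is required by SCIM; the two name fields are required by this article.
REQUIRED = ("userName", "name.givenName", "name.familyName")


def map_user(entra_user, sync_job_title=True):
    """Return (scim_resource, problems) for one Entra ID user record."""
    resource, problems = {"schemas": [SCIM_USER]}, []
    for target, source in DIRECT_MAPPINGS.items():
        if target == "title" and not sync_job_title:
            continue  # job title stays editable in Passle and is not synced
        value = (entra_user.get(source) or "").strip()
        if not value:
            if target in REQUIRED:
                problems.append(f"{source} is empty (needed for {target})")
            continue
        # Dotted targets such as name.givenName nest under their parent key.
        node = resource
        *parents, leaf = target.split(".")
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = value
    # Switch([IsSoftDeleted], , "False", "True", "True", "False"):
    # a soft-deleted directory user is sent as inactive.
    soft_deleted = str(entra_user.get("IsSoftDeleted", "False")).lower() == "true"
    resource["active"] = not soft_deleted
    return resource, problems


# Constructed sample records (not real directory data).
SAMPLE_USERS = [
    {"userPrincipalName": "a.ng@example.com", "givenName": "Ana", "surname": "Ng",
     "jobTitle": "Partner", "objectId": "obj-0001", "IsSoftDeleted": False},
    {"userPrincipalName": "svc.scan@example.com", "displayName": "Scanner",
     "objectId": "obj-0002", "IsSoftDeleted": True},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(map_user(user))
```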

    Assigning users

    There are three options for user assignment:

    Option 1: Assign all users

      1. View the Manage Provisioning page > Settings section.
      2. Select Sync all users and groups from the 'Scope' dropdown.

    Option 2: Assign users individually

      1. Navigate to the Manage > Users and groups page.
      2. To assign a user to be provisioned, select Add user/group.
      3. You should now be able to view the Add Assignment page. Select the blue text under Users to view the interface which will allow you to select which users to assign.

    Option 3: Assign users by group

      1. Navigate to the Manage > Users and groups page.
      2. To assign a user to be provisioned, select Add user/group.
      3. You should now be able to view the Add Assignment page. Select the blue text under Groups to view the interface which will allow you to select which groups to assign.

(C) Turning on automatic user provisioning in Entra ID

Any existing Passle user must have an email address that matches their Entra ID user record; otherwise they will be duplicated in Passle.
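
One way to check for this before starting provisioning (an added example, not part of Passle's tooling): compare the Entra ID users in scope against an export of existing Passle users and list the accounts that would link, be created, or probably be duplicated. It assumes Passle links on the userName value (userPrincipalName in the mapping above) compared case-insensitively; the export field names and the name-based duplicate heuristic are hypothetical.

```python
# Added example: pre-flight check for duplicate accounts before provisioning.
# Assumptions: linking uses the userName value (userPrincipalName), compared
# case-insensitively; the export fields email/first_name/surname are hypothetical.

def _norm(value):
    return (value or "").strip().lower()


def plan_linking(entra_users, passle_users):
    """Predict, per Entra ID user, whether the first cycle links or creates."""
    passle_emails = {_norm(u["email"]) for u in passle_users}
    link, create = [], []
    for user in entra_users:
        upn = _norm(user["userPrincipalName"])
        (link if upn in passle_emails else create).append(upn)

    # Existing Passle accounts nobody links to, indexed by (first name, surname).
    unlinked = {}
    for u in passle_users:
        if _norm(u["email"]) not in link:
            key = (_norm(u["first_name"]), _norm(u["surname"]))
            unlinked.setdefault(key, []).append(_norm(u["email"]))

    # A user about to be created who shares a name with an unlinked Passle
    # account is the likely duplicate: correct the address in Passle first.
    likely_duplicates = []
    for user in entra_users:
        upn = _norm(user["userPrincipalName"])
        key = (_norm(user.get("givenName")), _norm(user.get("surname")))
        if upn in create and all(key):
            likely_duplicates += [(upn, email) for email in unlinked.get(key, [])]
    return {"link": link, "create": create, "likely_duplicates": likely_duplicates}


# Constructed sample data (not real accounts).
ENTRA_USERS = [
    {"userPrincipalName": "Ana.Ng@example.com", "givenName": "Ana", "surname": "Ng"},
    {"userPrincipalName": "b.okoro@example.com", "givenName": "Ben", "surname": "Okoro"},
    {"userPrincipalName": "c.diaz@example.com", "givenName": "Cara", "surname": "Diaz"},
]
PASSLE_USERS = [
    {"email": "ana.ng@example.com", "first_name": "Ana", "surname": "Ng"},
    {"email": "ben.okoro@example.org", "first_name": "Ben", "surname": "Okoro"},
]

if __name__ == "__main__":
    print(plan_linking(ENTRA_USERS, PASSLE_USERS))
```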

To turn on automatic provisioning, view the Provisioning > Overview page, and select the Start provisioning button.

  • Entra ID will manage the actions required to keep your users synced with Passle through automatic provisioning cycles.

    • When provisioning is enabled, an initial cycle is run to discover your Passle users and create any user that doesn’t already exist. This usually happens within a few minutes once provisioning has been turned on.
    • Following the initial cycle, incremental sync cycles are run at fixed 40-minute intervals. When a user has been created, updated, or deleted in your Entra ID directory, Entra ID will take the appropriate action to keep that user synced to Passle at the next incremental provisioning cycle.
  • For any changes that require an immediate sync, there is the option to Provision on demand.

    • This is on a per-user basis and will perform any actions required for that user that would have otherwise been performed during the next incremental cycle.

FAQs

  • For companies who already have users set up in Passle, each Entra ID user is matched up and 'linked' to the corresponding Passle user via email address.
  • No, Entra ID will be configured in exactly the same way whether you already have users set up in Passle or not.

    However, it is very important that whoever enables the Entra ID integration makes sure that the user email addresses in Passle match those in Entra ID, and updates them in Passle if necessary. Otherwise, duplicate users will be created.
  • Existing Passle settings for existing users' role & assignments will not be overwritten by connecting to Entra ID. Only new users created via Entra ID will have the Entra user configuration applied to them (as set on the Manage Entra ID settings page).

The following document provides the full technical information for a Passle MS Entra ID user provisioning integration.

> Passle Entra ID Integration v1.1 (PDF)
