Add Entra ID SCIM (#468)

2026-04-16 07:26:35 +00:00 · 2025-11-25 11:35:48 +03:00
parent 0080ae97df
commit 969fd8afaf
27 changed files with 188 additions and 3 deletions
--- a/src/pages/manage/team/idp-sync/index.mdx
+++ b/src/pages/manage/team/idp-sync/index.mdx
@@ -35,7 +35,8 @@ offboarding scenarios:
 NetBird provides native support for syncing with the most popular identify providers.
 For detailed setup and configuration steps, select an IdP from the section below:

-* [Entra ID (Azure AD)](/manage/team/idp-sync/microsoft-entra-id-sync)
+* [Entra ID (API)](/manage/team/idp-sync/microsoft-entra-id-sync)
+* [Entra ID (SCIM)](/manage/team/idp-sync/microsoft-entra-id-scim-sync)
 * [Okta](/manage/team/idp-sync/okta-sync)
 * [Google Workspace](/manage/team/idp-sync/google-workspace-sync)
 * [JumpCloud](/manage/team/idp-sync/jumpcloud-sync)
--- a/src/pages/manage/team/idp-sync/microsoft-entra-id-scim-sync.mdx
+++ b/src/pages/manage/team/idp-sync/microsoft-entra-id-scim-sync.mdx
@@ -0,0 +1,183 @@
+# Provision Users and Groups From Microsoft Entra ID via SCIM
+
+[Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id),
+formerly known as Azure Active Directory (Azure AD), is a cloud-based identity and access management service that provides
+organizations with secure authentication, single sign-on, and user management capabilities. In the context of network security,
+it can be effectively used to control network access based on organizational structure, such as groups and individual user accounts.
+
+NetBird's Microsoft Entra ID SCIM integration allows you to synchronize users and groups from Entra ID to NetBird.
+You can then use these synchronized groups to configure your network, create network access policies, and automate
+onboarding and offboarding processes.
+
+## Prerequisites
+
+Before you begin the integration process, ensure you have the necessary admin permissions in Microsoft Entra ID. You need an Azure user account with at least one of these roles:
+
+* Application Administrator
+* Cloud Application Administrator
+* Global Administrator
+
+## Enabling Microsoft Entra ID SCIM in NetBird
+
+To enable SCIM synchronization in NetBird, navigate to `Integrations > Identity Provider Sync` in your NetBird dashboard.
+
+![Microsoft Entra ID SCIM Integration Connection](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-connect.png)
+
+<Note>
+    Before starting the Entra ID SCIM integration you will need to be logged in via Microsoft Login. <br/>
+    Simply sign in with the **Continue with Entra ID** button on the login page.
+</Note>
+
+Click the `Connect Microsoft Entra ID` button to begin the configuration process.
+This action will trigger a pop-up window that will present you with a user-friendly wizard, guiding you through the synchronization process between NetBird and Entra ID.
+
+![Microsoft Entra ID SCIM Getting Started Wizard](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-scim-getting-started.png)
+
+
+## Configure SCIM Provisioning in Microsoft Entra ID
+
+Click on the `Get Started` button to initiate the integration process.
+A new wizard screen will appear, offering step-by-step instructions for creating and configuring your Microsoft Entra ID application. To simplify the process, the wizard also provides quick-copy buttons for essential information:
+
+![Microsoft Entra ID SCIM Configuration Setup](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-configure-scim.png)
+
+
+In the [Azure portal](https://portal.azure.com), navigate to `Azure Active Directory` → `Enterprise applications`.
+
+![Microsoft Entra ID Enterprise Applications](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-enterprise-applications.png)
+
+Click `New application` to create a new enterprise application.
+
+![Microsoft Entra ID New Application Creation](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-new-application.png)
+
+Click `Create your own application`.
+
+Fill out the application form with the following details:
+
+* **What's the name of your app?**: `NetBird SCIM`
+* **What are you looking to do with your application?**: Select `Integrate any other application you don't find in the gallery (Non-gallery)`
+
+![Microsoft Entra ID Application Form](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-application-form.png)
+
+Click `Create`.
+
+![Microsoft Entra ID Application Created Successfully](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-application-created.png)
+
+### Enable Provisioning
+
+On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for enabling provisioning.
+![Microsoft Entra ID Enable Provisioning Setup](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-enable-provisioning.png)
+
+Once the application is created, you'll be redirected to a getting started page. Click `Get started` in the `Provision User Accounts` section.
+
+![Microsoft Entra ID Provisioning Get Started](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-provisioning-get-started.png)
+
+Under the `Create configuration` section, click `connect your application`.
+
+Fill out the `New provisioning configuration` form with the following details:
+
+* **Select authentication method**: `Bearer authentication`
+* **Tenant URL**: `https://api.netbird.io/api/scim/v2` (paste the Base URL you copied from NetBird)
+* **Secret token**: Paste the Token Key you copied from the Entra ID SCIM Setup process in the NetBird integration
+
+![Microsoft Entra ID Connect Application Configuration](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-connect-application.png)
+
+Click `Test Connection` to verify the SCIM connection. If the connection is successful, click `Create` to save the configuration.
+
+![Microsoft Entra ID Connection Success](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-connection-success.png)
+
+### Configure Attribute Mapping
+
+On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for configuring attribute mapping.
+
+![Microsoft Entra ID Configure Attribute Mapping](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-configure-attribute-mapping.png)
+
+After creating the provisioning configuration, you need to configure the attribute mapping to ensure the `externalId` is mapped to the user's `objectId`.
+
+Navigate to the `Attribute mapping` section and click `Provision Microsoft Entra ID Users`.
+
+![Microsoft Entra ID Default Attribute Mapping](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-default-attribute-mapping.png)
+
+In the attribute mappings list, locate the `externalId` row and click `Edit`.
+
+Change the **Source attribute** from `mailNickname` to `objectId`.
+
+![Microsoft Entra ID Edit External ID Attribute](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-edit-externalid.png)
+
+Click `Ok` to save the change, then click `Save` to apply the new attribute mapping configuration.
+
+![Microsoft Entra ID Updated Attribute Mapping](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-updated-attribute-mapping.png)
+
+## Assign Users and Groups
+
+On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for assigning users and groups.
+
+![Microsoft Entra ID Assign Users and Groups](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-assign-users-and-groups.png)
+
+
+To enable SCIM synchronization of users and groups to NetBird, you need to assign them to the NetBird enterprise application.
+
+In the Azure portal, navigate to your NetBird enterprise application:
+
+* Click on `Users and groups` in the left menu
+* Click `+ Add user/group`
+* Select the users and groups you want to synchronize to NetBird
+* Click `Assign` to save the assignments
+
+![Microsoft Entra ID Assign Users and Groups Interface](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-assign-users-groups.png)
+
+## Start Provisioning
+
+On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for starting the provisioning.
+
+![Microsoft Entra ID Run Provisioning](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-run-provisioning.png)
+
+
+After assigning users and groups, navigate back to the provisioning configuration and click the `Start provisioning` button to enable automatic synchronization. The first sync will begin shortly after provisioning is started.
+
+![Microsoft Entra ID Provisioning Started](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-provisioning-started.png)
+
+Once started, Microsoft Entra ID will automatically synchronize the assigned users and groups to NetBird.
+
+Click `Finish Setup` in the NetBird Dashboard to finalize the integration process.
+
+## Verify Synchronization
+
+After starting provisioning, the synchronization will begin automatically. You can verify that users and groups
+have been successfully synchronized by navigating to `Team > Users` in your NetBird dashboard.
+
+<Note>
+    SCIM provisioning will manage only resources that are created through Microsoft Entra ID. Any resources created directly in NetBird will not be managed by SCIM.
+</Note>
+
+<Note>
+    Synced groups will only be available for membership and will not change the role of user in NetBird
+</Note>
+
+## Configuration Settings
+
+You can access some configuration settings inside the NetBird Dashboard. E.g. if you want to regenerate the authentication token or want to filter users and groups based on a specific prefix.
+Simply go to the Integrations page and click the settings icon of your integration.
+
+![Microsoft Entra ID SCIM Configuration Options](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-configuration-options.png)
+
+### Regenerate Auth Token
+
+If your authentication token has expired or you need to update it, click **Regenerate Auth Token** in the configuration window to generate a new token.
+
+![Microsoft Entra ID Regenerate Authentication Token](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-regenerate-auth-token.png)
+
+
+### Groups to be synchronized
+
+By default, all groups assigned to the NetBird application in Entra will be synchronized. If you want to synchronize only assigned groups that start with a specific prefix, you can specify them in the filter. Keep in mind that the prefix matching is case-sensitive.
+
+![Microsoft Entra ID Group Prefix Filter](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-group-prefix.png)
+
+Click `Continue` to proceed to the next step.
+
+### Users to be synchronized
+
+By default, all users from the groups assigned to the NetBird application in Entra will be synchronized. If you want to further filter and synchronize only users from specific assigned groups, you can specify those group names in the filter. The group name matching is case-sensitive.
+
+![Microsoft Entra ID User Prefix Filter](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-user-prefix.png)
--- a/src/pages/manage/team/idp-sync/microsoft-entra-id-sync.mdx
+++ b/src/pages/manage/team/idp-sync/microsoft-entra-id-sync.mdx
@@ -1,4 +1,4 @@
-# Provision Users and Groups From Microsoft Entra ID
+# Provision Users and Groups From Microsoft Entra ID via API

 [Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id),
 formerly known as Azure Active Directory (Azure AD), is a cloud-based identity and access management service that provides