{"pageModel":{"attributes":{"id":"","name":"119465.dita","viewName":"DitaDetail"},"elements":{"ditaContent":{"name":"DITAContent","value":"<article id=\"provision-users-and-groups-from-microsoft-entra-id\" class=\"topic\">\r\n<h1 class=\"title topictitle1\">Provision Users and Groups from Microsoft Entra ID</h1>\r\n<div class=\"body taskbody\">\r\n<p class=\"p\">Secure Access supports the provisioning of users and groups from Microsoft Entra ID (formerly Azure Active Directory).</p>\r\n<p class=\"p\">With your Secure Access System for Cross-domain Identity Management (SCIM) token, configure the <strong class=\"ph b\">Cisco User Management for Secure Access</strong> app on the Microsoft Entra ID portal. When you configure and provision users and groups through the app, Microsoft Entra ID exchanges user and group information with Secure Access.</p>\r\n<p class=\"p\">\r\n<table class=\"olh_note\" border=\"0\" role=\"note\">\r\n<tbody>\r\n<tr>\r\n<td width=\"5%\" class=\"olh_note\" role=\"heading\" border=\"0\" valign=\"top\">\r\n<img src=\"https://www.cisco.com/c/dam/en/us/td/i/esp/icons/icon-notes.svg\">\r\n<br> </td>\r\n<td border=\"0\" class=\"olh_note\">\r\n<div class=\"note__content\">You do not need to deploy an on-premises Cisco Active Directory (AD) Connector.</div>\r\n</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n</p>\r\n<section class=\"section\">\r\n<h2 class=\"title sectiontitle\">Limitations</h2>\r\n<ul class=\"ul\">\r\n<li class=\"li\">You can provision a maximum of 1000 groups from Microsoft Entra ID to Secure Access. Secure Access supports the provisioning of an unlimited number of users from Microsoft Entra ID. 
For more information, see  <a data-scope=\"local\" target=\"\" href=\"docs/csa/olh/118830.dita\" title=\"\">Limitations and Range Limits</a>.</li>\r\n<li class=\"li\">Concurrent synchronization of the same users and groups from the Cisco AD Connector and the Cisco User Management for Secure Access app is not supported and leads to inconsistent access rule enforcement.</li>\r\n<li class=\"li\">To ensure that all users are provisioned, create a dynamic <strong class=\"ph b\">All Users</strong> group and assign this group to the Cisco User Management for Secure Access app. For more information, see  <a data-scope=\"external\" target=\"_blank\" href=\"https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#create-an-all-users-rule\" title=\"\">Dynamic Membership Rules for Groups in Azure Active Directory</a>. You can assign additional groups as required for group-based access rule enforcement.</li>\r\n<li class=\"li\">Guest users invited to your Microsoft Entra ID tenant are provisioned to the same Secure Access user group as all other users provisioned by Microsoft Entra ID. Since members of the same user group inherit the same access rules in Secure Access, this may result in your Entra ID guest users gaining access to resources intended only for your Entra ID member users.</li>\r\n<li class=\"li\">Provisioning large numbers of users and groups to Secure Access may take several hours.</li>\r\n<li class=\"li\">Microsoft Entra ID does not support nested group memberships for group-based assignment to any SaaS application.</li>\r\n<li class=\"li\">After the initial provisioning of users and groups, Microsoft Entra ID synchronizes changes to Secure Access once every 40 minutes. 
Synchronization of updates to identities from Microsoft Entra ID to Secure Access may take up to one hour.</li>\r\n</ul>\r\n</section>\r\n<section class=\"section\">\r\n<h2 class=\"title sectiontitle\">Refresh SCIM Token</h2>\r\n<p class=\"p\">We recommend that you refresh the SCIM token at least once every 90 days. Secure Access requires a valid SCIM token to provision the users and groups from Microsoft Entra ID to Secure Access.</p>\r\n<p class=\"p\">After you generate a new SCIM token, immediately copy the token to the <strong class=\"ph b\">Cisco User Management for Secure Access</strong> app in Microsoft Entra ID.</p>\r\n<p class=\"p\">For information about refreshing the SCIM token, see  <a data-scope=\"local\" target=\"\" href=\"docs/csa/olh/129932.dita\" title=\"\">Add a Cloud Identity Provider.</a>\r\n</p>\r\n<table class=\"olh_note\" border=\"0\" role=\"note\">\r\n<tbody>\r\n<tr>\r\n<td width=\"5%\" class=\"olh_note\" role=\"heading\" border=\"0\" valign=\"top\">\r\n<img src=\"https://www.cisco.com/c/dam/en/us/td/i/esp/icons/icon-notes.svg\">\r\n<br> </td>\r\n<td border=\"0\" class=\"olh_note\">\r\n<div class=\"note__content\">The administrators in the Secure Access organization are responsible for refreshing the SCIM token. 
Secure Access does not perform this action.</div>\r\n</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n</section>\r\n<section class=\"section\">\r\n<h2 class=\"title sectiontitle\">Supported Attributes for Users</h2>\r\n<table width=\"100%\" border=\"1\">\r\n<thead class=\"thead\">\r\n<tr>\r\n<th id=\"\" font-weight=\"bold\" align=\"left\">Cisco Attributes for Users</th>\r\n<th id=\"\" font-weight=\"bold\" align=\"left\">Microsoft Entra ID Attributes</th>\r\n</tr>\r\n</thead>\r\n<tbody class=\"tbody\">\r\n<tr>\r\n<td headers=\"\" align=\"left\">userName</td>\r\n<td headers=\"\" align=\"left\">userPrincipalName</td>\r\n</tr>\r\n<tr>\r\n<td headers=\"\" align=\"left\">active</td>\r\n<td headers=\"\" align=\"left\">Not([IsSoftDeleted])</td>\r\n</tr>\r\n<tr>\r\n<td headers=\"\" align=\"left\">displayName</td>\r\n<td headers=\"\" align=\"left\">displayName</td>\r\n</tr>\r\n<tr>\r\n<td headers=\"\" align=\"left\">name.givenName</td>\r\n<td headers=\"\" align=\"left\">givenName</td>\r\n</tr>\r\n<tr>\r\n<td headers=\"\" align=\"left\">name.familyName</td>\r\n<td headers=\"\" align=\"left\">surname</td>\r\n</tr>\r\n<tr>\r\n<td headers=\"\" align=\"left\">name.formatted</td>\r\n<td headers=\"\" align=\"left\">Join(\" \", [givenName], [surname])</td>\r\n</tr>\r\n<tr>\r\n<td headers=\"\" align=\"left\">externalId</td>\r\n<td headers=\"\" align=\"left\">objectId</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n</section>\r\n<section class=\"section\">\r\n<h2 class=\"title sectiontitle\">Supported Attributes for Groups</h2>\r\n<table width=\"100%\" border=\"1\">\r\n<thead class=\"thead\">\r\n<tr>\r\n<th id=\"\" font-weight=\"bold\" align=\"left\">Cisco Attributes for Groups</th>\r\n<th id=\"\" font-weight=\"bold\" align=\"left\">Microsoft Entra ID Attributes</th>\r\n</tr>\r\n</thead>\r\n<tbody class=\"tbody\">\r\n<tr>\r\n<td headers=\"\" align=\"left\">displayName</td>\r\n<td headers=\"\" align=\"left\">displayName</td>\r\n</tr>\r\n<tr>\r\n<td headers=\"\" align=\"left\">externalId</td>\r\n<td 
headers=\"\" align=\"left\">objectId</td>\r\n</tr>\r\n<tr>\r\n<td headers=\"\" align=\"left\">members</td>\r\n<td headers=\"\" align=\"left\">members</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n</section>\r\n</div>\r\n</article>\r\n","ditaVal":"","format":"html"},"bookTitle":{"value":""},"shortDescription":{"value":""}}},"parameters":{"appId":"SecureAccess","topicAlias":"provision-users-and-groups-from-azure-ad"}}