Provision users from Entra ID using SCIM

Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management solution used by organizations to control access to their protected resources.

With SCIM provisioning, you can automatically import user accounts, based on group memberships, from the source system (Entra ID) into your target Akamai MFA SCIM application. For existing user profiles, SCIM provisioning keeps both systems synchronized: when a change to the user data is detected in the source system, it is propagated to Akamai MFA.

You can also use the attribute mapping capability to customize and match user attributes exchanged during the provisioning process between Entra ID and the SCIM application.

Akamai MFA SCIM support for Entra ID is only available with the SCIM 2.0-compliant mode of Entra ID.

📘

The automatic provisioning described in this section was implemented using a minimally viable subset of SCIM specifications. In particular, ​Akamai MFA​ doesn't support the full capabilities of the SCIM filtering parameter.

Prerequisites

  • Sign up for a Microsoft Entra ID account with an active subscription.

  • If you want to send the enrollment email to users provisioned from your Entra ID, make sure each user has a valid email address. Users who don't have the email attribute field populated in their Entra ID user profile won't receive the enrollment email.

This integration:

  • Supports endpoints compatible with the SCIM 2.0 specification.

  • Requires one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Add SCIM provisioning

Follow this procedure to set up your SCIM service in ​Akamai MFA​ and obtain your authentication token and base URL. Your authentication credentials let you enable the import of user data from Entra ID to ​Akamai MFA​ in the following steps of the provisioning process.

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Identity & Users > User Provisioning.

  2. Click Add Provisioning (+).

  3. In the User Provisioning page, select the SCIM 2.0 provisioning type and enter its unique name.

  4. Click Save and Deploy.

    You've just generated your API Token and Base URL that you will use in the following configuration steps.

On the SCIM provisioning configuration page, you can also enable these settings:

  1. Send enrollment emails. Toggle on to send the enrollment emails to the new users whose accounts were synced up with ​Akamai MFA​. With this setting, new users receive an email with the enrollment link that lets them register their authentication device in the ​Akamai MFA​ service once their accounts have been imported from Entra ID.

  2. Include Manually Provisioned Users. Toggle on to update the source of provisioning for users that already exist in Akamai MFA. With this setting enabled, when the SCIM client writes to users or groups that are not associated with any provisioning method (that is, manually provisioned), their provisioning method is changed to point to this SCIM integration. This lets the SCIM integration claim ownership of existing users without forcing users who already have accounts to re-enroll.

📘

Please note that with Read All Users enabled, the sync operation doesn't claim users unless it detects a change in their records (such as a different email address).

  3. Read All Users. Toggle on to let the SCIM integration read every user record in the system, including those created by other SCIM instances or by EAA.

📘

If you have existing users on Akamai MFA that you want your provisioning solution to take control of, we recommend that you first enable Include Manually Provisioned Users, verify that the users and groups were claimed, and only then enable Read All Users. Otherwise, users present in both systems may not sync.
If you manage users via SailPoint and want to allow it to read every user regardless of how they were provisioned, enable Read All Users.

  4. Click Save and Deploy.

    You've created a new SCIM service that you will connect with the Entra ID enterprise application in the following steps.

Create and configure an enterprise application in Entra ID

📘

For the latest instructions on how to create an application in Entra ID, refer to the Microsoft Entra ID help page.

Follow these steps to create a new enterprise application in your Microsoft Entra ID tenant.

  1. Log in as administrator to your account in the Microsoft Entra admin center.

  2. In the navigation menu, select Identity > Applications > Enterprise Applications.

    The All applications page displays enterprise applications configured in your Entra ID tenant.

  3. In All applications, click New application (+).

    You're redirected to the Microsoft Entra Gallery that displays the available application templates.

  4. In Browse Microsoft Entra Gallery, click Create your own application (+).

  5. Select Integrate any other application you don't find in the gallery, enter a unique name for your SCIM application, and click Create.

    You're redirected to your newly created enterprise application. The navigation menu lets you display and, if needed, configure the application properties.

  6. In the application menu, go to Manage, and select Properties.

  7. The Properties page lets you view all configurable parameters of your enterprise application. Leave the default settings. To learn more about the properties configuration, see the Entra user guide.

    You've just created and configured an enterprise application in Microsoft Entra ID. Go to the following step to configure the automatic user provisioning for the SCIM application.

Configure provisioning in Entra ID

📘

For the latest instructions on how to configure user provisioning in Entra ID, refer to the Microsoft Entra ID help page.

Follow these steps to configure automatic provisioning of users and groups in Microsoft Entra ID. With this configuration, you can import and synchronize all identity and access data via SCIM.

  1. Log in as administrator to your account in the Microsoft Entra admin center.

  2. In the navigation menu, select Identity > Applications > Enterprise Applications and navigate to the enterprise application that you created in the previous step.

  3. In the navigation menu, select Provisioning and click Get Started.

    The Provisioning page opens.

  4. In Provisioning Mode, select Automatic.

  5. In Admin Credentials, do the following:

    1. In Tenant URL, enter the Base URL that you copied from the ​Akamai MFA​ provisioning page and append the following feature flag to your URL to ensure SCIM compliance: ?aadOptscim062020.

    2. In Secret Token, enter the API Token that you copied from the ​Akamai MFA​ provisioning page.

    3. Click Test Connection to verify the communication between Entra ID and the SCIM endpoint.

    4. Click Save if you receive a notification that the entered authentication credentials are correct.

  6. Expand Mappings and click Provision API:Users to map Entra ID attributes.

  7. In Attribute Mapping, map each API Attribute (that is, the SCIM attribute) to the Entra ID attribute listed in the table below. Remove other attributes by clicking Delete.

These default attribute mappings are supported by ​Akamai MFA​.

Microsoft Entra ID Attribute                                   API Attribute
userPrincipalName                                              userName
Switch([IsSoftDeleted], , "False", "True", "True", "False")    active
mail                                                           emails[type eq "work"].value
surname                                                        name.familyName
Join(" ", [givenName], [surname])                              name.formatted

  8. Click Save and Yes.

Go to the following step to assign users to your SCIM application.
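As an added illustration (not code from Akamai or Microsoft), the following Python applies the attribute mappings from the table above to a constructed Entra ID user record and builds the SCIM 2.0 User body that a provisioning run would send, including the Switch expression for active, the omitted emails entry for a user without a mail attribute (who therefore gets no enrollment email), and the Tenant URL with the feature flag from step 5. The input record and all function names are assumptions for this example.

```python
# Added example: apply the Entra ID -> API attribute mappings from the table
# to a constructed user record and build the SCIM 2.0 /Users payload.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def switch_is_soft_deleted(is_soft_deleted):
    """Switch([IsSoftDeleted], , "False", "True", "True", "False"):
    a soft-deleted user maps to active=False, any other user to active=True."""
    # Entra evaluates IsSoftDeleted as the strings "True"/"False"; str() also
    # accepts Python booleans from a constructed record.
    return {"False": True, "True": False}[str(is_soft_deleted)]


def map_entra_user_to_scim(entra_user):
    """Build the SCIM User payload from a (constructed) Entra user dict with
    keys userPrincipalName, IsSoftDeleted, givenName, surname, optional mail."""
    scim = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": entra_user["userPrincipalName"],            # userPrincipalName -> userName
        "active": switch_is_soft_deleted(entra_user.get("IsSoftDeleted", "False")),
        "name": {
            "familyName": entra_user["surname"],               # surname -> name.familyName
            # Join(" ", [givenName], [surname]) -> name.formatted
            "formatted": " ".join(
                p for p in (entra_user.get("givenName"), entra_user.get("surname")) if p
            ),
        },
    }
    # mail -> emails[type eq "work"].value. A user with no mail attribute gets
    # no emails entry, so (per Prerequisites) no enrollment email is sent.
    if entra_user.get("mail"):
        scim["emails"] = [{"type": "work", "value": entra_user["mail"]}]
    return scim


def will_receive_enrollment_email(scim_user, send_enrollment_emails=True):
    """True only when the Send enrollment emails toggle is on and a work
    email address was mapped for the user."""
    return send_enrollment_emails and any(
        e.get("type") == "work" and e.get("value") for e in scim_user.get("emails", [])
    )


def tenant_url(base_url, flag="aadOptscim062020"):
    """Append the SCIM-compliance feature flag to the Base URL (step 5.1)."""
    separator = "&" if "?" in base_url else "?"
    return f"{base_url}{separator}{flag}"
```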

📘

To learn more about feature flags and SCIM 2.0 protocol compliance, see the Microsoft Entra ID documentation.

Assign users and groups in Entra ID

📘

For the latest instructions on how to assign users and groups in Entra ID, refer to the Microsoft Entra ID help page.

Follow this procedure to assign groups to your SCIM application.

  1. Log in as administrator to your account in the Microsoft Entra admin center.

  2. In the navigation menu, select Identity > Applications > Enterprise Applications and navigate to your enterprise application.

  3. In the directory navigation menu, select Users and groups.

  4. Click Add user/group.

    The Add Assignment dialog opens.

  5. In the Add Assignment dialog, click Users and groups to unfold a dialog with a list of available users.

  6. In the Users and groups dialog, select a user or group you want to assign and click Select.

  7. Click Assign.

    You've just enabled the immediate transfer of the selected memberships from Entra ID. Users and their privileges are now overwritten in ​Akamai MFA​.

Limitations

Removing users from a synced group, or removing a user that is directly assigned to the Akamai MFA Enterprise Application in the Users and groups section, may not cause the user to be marked as disabled in Akamai MFA. This is contrary to the behavior described in Entra ID's documentation, and such users can continue to use Akamai MFA. It may also prevent modification of the user until they are added back to the Enterprise Application. There are two ways to work around this issue.

  • One way is to mark the user as disabled, then navigate to Provisioning from your Enterprise Application and click Restart provisioning. Next, verify that the change went through by clicking the View provisioning logs link and observing an Update request for the affected user(s); this may take up to 40 minutes. Then, remove them from the synced group or application, and finally re-enable the user. The user should remain marked as disabled in Akamai MFA, as originally intended.
  • An alternative workaround is to create a policy that doesn't permit use of ​Akamai MFA​, and assign it to the affected users.