In this article, you'll learn how to configure SCIM with Microsoft Entra ID (formerly Azure Active Directory). Configuring SCIM for Microsoft Entra ID will allow you to add and manage users and groups in your KSAT console using Microsoft Entra ID.
The instructions in this article are for third-party software. If you experience issues with user provisioning in Microsoft Entra ID, we recommend reaching out to Microsoft Entra for specific instructions. You can also contact our support team and we will be happy to assist you.
Configuring SCIM
In this section, you'll learn how to configure your SCIM settings with Microsoft Entra. Please note that you should complete these steps after you've configured your settings in your KSAT console. For more information about configuring SCIM in your KSAT console, see our SCIM Configuration Guide.
To configure your SCIM settings with Microsoft Entra, follow the steps below:
- Log in to your Microsoft Entra portal and navigate to Microsoft Entra ID.
- From the Applications drop-down menu, click Enterprise applications.
- Click + New application.
- In the search bar, enter "KnowBe4" to filter your results.
- Click the KnowBe4 Security Awareness Training tile.
- Then, click Create. After you click Create, you'll be redirected to the Overview page for the application that you created. If you are not directed to the Overview page, you'll need to open the application from the list of Enterprise applications.
- Select the Provisioning tab from the menu on the left side of the page.
- Click Get started.
- Click the Provisioning Mode drop-down menu, and then select Automatic.
- Next, you'll need to enter the information from your Account Settings page. For more information about where you can find this information, see our SCIM Configuration Guide. In the Tenant URL field, enter the Tenant URL, and in the Secret Token field, enter the SCIM Token.
Important: This feature does not currently work with on-demand provisioning.
- After you’ve entered your information, click the Test Connection button. Clicking this button will allow you to ensure that you entered the correct information. If the connection is successful, a success banner will display at the top-right corner of your screen.
- Click the Save button at the top of the screen.
Next, you'll need to define which users and groups you would like Microsoft Entra ID to sync with your KSAT console.
Defining Which Users and Groups to Sync from Microsoft Entra
After completing the steps in the Configuring SCIM section above, you can decide which users and groups you would like to sync. This configuration is required in order to sync users and groups from your identity provider (IdP).
To define which users and groups you would like to sync from Microsoft Entra ID, follow the steps below:
- From your Microsoft Entra ID, navigate to Enterprise applications.
- Select the application you created for your KnowBe4 connection.
- Click Users and groups from the menu on the left side of the page.
- Click Add user/group to select the users or groups that you would like to sync.
- Click Users and groups to search for users or groups that you would like to include in your sync. To add a user or group, click on the name of the user or group. They will now show in the Selected items category.
Note: We recommend that you only include a few users when you first configure your settings. Starting with a few users allows you to ensure that the connection works properly before you add all the users and groups that you want to include.
- After you’ve added the users and groups you want to include to the Selected items category, click Select.
- Click Assign.
The users and groups that you selected will now display in the table.
Starting Your Sync
After you have configured SCIM and have added the users and groups that you want to sync, you'll need to start the sync. Once you start the sync, the system will automatically check for changes to your users and groups in Microsoft Entra ID every 40 minutes and will initiate a sync if changes were made.
To start your sync, follow the steps below:
- From your Microsoft Entra ID, navigate to Enterprise applications.
- Select the application that you created for your KnowBe4 connection.
- From the menu on the left side of the page, select Provisioning.
- Click Start provisioning.
The sync will be initiated immediately. After your initial sync, the system will check for changes to your Microsoft Entra ID every 40 minutes and will initiate a sync if changes were made.
To see the status of these syncs as well as any errors and additional information about your syncs, navigate to Users > Provisioning in your KSAT console.
Advanced Configuration Options
By enabling SCIM, the fields in your identity provider are automatically connected to the corresponding fields in your KSAT console. If you want to change the default mapping or add custom fields, you have the option to update these fields in Microsoft Entra.
To learn more about advanced configuration options for Microsoft Entra, see the subsections below:
Default Mappings
The default field mappings are shown below:
Default Azure Active Directory Attribute | KSAT Attribute | KSAT Field |
---|---|---|
userPrincipalName | userName | |
givenName | name.givenName | First Name |
surname | name.familyName | Last Name |
employeeId | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber | Employee Number |
jobTitle | title | Job Title |
companyName | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization | Organization |
department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | Department |
manager | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value Note: For manager information to sync, the applicable managers must be included in the sync. To add these managers to the sync, see the Defining Which Users and Groups to Sync from Microsoft Entra section above. | Manager Email |
displayName from the manager's Entra ID profile | displayName Note: The displayName for a user comes from their manager's Entra ID profile. As a result, a user's displayName will not display on their user profile in KSAT since their name is synced using other attributes. But it will display on their direct reports' user profiles. | Manager Name |
physicalDeliveryOfficeName | addresses[type eq "work"].formatted | Location |
telephoneNumber | phoneNumbers[type eq "work"].value | Phone Number |
mobile | phoneNumbers[type eq "mobile"].value | Mobile Phone Number |
Default Azure Active Directory Attribute | KSAT Attribute | KSAT Field |
---|---|---|
N/A | N/A | Time Zone |
N/A | N/A | Extension |
N/A | N/A | Language |
N/A | N/A | Comment |
N/A | N/A | Employee Start Date |
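The default mappings above, applied to one user, as an added example (not KnowBe4's or Microsoft's code): it expands each KSAT Attribute target path, including the enterprise extension URNs and the `[type eq "work"]` filters, into the SCIM User resource that path describes. The function names, the sample user and the choice to skip empty source values are assumptions made for illustration.

```python
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
DEFAULT_MAPPINGS = {  # this page's default table: Entra attribute -> SCIM target path
    "userPrincipalName": "userName",
    "givenName": "name.givenName",
    "surname": "name.familyName",
    "employeeId": ENTERPRISE + ":employeeNumber",
    "jobTitle": "title",
    "companyName": ENTERPRISE + ":organization",
    "department": ENTERPRISE + ":department",
    "manager": ENTERPRISE + ":manager.value",
    "physicalDeliveryOfficeName": 'addresses[type eq "work"].formatted',
    "telephoneNumber": 'phoneNumbers[type eq "work"].value',
    "mobile": 'phoneNumbers[type eq "mobile"].value',
}
FILTERED = re.compile(r'^(\w+)\[type eq "(\w+)"\]\.(.+)$')
# Constructed sample directory user (not real data); jobTitle is deliberately empty.
SAMPLE = {"userPrincipalName": "alice@example.com", "givenName": "Alice", "surname": "Ng",
          "department": "Finance", "jobTitle": None, "mobile": "+1 555 0101"}

def set_path(resource, path, value):
    """Write value into a SCIM resource at the given target attribute path."""
    if path.startswith("urn:"):  # extension attribute: nested under its schema URN
        schema, _, path = path.rpartition(":")
        resource = resource.setdefault(schema, {})
    match = FILTERED.match(path)
    if match:  # multi-valued attribute: pick (or create) the entry with this "type"
        attr, kind, path = match.groups()
        items = resource.setdefault(attr, [])
        resource = next((i for i in items if i["type"] == kind), None)
        if resource is None:
            resource = {"type": kind}
            items.append(resource)
    *parents, leaf = path.split(".")
    for key in parents:
        resource = resource.setdefault(key, {})
    resource[leaf] = value

def build_scim_user(entra_user, mappings=DEFAULT_MAPPINGS):
    """Build a SCIM User resource; empty source values are skipped (assumption)."""
    body = {}
    for source, target in mappings.items():
        if entra_user.get(source) not in (None, ""):
            set_path(body, target, entra_user[source])
    schemas = [CORE] + [key for key in body if key.startswith("urn:")]
    return {"schemas": schemas, **body}
```

Passing a mapping dictionary with one of the custom-field target attributes listed later on this page produces the same structure under the KnowBe4 extension URN.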
Changing the Default Mappings
You can change the default mappings to customize the user information that syncs between Microsoft Entra and your KSAT console.
To change the default mappings, follow the steps below:
- From your Microsoft Entra ID, navigate to Enterprise applications.
- Select the application you created for your KnowBe4 connection.
- From the menu on the left side of the page, select Provisioning.
- From the Provisioning window, click Edit attribute mappings under Manage provisioning.
- Click the Mappings drop-down arrow to expand the Mappings tab.
- Click Provision Azure Active Directory Users.
- Scroll down to the Attribute Mappings section. From this section, you'll see a list of all the attributes that have been mapped. The Azure Active Directory Attribute column displays the name of the attribute in Microsoft Entra. The KnowBe4 Attribute column displays the SCIM standard name for this attribute.
- Select the attribute you would like to edit.
- In the Edit Attribute side pane, customize the attribute. For details about the customization options, see the list below:
  - Mapping type: Select Direct from the drop-down menu.
  - Source attribute: Select the Azure field that you want to map to this custom field.
    Note: If you're using SSO for Microsoft Entra ID, this attribute should be the same as the SSO Source attribute. By default, the SSO Source attribute is user.userprincipalname. For more information, see the Add the KnowBe4 Application to Azure AD section of our How Do I Configure SSO/SAML with Azure Active Directory (AD)? article.
  - Default value if null: This field is optional, and we recommend that you leave it blank.
  - Target attribute: Select the custom field that you want to map to the Azure field you selected.
  - Match objects using this attribute: We recommend you select No.
  - Apply this mapping: We recommend you select Always.
Note: If there is an attribute you don’t want to sync, you can click the Delete button next to that attribute to disable syncing. This action will only remove the connection between this attribute and the corresponding field in your KSAT console. No data will be deleted from Azure.
- Once you have made the changes you would like to make, click Ok.
Note: We recommend that you only change the Source attribute field. Changing the other settings on the attribute may break the connection between Microsoft Entra and your KSAT console.
Adding Attribute Mapping for Custom User Fields
You also have the option to add six custom fields. These fields are not mapped by default, but you can add them to Microsoft Entra by following the steps below:
- From your Microsoft Entra ID, navigate to Enterprise applications.
- Select the application you created for your KnowBe4 connection.
- From the menu on the left side of the page, select Provisioning.
- From the Provisioning window, select Edit attribute mappings under Manage provisioning.
- Click the Mappings drop-down arrow to expand the Mappings tab.
- Click Provision Azure Active Directory Users.
- Click Add New Mapping at the bottom of the table.
- From the Edit Attribute window, select the Source attribute you would like to use.
- Then, select the Target Attribute that you would like to use. We offer the following custom fields:
KSAT Field | Target Attribute |
---|---|
Custom Field 1 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField1 |
Custom Field 2 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField2 |
Custom Field 3 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField3 |
Custom Field 4 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField4 |
Custom Date 1 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customDate1 |
Custom Date 2 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customDate2 |
Division | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division |
Organization | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization |
- We recommend leaving the rest of the settings at their default settings.
- Repeat step 9 for all of the custom fields you added in step 8.
- Click Save at the top of the screen to save your changes.
These custom fields will now sync to your KSAT console.
Frequently Asked Questions (FAQs)
Below is a list of frequently asked questions about using SCIM with Microsoft Entra ID.
How often do syncs occur?
The system will check for updates to the users and groups in your Microsoft Entra ID every 40 minutes. If changes are found, a sync will begin automatically. However, you can force a sync at any time by clicking the Force Sync Now button in the SCIM Settings section of your KSAT Account Settings.
How do you restore the default mappings?
You can restore the default mapping at any time by following the steps below:
- Navigate to Enterprise applications.
- Select the application you created for your KnowBe4 connection.
- From the menu on the left side of the page, select Provisioning.
- Click Edit attribute mapping under Manage provisioning.
- Click the Mappings drop-down arrow to expand the Mappings drop-down menu.
- Select Restore default mappings.
- Click Save at the top of the screen.
How do I sync all my users and groups?
If you would like to sync all users and groups from your Microsoft Entra ID, follow the steps below:
- Navigate to the application you set up for your SCIM connection.
- Navigate to Provisioning.
- Select Edit provisioning at the top of the screen or select Add scoping filters under Manage provisioning.
- Click the Settings drop-down menu.
- From the Scope drop-down menu, select Sync all users and groups.
- Click Save at the top of the page.
I don’t have the ability to assign users to an application by group. How can I limit the users being synced to my KSAT console?
Answer: To limit the users being synced to your KSAT console, you can set up a scoping filter. For more information about making a scoping filter, see Microsoft's Attribute-based application provisioning with scoping filters article.