How to Upgrade from Legacy SCIM
KnowBe4 currently has two versions of SCIM: a supported version and a legacy version that is no longer supported. This guide will show you how to update your KnowBe4 account from the legacy version of SCIM to the new version of SCIM.
Note: If you're currently using Legacy SCIM with Azure and would like to upgrade to SCIM, you will need to either edit your existing KnowBe4 Security Awareness Training application in Azure or add the new SCIM application from the Azure Gallery. You aren't able to modify your existing, custom Azure application that is used for Legacy SCIM. To learn how to set up a new Azure application, see our How to Configure SCIM for Azure article.
You can keep the Azure application that you used for Legacy SCIM while testing SCIM as long as you pause the Legacy SCIM application from syncing by clicking Stop Provisioning in your Azure admin console. Once the new SCIM connection is established and verified, you can remove the legacy application.
Updating to the Newest Version
Updating your account to the newest version of SCIM will provide your organization with important security and feature updates. See the steps below to update your account to the new version of SCIM.
- Log in to your KnowBe4 account.
- Click on your email address in the top-right corner of the page and click Account Settings.
- Navigate to User Management > User Provisioning and click SCIM.
- Note: You can toggle between the two SCIM options in your Account Settings. Your KnowBe4 account will only process SCIM syncs from the selected SCIM option in your Account Settings. If you have SCIM selected, any Legacy SCIM syncs received from your Okta identity provider to your KnowBe4 account will display as Skipped in your Sync Reports page.
- Expand your SCIM settings by clicking + SCIM Settings.
- Generate SCIM Token. This button will open a new window with your token ID. Copy this ID and save it to a place that you can easily access later. It is important that you save this token because once you close this window, you cannot view the token again. Once you’ve saved the token, click OK to close the window.
Note: Once your SCIM token is generated, the Generate SCIM Token button will change to the Regenerate SCIM Token button. See our SCIM Configuration Guide for more information about the button.
- Copy the Tenant URL and save it to a place that you can easily access later.
- Make sure that the Test Mode option is enabled.
Note: We recommend keeping Test Mode enabled until you’ve configured the connection between KnowBe4 and your identity provider and have run a successful sync. Test Mode is used to generate a report of what will happen when SCIM is enabled. This means that no changes are made to your console, so you can configure your setup without worrying about changes to your console. When you're ready, you can disable Test Mode from your Account Settings to enable syncing.
If you're switching from ADI to SCIM or from Legacy SCIM to SCIM, Test Mode will be enabled automatically after you click Save Changes.
- Scroll down to the bottom of the Account Settings page and click Save Changes.
Now that you've enabled the newest SCIM version in your KnowBe4 account, you're ready to finalize the connection with your identity provider. To learn how to configure SCIM for the identity provider that you're using, see the articles listed below:
For further assistance with this feature, please contact our support team and they will be happy to help.
Syncing Location, Phone Number, and Cell Phone Fields
For the Azure version of SCIM, the Mobile Phone, Telephone, and Location fields won't sync automatically once you update to the latest version. To sync these fields, you'll need to map them to the KMSAT application in Azure.
To map the fields to your KMSAT application, follow the steps below:
- Log in to your Microsoft 365 admin portal and select Azure Active Directory.
- Navigate to Applications > Enterprise applications.
- Select the KnowBe4 Security Awareness Training application.
- Select the Provisioning tab.
- Click Edit Provisioning.
- Click the Mappings drop-down menu.
- Click Provision Azure Active Directory Users.
- At the bottom of this page, click the Show advanced options check box.
- Click Edit attribute list for KnowBe4.
- Add the attributes you would like to sync. For more information, see the table below:
Default Azure Active Directory Attribute KMSAT Attribute KMSAT Field
addresses[type eq "work"].formatted Location telephoneNumber phoneNumbers[type eq "work"].value Phone Number mobile phoneNumbers[type eq "mobile"].value Mobile Phone Number
- Once you’ve added the attributes, you'll need to map them to an Azure field. For more information, see the Adding Attribute Mapping for Custom User Fields section of our How to Configure SCIM for Azure article.
Note: Make sure to select the KnowBe4 Security Awareness application instead of the application you used for SCIM Legacy.