Entra ID - Importing Attributes via SCIM
The purpose of this article is to provide instructions on how to import Attributes into Immuta from Entra ID
Last updated
The first step in importing attributes into Immuta is to create a SCIM schema to associate with the attributes in Azure. To create the SCIM schema: navigate to your Enterprise Application in Azure for Immuta > Click on the Provisioning tab on the left > Click on Edit attribute mappings > Expand the Mappings drop-down and click on Provision Microsoft Entra ID Users > Scroll to the bottom and check the Show advanced options box > Click on Edit attribute list for customappsso. You should see a page similar to the one below:
The SCIM schema must follow a URN format. Microsoft has previously recommended the format below for custom schemas, where the CustomExtensionName and CustomAttribute fields are editable:
To create the SCIM schema, you’ll need to scroll to the bottom of the page and add the schema to the empty text box. Take note of the SCIM schema as that is one of the values we’ll have to enter into Immuta later. Next click on Save and move back to the previous screen.
In order to map a value to the new SCIM schema you’ll want to be on this page:
Next, click on the Add New Mapping field directly below the present attributes. Here you’ll see a screen where you will map a value from an Azure profile field into the SCIM schema we just created.
The field Source attribute refers to the profile field that you’ll want to be used in an attribute.
The field Target attribute is where we’ll select the newly created SCIM schema.
The Mapping type field allows you to select Direct, Constant, or Expression.
Direct maps a profile field directly to the SCIM schema.
Constant associates a fixed value of your choosing with the SCIM schema.
Expression lets you build an expression; for example, you can create an expression that casts the email field in a profile to upper or lower case. More information on expressions can be found in Azure’s expression builder, which is located at the bottom of the Attribute Mapping page.
Once the above options are selected, click on Save. Next, we’ll configure the attribute in Immuta so that Immuta can receive and accept it from Azure.
Navigate to the App Settings page > expand your IAM by clicking on the caret to the left of its name > Scroll down to the Attribute Schema section:
In the left field, SCIM Schema, enter the name of the SCIM schema that you created in Azure in the first step:
When you enter this value into Immuta, omit the final field, CustomAttribute.
Example: urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User
In the right field, IAM Immuta Attribute Prefix, enter the prefix that Immuta will prepend to the attribute name.
Once complete, click on Test Connection, Test User Login, and Save.
Once the above steps are completed, Azure will update Immuta with the attribute values during the next incremental SCIM sync (by default every 40 minutes). You can also use Provision on Demand from Azure to test and view the value on an Immuta user immediately. To view the attribute, navigate to the People/Admin tab, select your IAM from the drop-down on the right side of the screen, and click on a user. The attribute should be displayed on the user’s profile page, for example:
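The following Python script is an added example, not code from Immuta or Microsoft. It shows the two pieces of the configuration above that are easy to get wrong: that the value entered in Immuta’s SCIM Schema field is the custom extension URN with its final CustomAttribute segment removed, and how a mapped attribute actually arrives inside the SCIM User resource that the Entra ID provisioning service sends. The extension name ImmutaDemo, the attribute names, the prefix entra and the SCIM payload are all constructed for illustration, and the `<prefix>.<attribute>` naming of the resulting Immuta attribute is an assumption rather than documented Immuta behaviour.

```python
# Added example: not code from Immuta or Microsoft. Shows (1) how the SCIM Schema
# value Immuta asks for is the custom extension URN without its final
# CustomAttribute segment and (2) how a mapped attribute arrives inside a SCIM
# User resource sent by the Entra ID provisioning service.
import re
from typing import Dict, Tuple

# Custom extension attribute URN shape used in the Entra ID attribute list
# (derived from the article: the SCIM Schema value entered in Immuta is this
# URN with the final CustomAttribute segment omitted).
EXTENSION_URN_RE = re.compile(
    r"^(?P<schema>urn:ietf:params:scim:schemas:extension:"
    r"(?P<extension>[A-Za-z0-9_-]+):2\.0:User):(?P<attribute>[A-Za-z0-9_-]+)$"
)


def split_extension_urn(urn: str) -> Tuple[str, str]:
    """Return (schema, attribute) for a custom extension attribute URN.

    Rejects anything that does not match the expected shape, so a typo in the
    Entra attribute list is caught before it is copied into Immuta.
    """
    match = EXTENSION_URN_RE.match(urn)
    if match is None:
        raise ValueError(f"not a custom SCIM extension attribute URN: {urn!r}")
    return match.group("schema"), match.group("attribute")


def immuta_schema_value(urn: str) -> str:
    """The value to enter in Immuta's SCIM Schema field: the URN minus CustomAttribute."""
    return split_extension_urn(urn)[0]


def extract_attributes(user: Dict, schema: str, prefix: str) -> Dict[str, str]:
    """Collect the extension attributes under `schema` from a SCIM User resource.

    A receiver should only trust attributes under a schema the resource declares
    in its "schemas" list; an undeclared extension usually means the mapping in
    Entra points at the wrong target, so it is rejected rather than ignored.
    Naming the result "<prefix>.<attribute>" is an assumption for illustration,
    not documented Immuta behaviour.
    """
    if schema not in user.get("schemas", []):
        raise ValueError(f"resource does not declare extension schema {schema!r}")
    extension = user.get(schema) or {}
    return {
        f"{prefix}.{name}": str(value)
        for name, value in extension.items()
        if value not in (None, "")  # treat empty source fields as unset
    }


# Constructed sample: what the Entra provisioning service might send for one
# user after a Direct mapping of the "department" profile field and a Constant
# mapping of "CostCenter" into the custom extension schema.
CUSTOM_SCHEMA = "urn:ietf:params:scim:schemas:extension:ImmutaDemo:2.0:User"
SAMPLE_USER = {
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        CUSTOM_SCHEMA,
    ],
    "userName": "jdoe@example.com",
    "active": True,
    CUSTOM_SCHEMA: {
        "Department": "Finance",
        "CostCenter": "CC-1234",
        "Region": "",  # mapped in Entra but empty in the source profile
    },
}


if __name__ == "__main__":
    full_urn = CUSTOM_SCHEMA + ":Department"
    print("SCIM Schema field:", immuta_schema_value(full_urn))
    print("attributes:", extract_attributes(SAMPLE_USER, CUSTOM_SCHEMA, "entra"))
```

Running the script prints the schema value to paste into Immuta and the two populated attributes under the entra prefix; the empty Region value is dropped, and a resource that does not declare the extension schema raises an error instead of silently yielding no attributes.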