All Collections
Apps
Directory
Microsoft Azure Active Directory Integration
Microsoft Azure Active Directory Integration

Use Microsoft Azure AD to automatically sync employees into your Envoy directory.

Updated over a week ago

How does Azure work with Envoy?

The Azure Active Directory integration allows for real-time employee provisioning through Azure Active Directory utilizing SCIM API.

With the Envoy + Azure Active Directory integration, Envoy will allow employee provisioning and Single Sign-On (SSO) by utilizing the Envoy Enterprise app within Azure’s Active Directory portal.

Important Note: Azure is available on Microsoft GCC High (Government Community Cloud) accounts and GCC High is compatible with our Azure directory integration.

Note: From August 2023, Azure AD is undergoing a name change to Microsoft Entra ID. Only the name is changing, all features and services remain the same. Microsoft expect the name change from Azure AD to Microsoft Entra ID to be complete across most product experiences by the end of 2023.

Employee Provisioning

Step One: Azure AD account and employees setup

Make sure you have you Azure account created and you have added your employees to your account. Create groups as needed in Azure and assign users to those groups.

You’ll need to have admin privileges to complete this installation. Either become an admin or ask your admin for help before completing these steps.

Step Two: Enable Envoy + Azure AD

  1. On the Envoy dashboard, go to your Apps page.

  2. Under Directory and SSO click on Directory Settings.

  3. Click Install under Microsoft Azure AD.

  4. Choose from one of the following options for syncing employees to your directory and click Save:

    1. Sync all users: This is good for companies with one location, or if you prefer to have the same master Envoy employee directory at all locations within your company.

    2. Sync specific users per location: Choose this option if you’d like to sync certain users to certain locations (i.e., creating different Envoy employee directories per location).

  5. Copy the OAuth Bearer Token from Envoy and note to be entered into Azure later.

Step Three: Configure Azure AD settings

  1. Open the Azure portal and select Azure Active Directory > Enterprise applications > New application > Add from the gallery > search for Envoy and select Add.

  2. Open the Provisioning tab and set Provisioning Mode as Automatic.

  3. Copy Envoy’s SCIM endpoint https://app.envoy.com/scim/v2 into the Tenant URL field.

  4. Paste the OAuth Bearer Token copied from the Envoy Dashboard.

    1. Note: Tenant URL above is for new instances, if existing, do not update.

  5. Click on Test Connection, once successful, click Save.

  6. Click on Users and groups on the left hand side and then assign users or groups to the application. **Azure does not support nested groups for SCIM provisioning.

  7. Once users are assigned, click on Provisioning on the left hand side and scroll down to the bottom and turn Provisioning Status On.

  8. (Optional) To test provisioning on a single user, utilize the Provision on demand feature in Azure.

Important Notes:

Phone Number:

Envoy is in the process of updating our official documentation Envoy app within the Microsoft Azure store. If you want Mobile phone instead of Office phones please change the following within Azure.

  1. Navigate to the Envoy Enterprise App > Provisioning > Mapping and click on Provision Azure Active Directory Users.

  2. Find and delete telephoneNumber from the mapping list.

  3. Find mobile and click onto it so it brings up the editing pane.

  4. Change the mapping to phoneNumbers[type eq "work"].value.

Configuring Single Sign On

  1. In the Envoy dashboard go to Apps > Directory and SSO and click Directory settings and then click Install on the SAML integration.

  2. In the Azure portal, on the Envoy application page, select Single sign-on.

  3. On the Select a Single sign-on method dialog, select SAML to enable single sign-on.

  4. On the Set up Single Sign-On with SAML page, click the edit icon to open the Basic SAML Configuration dialog.

  5. On the Basic SAML Configuration section, enter the following URLs:

    1. Identifier (Entity ID)- https://app.envoy.com/a/saml/metadata

    2. Reply URL (Assertion Consumer Service URL) - https://app.envoy.com/a/saml/consume

    3. Sign on URL - https://app.envoy.com/a/saml/auth/xxxx, your specific sign on URL will be found in Apps > Directory and SSO > Configure SAML.

    4. Relay State - https://dashboard.envoy.com/

  6. Once all URL’s are entered correctly, hit “Save”.

  7. In the SAML Signing Certificate section, click the edit icon to open SAML Signing Certificate dialog.

  8. In the SAML Signing Certificate section, copy the Thumbprint and save it on your computer.

  9. On the Set up Envoy section, copy the Login URL. This URL is what you will enter into the Envoy integrations page for SAML as your “IDENTITY PROVIDER HTTP SAML URL”.

  10. Login to your Envoy dashboard and go to your Apps page and “Install” SAML.

  11. Take the Thumbprint from step 3 in Azure of the setup and enter that value into the Fingerprint field provided in Envoy.

  12. Paste the Login URL value, which you have copied from the Azure portal into the IDENTITY PROVIDER HTTP SAML URL text box.

  13. Choose whether you want SAML Required and toggle ON if needed, then Save.

Configuring assistants

Please be aware that Azure does not support the assistant feature of Envoy. If you would like to use assistants in Envoy manually, please alert Support to whitelist your account.

Admin Provisioning

Envoy makes it easy for our customers on Visitors Enterprise and Workplace Premium Plus to automatically provision their admin users from Okta using Azure.

Sync admins

  1. Create groups as needed in Azure and assign users to those groups.

    1. Assign the group to the Envoy app

      1. Navigate to Home → Enterprise applications → select Envoy app

      2. Click `Add user/group`

      3. Click the `None Selected` link under Users and groups

      4. Search for your group and select it

      5. Click `Assign`

    2. Now provision the group to Envoy (Optional, do this if you want to have immediate access to the groups in Envoy. Otherwise the groups will get provisioned on the pre-defined schedule)

      1. Navigate to Home → Enterprise applications → select Envoy app

      2. Click provisioning

      3. Click provision on demand

      4. Search for and select your group, select the members you’d like to be included, then click the Provision button

    3. Here’s additional information on how to create groups in Azure AD.

  2. Sync your directory with Envoy. You can follow these instructions, if you have not already set up your integration with Envoy.

  3. After you've configured Azure with Envoy, navigate to Employee directory > Admin roles.

  4. Click on Sync Settings at the top of the page.

  5. Under Sync admins, select the group you want to assign roles to.

  6. Select an Envoy role and one or more location from the dropdown menu for each group. (The list of group names is pulled from Azure.)

  7. Click Add > Done.

Admin Provisioning FAQ

  • Admins can only have one location role and one company role using SCIM.

    • Location roles:

      • Location admin

      • Front desk admin

      • Deliveries

      • Security admin

    • Company roles:

      • Global admin

      • Billing admin

  • Envoy will give admins the higher role assigned. For example, If a user is in multiple groups in Azure and each group is mapped to two different location roles (Front Desk Admin and Location Admin), then the admin will be assigned the Location Admin role.

  • If you already have manual entries in the directory and sync with a SCIM, this will take over and delete the manual entries.

  • Synced roles will take priority over manual only if the synced role has higher priority permissions. If you have a front desk admin role (manual) and you are SCIM mapped to the security admin role, you will still have a manual front desk admin role for that location.

  • If you disconnect Azure, your roles will turn into manual roles and will stop syncing. Your mappings won't be saved and you will start from scratch the next time you sync with a SCIM.

  • You cannot manually delete synced roles. You must remove that person from the Azure group first.

  • If you are not seeing the roles you are looking for, be sure to check the filters at the top of the page.

Related Articles
Centrify App
Okta
OneLogin Application
LDAP directory sync
SSO for Envoy via Microsoft Active Directory
Did this answer your question?