The Azure Active Directory integration allows for real-time employee provisioning through Azure Active Directory utilizing SCIM API.
How does this integration work?
With the Envoy + Azure Active Directory integration, Envoy will allow employee provisioning and Single Sign On by utilizing the Envoy Enterprise app within Azure’s Active Directory portal.
Enabling the Envoy + Azure Active Directory integration
Note: You’ll need to be an admin on your Azure account to complete this integration. Either become an admin or ask your admin for help before completing these steps:
Configuring employee provisioning
Under Directory, find Microsoft Azure SCIM. Click “Install.”
Select “Sync all users” or “Sync specific users per location” and click “Save”.
Copy the OAuth Bearer Token from Envoy and note to be entered into Azure later.
Open the Azure portal and select Azure Active Directory -> Enterprise applications -> New application -> Add from the gallery -> search for Envoy and select add.
Open Provisioning tab and select “Provisioning Mode” as “Automatic”
Copy Envoy’s SCIM endpoint into “Tenant URL” =
https://app.envoy.com/scim/v2and paste the Oauth Bearer Token from the Envoy Dashboard.
• Note: Tenant URL above is for new instances, if existing, do not update.
Click on “Test Connection”, once successful, “Save”.
If applicable, go to the Mappings section on the Provisioning tab.
• Click on “Synchronize Azure Active Directory Groups to Envoy”.
• In the attribute Mappings section, delete the following group mapping attributes and “Save”:
Click on “Synchronize Azure Active Directory Users to Envoy”.
• In the attribute Mappings section, delete the following user mapping attributes and “Save”:
Click on “Users and groups” on the left hand side and then assign users or groups to the application. Note that Azure does not support nested groups for SCIM provisioning.
Once users are assigned, click on “Provisioning” on the left hand side and scroll down to the bottom and turn “Provisioning Status” On.
• Envoy is in the process of updating our official documentation Envoy app within the Microsoft Azure store.
• If you want Mobile phone instead of Office phones please change the following within Azure.
Find and delete
telephoneNumberfrom the mapping list.
mobileand click onto it so it brings up the editing pane.
Change the mapping to
phoneNumbers[type eq "work"].value
Configuring Single Sign On
In the Envoy dashboard go to Integrations and click Install on the SAML integration.
In the Azure portal, on the Envoy application page, select Single sign-on.
On the Select a Single sign-on method dialog, select SAML to enable single sign-on.
On the Set up Single Sign-On with SAML page, click the edit icon to open the Basic SAML Configuration dialog.
On the Basic SAML Configuration section, enter the following URLs:
• Identifier (Entity ID)-
• Reply URL (Assertion Consumer Service URL) -
• Sign on URL -
https://app.envoy.com/a/saml/auth/xxxx, your specific sign on URL will be found in Integrations > Enabled integrations > Configure SAML.
• Relay State -
Once all URL’s are entered correctly, hit “Save”.
7. In the SAML Signing Certificate section, click the edit icon to open SAML Signing Certificate dialog.
8. In the SAML Signing Certificate section, copy the Thumbprint and save it on your computer.
9. On the Set up Envoy section, copy the Login URL This URL is what you will enter into the Envoy integrations page for SAML as your “IDENTITY PROVIDER HTTP SAML URL”.
10. Login to your Envoy dashboard and go to your Integrations page and “Install” SAML.
11. Take the Thumbprint from step 3 in Azure of the setup and enter that value into the Fingerprint field provided in Envoy.
12. Paste the Login URL value, which you have copied from the Azure portal into the IDENTITY PROVIDER HTTP SAML URL textbox.
Choose whether you want SAML “Required” and toggle ON if needed, then “Save”.