The Azure Active Directory integration allows for real-time employee provisioning through Azure Active Directory utilizing SCIM API.
- How does this integration work?
- Enabling the Envoy + Azure Active Directory integration
- Important notes
How does this integration work?
With the Envoy + Azure Active Directory integration, Envoy will allow employee provisioning and Single Sign On by utilizing the Envoy Enterprise app within Azure’s Active Directory portal.
Enabling the Envoy + Azure Active Directory integration
Note: You’ll need to be an admin on your Azure account to complete this integration. Either become an admin or ask your admin for help before completing these steps:
Configuring employee provisioning
- Go to Integrations > All integrations.
- Under Directory, find Microsoft Azure SCIM. Click “Install.”
- Select “Sync all users” or “Sync specific users per location” and click “Save”.
- Copy the OAuth Bearer Token from Envoy and note to be entered into Azure later.
- Open the Azure portal and select Azure Active Directory -> Enterprise applications -> New application -> Add from the gallery -> search for Envoy and select add.
- Open Provisioning tab and select “Provisioning Mode” as “Automatic”
- Copy Envoy’s SCIM endpoint into “Tenant URL” = https://app.envoy.com/scim/v2 and paste the Oauth Bearer Token from the Envoy Dashboard.
- Note: Tenant URL above is for new instances, if existing, do not update.
8. Click on “Test Connection”, once successful, “Save”
9. Go to the Mappings section on the Provisioning tabClick on “Synchronize Azure Active Directory Groups to Envoy”.
In the attribute Mappings section, delete the following group mapping attributes and “Save”:
Click on “Synchronize Azure Active Directory Users to Envoy”.
In the attribute Mappings section, delete the following user mapping attributes and “Save”:
10. Click on “Users and groups” on the left hand side and then assign users or groups to the application. Note that Azure does not support nested groups for SCIM provisioning.
11. Once users are assigned, click on “Provisioning” on the left hand side and scroll down to the bottom and turn “Provisioning Status” On.
Note: Envoy is in the process of updating our official documentation Envoy app within the Microsoft Azure store.
Configuring Single Sign On
- In the Azure portal, on the Envoy application page, select Single sign-on.
- On the Select a Single sign-on method dialog, select SAML to enable single sign-on.
- On the Set up Single Sign-On with SAML page, click the edit icon to open the Basic SAML Configuration dialog.
- On the Basic SAML Configuration section, enter the following URLs:
- Identifier (Entity ID)- https://app.envoy.com/a/saml/metadata/
- Reply URL (Assertion Consumer Service URL)- https://app.envoy.com/a/saml/consume/
- Sign on URL- https://app.envoy.com/a/saml/auth/xxxx
Note you will find the company specific sign on URL within the SAML integration in the Envoy dashboard
- Relay State- https://dashboard.envoy.com/
5. Once all URL’s are entered correctly, hit “Save”.
6. In the SAML Signing Certificate section, click the edit icon to open SAML Signing Certificate dialog.
7. In the SAML Signing Certificate section, copy the Thumbprint and save it on your computer.
8. On the Set up Envoy section, copy the Login URL This URL is what you will enter into the Envoy integrations page for SAML as your “IDENTITY PROVIDER HTTP SAML URL”.
9. Login to your Envoy dashboard and go to your Integrations page and “Install” SAML.
10. Take the Thumbprint you copied previously and enter that value into the Fingerprint field provided.
11. Paste the Login URL value, which you have copied form the Azure portal into the IDENTITY PROVIDER HTTP SAML URL textbox.
12. Choose whether you want SAML “Required” and toggle ON if needed, then “Save”.
- If you plan to assign assistants manually within the web dashboard, please reach out to Envoy Support prior to setting up SCIM syncing to configure this on your account.