
SCIM integration for Microsoft Entra ID

Intro

This document describes how to set up the integration between LessorWorkforce and identity management systems that support SCIM (System for Cross-domain Identity Management), so that users are provisioned into LessorWorkforce automatically.

The guide focuses on provisioning users to LessorWorkforce through Microsoft® Entra ID.

 

Prerequisites

You must have Microsoft® Entra ID (formerly Azure Active Directory) and use it to manage your users. Your organization must authenticate users through Single Sign-On (SSO).

Integrating Microsoft Entra ID with LessorWorkforce takes two steps:

  1. Adding LessorWorkforce as an application in your Microsoft Entra ID
  2. Configuring Microsoft Entra ID for your authentication method

 

Creating LessorWorkforce as an Application in Microsoft Entra ID

  1. Log in to the Microsoft Entra admin center (https://entra.microsoft.com) to create LessorWorkforce as an enterprise application in Microsoft Entra ID. The account needs rights to create enterprise applications: the Cloud Application Administrator role is sufficient for this and for the provisioning steps later in this guide, so a Global Administrator account is not required (creating the custom roles described below additionally requires the Privileged Role Administrator role).
  2. Go to Applications and select Enterprise Applications.
  3. Click New Application.


  1. Choose Create your own application and give your application a relevant name. 
     
  2. Copy the Application ID and Object ID; you will need both for the setup in LessorWorkforce. For example:

     Application ID:  830a3873-7adc-4e80-b1fa-b2eab4a470ca
     Object ID:       054aa04a-7b65-4e87-a993-32f8a25c8fd7

 

Add groups and members to your application

When the application has been created you can add groups and users to the application.

  1. For a group to be synchronized to LessorWorkforce, create it with the following settings:
    • Group type must be Security (required for groups to be members of other groups)
    • Group name and Group description
    • Membership type must be Assigned

 


 

  2. When the information is filled in, create the group.

 

Both LessorWorkforce departments and groups must be created as groups in Entra ID. 

Groups and users should be created in a hierarchy like this:

 

    LessorWorkforce     Microsoft Entra ID
    Department          Group
    Group               Group
    User                User

 

Groups representing departments in LessorWorkforce must only contain groups as members, no users. Groups representing groups in LessorWorkforce must only contain users as members, no groups.

 

Although Microsoft Entra ID allows groups to be nested to any depth and users to be members at any level, LessorWorkforce does not support this. Groups nested more than one level below a department, or users added directly to a department, are rejected by LessorWorkforce with an error message.

 

  1. Add the groups to a department by ticking the checkbox next to each relevant group and clicking “Select”.
  2. Add users as members of the groups.
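Because LessorWorkforce only reports hierarchy mistakes at synchronization time, it is worth checking the groups before they are added to the provisioning scope. The following is an added example (not code from LessorWorkforce or Microsoft) that applies the rules above to group data shaped like Microsoft Graph group objects with their direct members; the tenant data is constructed for the example and deliberately contains every mistake the rules reject. The group and user type strings are the Graph `@odata.type` values; the `securityEnabled` and `groupTypes` checks are how a Security/Assigned group is distinguished from a Microsoft 365 or dynamic one.

```python
from typing import Dict, List, Set

GROUP = "#microsoft.graph.group"
USER = "#microsoft.graph.user"

# Constructed sample tenant (not real data): two departments, four groups.
# Each entry is shaped like a Microsoft Graph group object plus its direct
# members, and deliberately includes every mistake the rules above reject.
SAMPLE_GROUPS: Dict[str, dict] = {
    "dept-sales": {"displayName": "Sales", "securityEnabled": True, "groupTypes": [],
                   "members": [{"@odata.type": GROUP, "id": "grp-sales-dk"},
                               {"@odata.type": GROUP, "id": "grp-sales-se"}]},
    "dept-it": {"displayName": "IT", "securityEnabled": True, "groupTypes": [],
                "members": [{"@odata.type": GROUP, "id": "grp-it-ops"},
                            {"@odata.type": USER, "id": "user-dana"}]},   # user directly in a department
    "grp-sales-dk": {"displayName": "Sales DK", "securityEnabled": True, "groupTypes": [],
                     "members": [{"@odata.type": USER, "id": "user-anna"},
                                 {"@odata.type": USER, "id": "user-bo"}]},
    "grp-sales-se": {"displayName": "Sales SE", "securityEnabled": True,
                     "groupTypes": ["DynamicMembership"],                 # Dynamic, not Assigned
                     "members": [{"@odata.type": USER, "id": "user-carl"}]},
    "grp-it-ops": {"displayName": "IT Ops", "securityEnabled": False,
                   "groupTypes": ["Unified"],                             # Microsoft 365 group, not Security
                   "members": [{"@odata.type": USER, "id": "user-dana"},
                               {"@odata.type": GROUP, "id": "grp-it-oncall"}]},  # second nesting level
    "grp-it-oncall": {"displayName": "IT On-call", "securityEnabled": True, "groupTypes": [],
                      "members": [{"@odata.type": USER, "id": "user-anna"}]},
}
DEPARTMENTS = ["dept-sales", "dept-it"]   # the groups that represent LessorWorkforce departments


def check_group_settings(gid: str, group: dict) -> List[str]:
    """Rules for every synchronized group: type Security, membership Assigned."""
    problems = []
    types = group.get("groupTypes", [])
    if not group.get("securityEnabled") or "Unified" in types:
        problems.append(f"{gid}: group type must be Security, not Microsoft 365")
    if "DynamicMembership" in types:
        problems.append(f"{gid}: membership type must be Assigned, not Dynamic")
    return problems


def check_hierarchy(groups: Dict[str, dict], departments: List[str]) -> List[str]:
    """Return every violation of the Department > Group > User layout.

    A department may contain only groups; each of those groups may contain
    only users. Anything else is what LessorWorkforce rejects at sync time.
    """
    problems: List[str] = []
    for dept_id in departments:
        problems += check_group_settings(dept_id, groups[dept_id])
        for member in groups[dept_id]["members"]:
            if member["@odata.type"] == USER:
                problems.append(f"{dept_id}: user {member['id']} is a direct member of a department")
                continue
            grp_id = member["id"]
            problems += check_group_settings(grp_id, groups[grp_id])
            for inner in groups[grp_id]["members"]:
                if inner["@odata.type"] == GROUP:
                    problems.append(f"{grp_id}: nested group {inner['id']} "
                                    "(only one level below a department is allowed)")
    return problems


def users_in_scope(groups: Dict[str, dict], departments: List[str]) -> Set[str]:
    """Users that would be provisioned: all direct user members of the groups
    under each department. A user in several groups appears once."""
    users: Set[str] = set()
    for dept_id in departments:
        for member in groups[dept_id]["members"]:
            if member["@odata.type"] == GROUP:
                users.update(m["id"] for m in groups[member["id"]]["members"]
                             if m["@odata.type"] == USER)
    return users


if __name__ == "__main__":
    for line in check_hierarchy(SAMPLE_GROUPS, DEPARTMENTS):
        print("REJECT", line)
    print("in scope:", sorted(users_in_scope(SAMPLE_GROUPS, DEPARTMENTS)))
```

Run against the sample, the check reports the dynamic group, the Microsoft 365 group, the second nesting level and the user placed directly in a department; `users_in_scope` shows that a user who is a member of two groups (user-anna) is still provisioned once, and that a user who is only a direct member of a department is not picked up through that path.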

 

Assign roles to users

If you want to give users a rights profile in LessorWorkforce, you must create the corresponding roles in Entra ID.

  1. Creating custom roles requires a Microsoft Entra ID P1 or P2 license, and the role name must be identical to the profile name in LessorWorkforce (match spelling and capitalisation exactly).
  2. Create the role by clicking Roles and Administrators and then “New Custom Role”.
  3. On the “Basics” tab, give the role the same name as the profile in LessorWorkforce and a description.
  4. Click “Save”.

 

You do not need to grant any permissions to the role; it only needs to exist so that its name can be synchronized to LessorWorkforce. Leave it without permissions: the role is a label for the provisioning mapping, not an administrative right in Entra ID.

When the role has been created, users can be assigned to it.

  1. Click Roles and Administrators and then click the role you want to assign.
  2. Click “Add assignments” and select the users who should receive the role.

Add the attribute to the provisioning mapping

This mapping is edited inside the provisioning configuration, so it can only be added once provisioning has been set up (see “Set up provisioning” below). Start the synchronization only after the mapping is in place.

 

  1. Go to “Provisioning” and select the provisioning configuration you created.
  2. Go to “Attribute mapping” and click “Provision Microsoft Entra ID Users”.
  3. Click “Add new mapping”.

 

  4. Choose “Expression” as the mapping type and enter

       SingleAppRoleAssignment([appRoleAssignments])

     in the expression field, then select

       roles[primary eq "True"].value

     as the target attribute. Click “Ok”.

The expression exports the single application role assigned to the user for this application, and the target attribute places it in the SCIM roles attribute flagged as primary. The expression is only defined for one assignment per user, so assign each user exactly one role; a user with no role assignment gets no roles value.
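To see what the mapping above actually sends, and to catch the two mistakes the role steps warn about (a role name that does not match a LessorWorkforce profile, and a user holding more than one role), here is an added example that models the mapping end to end. It is not code from LessorWorkforce or Microsoft: the user and role data are constructed, the role type string is the one Entra ID uses for app role assignments (an assumption taken from Microsoft's provisioning documentation), and refusing users with several assignments is this model's choice for a case the Entra expression does not define.

```python
import json
from typing import Dict, List, Optional

# Constructed sample data (not from a real tenant). Assumption: the value Entra ID
# exports for an app role assignment is the role's name, so these strings must
# match LessorWorkforce profile names exactly.
APP_ROLE_ASSIGNMENTS: Dict[str, List[str]] = {
    "anna@example.com": ["Manager"],
    "bo@example.com": [],                         # no role assigned
    "carl@example.com": ["Manager", "Payroll"],   # two roles: outside what the expression is defined for
    "dana@example.com": ["Supervisor"],           # role name with no LessorWorkforce profile
}
WORKFORCE_PROFILES = {"Manager", "Employee", "Payroll"}   # profile names as defined in LessorWorkforce


def single_app_role_assignment(assignments: List[str]) -> Optional[str]:
    """Model of SingleAppRoleAssignment([appRoleAssignments]).

    Returns the one assigned role, or None if there is none. The Entra expression
    is only defined for a single assignment; this model refuses multiple
    assignments instead of picking one (assumption about how to treat that case).
    """
    if not assignments:
        return None
    if len(assignments) > 1:
        raise ValueError(f"{len(assignments)} app roles assigned; assign exactly one")
    return assignments[0]


def build_scim_user(user_principal_name: str, display_name: str, role: Optional[str]) -> dict:
    """SCIM 2.0 User resource as the mapping produces it: the role lands at
    roles[primary eq "True"].value. The role type string is the one Entra ID
    uses for app role assignments (assumption taken from Microsoft's docs)."""
    user = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user_principal_name,
        "displayName": display_name,
        "active": True,
    }
    if role is not None:
        user["roles"] = [{"primary": "True", "type": "WindowsAzureActiveDirectoryRole", "value": role}]
    return user


def primary_role(scim_user: dict) -> Optional[str]:
    """What the receiving side reads back: evaluate roles[primary eq "True"].value."""
    for entry in scim_user.get("roles", []):
        if str(entry.get("primary")).lower() == "true":
            return entry.get("value")
    return None


def provision_all() -> Dict[str, object]:
    """Build the payload for every sample user. Users the mapping cannot handle
    are kept as an explanatory string so the assignment can be fixed before
    the first synchronization runs."""
    out: Dict[str, object] = {}
    for upn, roles in APP_ROLE_ASSIGNMENTS.items():
        try:
            role = single_app_role_assignment(roles)
        except ValueError as exc:
            out[upn] = f"skipped: {exc}"
            continue
        if role is not None and role not in WORKFORCE_PROFILES:
            out[upn] = f"skipped: role {role!r} has no identically named LessorWorkforce profile"
            continue
        out[upn] = build_scim_user(upn, upn.split("@")[0].capitalize(), role)
    return out


if __name__ == "__main__":
    for upn, result in provision_all().items():
        print(upn, json.dumps(result, indent=2) if isinstance(result, dict) else result)
```

The profile-name comparison is an exact string match, which is the behaviour the role steps require; if you want to tolerate capitalisation differences, that has to be fixed by renaming the role in Entra ID, not by loosening the check, because Entra ID sends the name as-is.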
     

 

Set up provisioning

To synchronize users and their related data to LessorWorkforce you must set up provisioning.

  1. Select “Provisioning” in the left menu under “Manage”.
  2. Click “New configuration”.

Then test the connection:

  1. Enter the Tenant URL and Secret Token in the fields under Admin credentials and click “Test connection”.

The Secret Token is the bearer credential Entra ID presents to the SCIM endpoint on every request. Anyone who holds it can create, change and deactivate users through that endpoint, so treat it like a password: store it only in the provisioning configuration, do not paste it into tickets or chat, and replace it if it is exposed.

When the connection is successful you need to add the groups (LessorWorkforce departments and groups) that you want to synchronize. 

 

Note that you cannot select individual members of a group for synchronization: all direct members (users) of a selected group are synchronized.

 

It is possible for users to belong to several groups. 

 

  1. Go to your application, choose “Provisioning” and then “Users and groups”.
  2. Click “Add user/group”.
  3. Select the users and groups from the list and click Select.
  4. Start provisioning by clicking “Start provisioning”.
     

From the Overview section of the SCIM application you can monitor the provisioning status. Click View Audit Logs to see all account-related events, and Provisioning Logs to view the provisioning status of each account.
