Configuring Neowit with Microsoft Entra (Azure AD) User Provisioning

You can automatically provision your company’s users with Neowit from Microsoft Entra (Azure AD). The guide requires that you’ve already set up an Enterprise Application / Single Sign-On (SSO) using SAML in both the Neowit app and in Microsoft

Technically, this is done through a standardized protocol called SCIM (System for Cross-domain Identity Management). Neowit implements the latest version (2.0) of this standard, described in RFC 7643 and RFC 7644.

Prerequisites

  • A Neowit administrator account.
  • A Microsoft Entra (Azure AD) subscription.
  • Azure admin privileges.
  • An Enterprise Application previously configured for SSO in Entra and paired with an Authentication configuration in the Neowit app.


How to add

  1. Navigate to https://portal.azure.com
  2. Click Enterprise Applications
  3. Click All Applications
  4. Click the Enterprise Application previously created for SAML / SSO with Neowit.
  5. Click Provisioning
  6. Click Manage Provisioning, and set Provisioning Mode to Automatic, before switching tabs to the Neowit app.
  7. Open the Authentication settings page in the Neowit App: https://app.neowit.io/settings/idps
  8. Select the identity provider that represents this Enterprise Application and change the SCIM User provisioning type to Microsoft Entra. Click Save and re-open the form.
  9. Copy the Base URL from this form and paste it into the Tenant URL field in step 6.
  10. Click Replace bearer token and copy the Bearer token that was created into the Secret Token field in step 6.
  11. Continue from the form in step 6, and click Test Connection. If everything is correctly set up, it should show you a small success notification.
  12. Optionally, set an email address to be notified if provisioning errors occur. This may be useful when errors happen on either the Entra side or the Neowit side. If the application fails to provision users for a longer period of time, the application may be quarantined and will need to be restarted.
  13. Save the form and continue to the Mappings section.

Mappings

Neowit currently only supports User provisioning, with a limited set of attributes, so the attribute mappings must be configured under Enterprise Application -> Provisioning. The Mappings section appears in the same form as in step 6 once that form has been saved successfully.

Supported user attributes

Neowit supports a limited number of user attributes for SCIM users. For Microsoft Entra, we recommend using the minimal required set of attributes:

  • userName: The login identity of the user; it should be mapped the same way as in the SAML mapping. It is required to be unique and to be an email address. By default the userName attribute is mapped to the Entra userPrincipalName field. Change this if your tenant is set up differently.
  • displayName: The display name of the user. This is usually the full name of the user. By default this is mapped to the displayName attribute in Entra, but you may change it if the schema in your tenant is different.
  • active: Whether the user is active or not. Currently, the default expression Switch([IsSoftDeleted], , "False", "True", "True", "False") mapped to the active field ensures that users that are removed from the Enterprise Application will be deactivated in Neowit.


Deactivated users will no longer be able to log in. If the user is reactivated at a later stage, it will require that the userName is still unique and is not being used by another user.

Users that are deleted in the Entra tenant will first enter a deactivated state for 30 days, before the user is permanently deleted. This behavior can also be triggered manually by navigating to Entra -> Users -> Deleted users -> Delete.
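The following Python script is an added example, not code from Neowit or Microsoft, that models the three attribute mappings recommended above and the deactivation rules that follow them: it evaluates the Switch([IsSoftDeleted], , "False", "True", "True", "False") expression the way Entra's Switch(source, default, key1, value1, ...) function does, builds the RFC 7643 User resource Entra would send to the Base URL, and checks the two constraints stated here (userName must be an email address and unique; a deactivated user cannot log in). The email pattern, the in-memory ScimUserStore and the sample users are constructed for the example; treating IsSoftDeleted as the strings "True"/"False" is an assumption about how the expression sees it.

```python
import json
import re

# RFC 7643 core User schema URI; the three attributes mapped below are the ones this guide uses.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Deliberately simple email-shape check (constructed for this example, not Neowit's own rule).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def entra_switch(source, default, *pairs):
    """Model of Entra's Switch(source, default, key1, value1, ...) expression:
    return the value paired with the first key equal to source, else default."""
    if len(pairs) % 2:
        raise ValueError("Switch needs key/value pairs")
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if source == key:
            return value
    return default


def map_entra_user(entra_user):
    """Apply the guide's three mappings to one Entra user record and return the
    SCIM User resource Entra would send. entra_user uses the Entra attribute names
    from the mapping; IsSoftDeleted is assumed to arrive as the string "True"/"False"."""
    user_name = entra_user["userPrincipalName"]
    if not EMAIL_RE.match(user_name):
        raise ValueError(f"userName must be an email address: {user_name!r}")
    active = entra_switch(entra_user.get("IsSoftDeleted"), None,
                          "False", "True", "True", "False")
    if active is None:
        raise ValueError("IsSoftDeleted must be 'True' or 'False'; got "
                         f"{entra_user.get('IsSoftDeleted')!r}")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "displayName": entra_user["displayName"],
        "active": active == "True",
    }


class ScimUserStore:
    """Tiny in-memory stand-in (constructed) for the service-provider side, modelling
    the rules the guide states: userName is unique, and a deactivated user cannot log in."""

    def __init__(self):
        self.users = {}  # userName -> SCIM resource

    def create(self, resource):
        name = resource["userName"]
        if name in self.users:
            # RFC 7644 reports a uniqueness violation as 409 Conflict
            raise ValueError(f"409 Conflict: userName {name!r} already exists")
        self.users[name] = dict(resource)
        return self.users[name]

    def set_active(self, user_name, active):
        self.users[user_name]["active"] = bool(active)
        return self.users[user_name]

    def can_log_in(self, user_name):
        user = self.users.get(user_name)
        return user is not None and user["active"]


def demo():
    """Provision a sample user, then remove them from the Enterprise Application
    (IsSoftDeleted flips to "True") and return whether they can still log in."""
    store = ScimUserStore()
    alice = map_entra_user({"userPrincipalName": "alice@example.com",
                            "displayName": "Alice Example", "IsSoftDeleted": "False"})
    store.create(alice)
    print(json.dumps(alice, indent=2))
    removed = map_entra_user({"userPrincipalName": "alice@example.com",
                              "displayName": "Alice Example", "IsSoftDeleted": "True"})
    store.set_active("alice@example.com", removed["active"])
    return store.can_log_in("alice@example.com")


if __name__ == "__main__":
    print("can log in after removal:", demo())
```

Running the script prints the SCIM User resource for the sample user and then shows that, once the Switch expression evaluates to "False", the user is deactivated and can no longer log in, which is the behaviour the active mapping is there to guarantee.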

Setup

  1. Click Provision Azure Active Directory Groups under the expanded Mappings header, change it to disabled and click Save.
  2. Click Provision Azure Active Directory Users and delete all attributes except the following three, adjusting them to your tenant's schema:

     Entra source attribute (or expression)                          Neowit (SCIM) target attribute
     userPrincipalName                                               userName
     displayName                                                     displayName
     Switch([IsSoftDeleted], , "False", "True", "True", "False")     active

  3. In the end, the User attribute mapping should look something like the snapshot below. Ensure you click Save after configuring all the fields.


Start provisioning

The last step is to start the actual provisioning process. This is done in the Overview section, and will be available once you’ve completed all the steps above. By default Entra provisions users at a fixed interval of 40 minutes, so users created in Entra may not show up immediately in Neowit. Click the Start provisioning button in the Provisioning Overview.


It may take a while before this process completes. If something fails, it may be useful to look at the Provisioning logs.