Microsoft Entra ID Provisioning (formerly known as Azure AD)

With Provisioning you can automate common administrative tasks. By enabling the System for Cross-domain Identity Management (SCIM) you can connect Visma with Entra, so you can:

• Create users and groups

• Grant and revoke access to groups

• Edit attributes of users and groups

• Suspend deprovisioned users
  Note: you will need to redo your Azure setup, in case you have SAML already enabled and you want to configure

  provisioning.

Prerequisites

• Microsoft Azure account with Entra Premium activated

• Global Admin or Co-admin account in Entra

• All of your users under your account in Visma will need a pre-existing account in Entra with exactly the same email address

• Entra SSO Saml configured in Authentication Settings

Configure Visma Single Sign-On app in Entra

1. On the "Single Sign-On" page go to  1. Upload the Visma file into Entra section. Click on  Download to get the Visma SAML metadata file. You'll need this Visma Single Sign-On metadata information for configuring Visma as a service provider in your Entra.

   

2. Log into your Microsoft Entraministrative portal.

3. Click on the hamburger menu icon in the upper left-hand side of the page. Click  All services.

4. Click on  Azure Active Directory.

   

5. Click on  Enterprise applications.

6. Click  + New application at the top of the screen.

   

7. Click  + Create your own application at the top of the screen.

   

8. Input a name for your application and select  Integrate any other application you don't find in the gallery (Non-gallery).

9. Click  Create.

10. On the left navigation click  Single sign-on.

11. Select  SAML on the "Select a single sign-on method" page.

    

12. On the  Basic SAML Configuration heading select  Upload metadata file. Upload the XML file that you have downloaded from Authentication Settings Entra setup page, at step 1.

    

13. After you have successfully uploaded the XML file, all the fields within the  Basic SAML Configuration section will be populated. Click  Save and close the "Basic SAML Configuration" editor.

    

14. Go to the  User Attributes & Claims heading and select the  Edit icon. Ensure that the values are exactly as below.

    

15. Click the  X icon at the top right-hand side to close the view.

Configure Visma Single Sign-On and Provisioning to use Entra

1. In the  SAML Signing Certificate section, ensure that the certificate status is Active (it is valid for 3 years after it was added), if not, add a new certificate by clicking on the edit (pencil) button. Enter a notification email for the certificate expiry reminders and click  Save.

2. Click the  App Federation Metadata Url copy button.
   Your Metadata XML link address should look like: https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxxxxxxxxxxxxxxxxxxxxx

   

3. Paste this Metadata XML link address into the  Single Sign-On page within  Authentication Settings. It contains all your Entra endpoints and public certificate that Visma needs in order to complete the setup.

   

4. Click  Save.

5. After you've successfully saved your Entra integration, you will see your setup details on the  Single Sign-On page, below MyDomain.

   

6. Depending on your provider, the certificate can expire. In that case, we show an error message on the Entra setup.

   

7. Go to Entra and create or upload a new and valid certificate.

   

8. Come back to  Authentication Settings and click the  Edit icon or the Entra link.

9. Click the  Refresh certificate button and then  Save.

   

10. Go to  Entra and from the Provisioning tab click  Get started.

    

11. Select  Automatic for  Provisioning Mode.

    

12. Go to the  Authentication Settings Provisioning tab and turn on SCIM 2.0 Provisioning.

    

13. Copy the  SCIM Endpoint.

14. Choose the desired Visma actions and triggers.

15. Go to  Azure Provisioning and paste the SCIM Endpoint in the Tenant URL field.

16. Go back to  Authentication Settings Provisioning and click on  Generate SCIM token.

17. Copy the  SCIM token.

18. Click  Close.

    

19. In  Entra Provisioning paste the SCIM token you copied into the  Secret Token field.

20. Click  Save on the top left corner and close the tab.

21. In the  Mappings field check each mapping for groups/users to have your desired configuration.

    

• Groups Attribute Mapping for provisioning:

  

• Users Attribute Mapping for provisioning:

  

22. Once all needed actions are selected  SAVE and close the tab.
    Note: You can test the provisioning by using Provision on demand for a single user or group (with a member) to check the setup.
    22. 1 Click Provisioning on demand.

    

    
    22.2 Use the search bar to  select user or group.

    

    
    22.3 Click  Provision.

    

23. Click on  Start Provisioning.

24. Click on  Users and groups.

25. Click  +Add user/group.

    

26. Click  None Selected.

    

27. Search and select any user/group that you want to add to your application.

28. Click  Assign.

29. Users/Groups should be provisioned in Connect.
    Note: Every provisioning interval is fixed to 40 minutes.

Renew expired SCIM token

Upon receiving the email with the subject “Your organization SCIM token is about to expire” you should:

• sign in into Authentication Settings on the organization mentioned in the email body

• go to the Provisioning menu

• click on "Generate SCIM token"

  

• copy the new secret key