User Guide

Configuring the Mapping for Provisioning

Configuring attribute mappings for users

1. Click [Mappings].

2. Click [Provision Azure Active Directory Users].

3. Select "Yes" for "Enabled".

4. In [Attribute Mappings], delete all attribute mappings other than "userPrincipalName" and "Switch([IsSoftDeleted], , "False", "True", "True", "False")".

Application screen illustration

Note

  • If a required setting is not configured correctly, synchronization or login may fail.

5. Configure the required items. Click [userPrincipalName], and on the "Edit Attribute" screen displayed, configure the following settings:

  • Source attribute: objectId

  • Target attribute: externalId

Application screen illustration

6. Click [OK].

7. Click [Save].

8. Click [Yes].

9. Check that the "customappsso" attribute of "Switch([IsSoftDeleted], , "False", "True", "True", "False")" is set to "active".

If the attribute is not set to "active", click "Switch([IsSoftDeleted], , "False", "True", "True", "False")" and change the "Target attribute" to "Active".

Application screen illustration

10. Click [Save].

11. Click [Add New Mapping], and on the "Edit Attribute" screen displayed, change the following settings:

  • Source attribute: mail

  • Target attribute: emails[type eq "work"].value

Application screen illustration

12. Click [Ok].

13. Click [Add New Mapping], and on the "Edit Attribute" screen displayed, change the following settings:

  • Source attribute: originalUserPrincipalName

  • Target attribute: userName

14. Click [Ok].

15. Check that the values are set as below.

| Microsoft Entra ID Attribute | Customappsso Attribute | Matching precedence |
| --- | --- | --- |
| objectId | externalId | 1 |
| Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | (blank) |
| mail | emails[type eq "work"].value | (blank) |
| originalUserPrincipalName | userName | (blank) |

Note

  • If a required setting is not configured correctly, synchronization or login may fail.

16. Click [Save].

17. Click [Ok].

These are all the items that you need to configure.

To synchronize arbitrary items, proceed to "Synchronizing Arbitrary Items".

To synchronize other items, proceed to "Synchronizing Other Items".

If you want to skip these steps after configuring the attribute mapping settings, proceed to "Configuring attribute mappings for groups".

Synchronizing Arbitrary Items

Add new mappings as needed, depending on the items to synchronize with Microsoft Entra ID.

  1. Click [Add New Mapping], and on the "Edit Attributes" screen displayed, change the values for each item as shown in the following table:

    | Synchronized item on this site | Microsoft Entra ID Attribute | Customappsso Attribute | Matching precedence |
    | --- | --- | --- | --- |
    | Given name of users | givenName | name.givenName | (blank) |
    | Surname of users | surname | name.familyName | (blank) |
    | Department of users | department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | (blank) |
    | Office address of users | physicalDeliveryOfficeName | addresses[type eq "work"].formatted | (blank) |

  2. Click [Save] when finished adding new mappings.

  3. Click [Yes].

  4. Click [Setting].
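
As an added illustration (not part of the original guide or the product's own code), the following Python sketch applies the required user mappings and the optional name and department mappings from the tables above to a constructed user, showing where each target path lands in a SCIM User resource and which targets stay empty when a source attribute is missing. It approximates the resource layout, not the exact request Microsoft Entra ID sends; `eval_source`, `set_path`, `build_scim_user` and the sample values are hypothetical.

```python
import re

# Mappings from this page: (Entra source attribute or expression, SCIM target path).
USER_MAPPINGS = [
    ("objectId", "externalId"),
    ('Switch([IsSoftDeleted], , "False", "True", "True", "False")', "active"),
    ("mail", 'emails[type eq "work"].value'),
    ("originalUserPrincipalName", "userName"),
    ("givenName", "name.givenName"),
    ("surname", "name.familyName"),
    ("department",
     "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department"),
]

def eval_source(source, user):
    """Return the source value; the only expression handled is the page's Switch."""
    if source.startswith("Switch([IsSoftDeleted]"):
        # Switch(source, default, key, value, ...): "False"->"True", "True"->"False".
        return {"False": "True", "True": "False"}.get(str(user.get("IsSoftDeleted")), "")
    return user.get(source)

def set_path(resource, path, value):
    """Place value at a target path (only the path shapes used on this page)."""
    filtered = re.fullmatch(r'(\w+)\[type eq "(\w+)"\]\.(\w+)', path)
    if filtered:
        attr, kind, sub = filtered.groups()
        resource.setdefault(attr, []).append({"type": kind, sub: value})
    elif path.startswith("urn:"):
        schema, _, attr = path.rpartition(":")
        resource.setdefault(schema, {})[attr] = value
    elif "." in path:
        parent, child = path.split(".", 1)
        resource.setdefault(parent, {})[child] = value
    else:
        resource[path] = value

def build_scim_user(user):
    """Return (resource, unpopulated target paths) for one directory user."""
    resource, unpopulated = {}, []
    for source, target in USER_MAPPINGS:
        value = eval_source(source, user)
        if value in (None, ""):
            unpopulated.append(target)
        else:
            set_path(resource, target, value)
    return resource, unpopulated

# Constructed sample user (not real data).
SAMPLE_USER = {
    "objectId": "00000000-0000-0000-0000-000000000001", "IsSoftDeleted": False,
    "mail": "alice@example.com", "originalUserPrincipalName": "alice@example.com",
    "givenName": "Alice", "surname": "Example", "department": "Finance",
}
```

A soft-deleted user yields `active` of "False", which is how the target application learns that the account should be disabled; a user with no `mail` value is reported with `emails[type eq "work"].value` unpopulated.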

Synchronizing Other Items

To synchronize other Microsoft Entra ID attributes, map them to User Optional Information 1 to 15 as follows:

  1. Click [Add New Mapping], and on the "Edit Attributes" screen displayed, change the values for each item as shown in the following table:

    | Synchronized item on this site | Microsoft Entra ID Attribute | Customappsso Attribute | Matching precedence |
    | --- | --- | --- | --- |
    | User Optional Information 1 to 15 | Item name included in user information of Microsoft Entra ID that can be added as the synchronization target. Example: employeeId | urn:ietf:params:scim:schemas:extension:2.0:ExtensionAttributes:extensionAttribute{number} *1 Example: urn:ietf:params:scim:schemas:extension:2.0:ExtensionAttributes:extensionAttribute3 | (blank) |

    *1 {number} is the number from 1 to 15 corresponding to user information numbers 1 to 15.

  2. Click [Save] when finished adding new mappings.

  3. Click [Yes].

  4. Click [Setting].

Note

  • If the "customappsso Attribute" setting is not available, check that the setting has already been configured in another attribute. If the setting is not configured in another attribute, configure "customappsso" as an additional attribute. See "Supplementary procedures: When setting customappsso as an additional attribute" below for instructions.

  • To map other Microsoft Entra ID Attributes, see "Supplementary procedures: Mapping an additional Microsoft Entra ID Attribute" below.

Supplementary procedures: When setting customappsso as an additional attribute

  1. On the "Attribute Mapping" screen, check "Show advanced options", and then click [Edit attribute list for customappsso].

    Application screen illustration

  2. Select a customappsso attribute to add from the Edit attribute list for customappsso for the user. If no customappsso attribute is available, add an attribute, and then use the following table to configure it.

    | Name | Type | Primary Key? | Required? |
    | --- | --- | --- | --- |
    | Id | String | | |
    | externalId | String | | |
    | Active | String | | |
    | Emails[type eq "work"].value | String | | |
    | userName | String | | |
    | name.givenName | String | | |
    | name.familyName | String | | |
    | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | String | | |
    | Addresses[type eq "work"].formatted | String | | |
    | urn:ietf:params:scim:schemas:extension:2.0:ExtensionAttributes:extensionAttribute{number} *1 | String | | |

    *1 {number} is the number from 1 to 15 corresponding to user information numbers 1 to 15.

    Note

    • Do not configure the following fields:

      • Multi-Value?

      • Exact case?

      • API Expression

      • Reference Object Attribute

  3. Click [Save].

  4. Click [Yes].

    Application screen illustration

Configuring attribute mappings for groups

To disable synchronization for any group:

1. Click [Mappings].

2. Click [Provision Azure Active Directory Groups].

Application screen illustration

3. Select "No" for "Enabled", and then click [Save].

To synchronize groups:

1. Click [Mappings].

2. Click [Provision Azure Active Directory Groups].

Application screen illustration

3. Select "Yes" for "Enabled".

4. In [Attribute Mappings], delete all attribute mappings other than "displayName".

Application screen illustration

Note

  • If a required setting is not configured correctly, synchronization or login may fail.

5. Configure the required items. Click [userPrincipalName], and on the "Edit Attribute" screen displayed, configure the following settings:

  • Source attribute: objectId

  • Target attribute: externalId

Application screen illustration

6. Click [OK].

7. Click [Save].

8. Click [Add New Mapping], and on the "Edit Attribute" screen displayed, change the following settings:

  • Source attribute: displayName

  • Target attribute: displayName

Application screen illustration

9. Click [Ok].

10. Click [Add New Mapping], and on the "Edit Attribute" screen displayed, change the following settings:

  • Source attribute: members

  • Target attribute: members

Application screen illustration

11. Click [Ok].

12. Check that the values are set as below.

| Microsoft Entra ID Attribute | Customappsso Attribute | Matching precedence |
| --- | --- | --- |
| objectId | externalId | 1 |
| displayName | displayName | (blank) |
| members | members | (blank) |

Note

  • If a required item is not specified correctly, synchronization or login attempts might fail.

13. Click [Save].

14. Click [Ok].

These are all the items that you need to configure.

To synchronize arbitrary items, proceed to "Synchronizing Arbitrary Items".

If you want to skip these steps after configuring the attribute mapping settings, proceed to Configuring the Scope of Synchronization.

Synchronizing Arbitrary Items

Add new mappings as needed, depending on the items to synchronize with Microsoft Entra ID.

  1. Click [Add New Mapping], and on the "Edit Attributes" screen displayed, change the values for each item as shown in the following table:

    | Synchronized item on this site | Microsoft Entra ID Attribute | Customappsso Attribute | Matching precedence |
    | --- | --- | --- | --- |
    | Descriptions of groups | descriptions | urn:ietf:params:scim:schemas:extension:2.0:Group:description | (blank) |

  2. Click [Save] when finished adding new mappings.

  3. Click [Yes].

To synchronize some specific groups only:

  1. On "Source Object Scope", click [All records].

  2. Click [Add scoping filter].

  3. Configure the filter as shown in the table below, and then click [OK].

    • To synchronize security groups only:

      | Target attribute | Operator | Value |
      | --- | --- | --- |
      | mailEnabled | IS FALSE | None |
      | securityEnabled | IS TRUE | None |

      Title for the scope filter: security

    • To synchronize Microsoft 365 groups only:

      | Target attribute | Operator | Value |
      | --- | --- | --- |
      | groupTypes | INCLUDES | Unified |
      | mailEnabled | IS TRUE | None |

      Title for the scope filter: microsoft365

    • Other filtering examples

      You can use a Microsoft Entra ID group property for a scope filter to include specific groups to be synchronized.

      Examples:

      • Use an object ID to exclude specific groups from synchronization:

      | Target attribute | Operator | Value |
      | --- | --- | --- |
      | objectId | NOT EQUALS | (Object ID to be excluded from synchronization) |

      • To exclude groups created on-premise from synchronization:

      | Target attribute | Operator | Value |
      | --- | --- | --- |
      | onPremiseSecurityIdentifier | IS NULL | None |

      Note

      • If two or more filters are specified, the groups that match one of the filter criteria are included (ORed). To synchronize only the groups that match all criteria, you need to include them in a single filter (ANDed).
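
The OR/AND behaviour described in the note above, as an added example that is not part of the original guide: this Python sketch evaluates the page's "security" filter against constructed groups and compares an objectId exclusion added as a second filter with the same exclusion added as a clause of the same filter. The function names, the "exclude" filter title, the object IDs and the groups are hypothetical.

```python
# Clause operators that appear in this page's scoping filter tables.
OPERATORS = {
    "IS TRUE": lambda actual, _: actual is True,
    "IS FALSE": lambda actual, _: actual is False,
    "IS NULL": lambda actual, _: actual is None,
    "INCLUDES": lambda actual, value: value in (actual or []),
    "NOT EQUALS": lambda actual, value: actual != value,
}

def filter_matches(group, clauses):
    """All clauses inside one scoping filter must hold (AND)."""
    return all(OPERATORS[op](group.get(attr), value) for attr, op, value in clauses)

def in_scope(group, filters):
    """A group is in scope if any filter matches (OR); no filters means all records."""
    return not filters or any(filter_matches(group, c) for c in filters.values())

def scoped_names(groups, filters):
    """Return the sorted display names of the groups that would be synchronized."""
    return sorted(g["displayName"] for g in groups if in_scope(g, filters))

# The "security" filter from this page, as (target attribute, operator, value).
SECURITY = [("mailEnabled", "IS FALSE", None), ("securityEnabled", "IS TRUE", None)]
EXCLUDED_ID = "id-sec-admins"  # constructed placeholder object ID

# Constructed sample groups (not real directory data).
GROUPS = [
    {"objectId": "id-sec-admins", "displayName": "sec-admins",
     "mailEnabled": False, "securityEnabled": True, "groupTypes": []},
    {"objectId": "id-sec-staff", "displayName": "sec-staff",
     "mailEnabled": False, "securityEnabled": True, "groupTypes": []},
    {"objectId": "id-m365-team", "displayName": "m365-team",
     "mailEnabled": True, "securityEnabled": False, "groupTypes": ["Unified"]},
]

# Exclusion added as a second filter: ORed, so it widens the scope.
SEPARATE = {"security": SECURITY,
            "exclude": [("objectId", "NOT EQUALS", EXCLUDED_ID)]}
# Exclusion added as a clause of the same filter: ANDed, so it narrows the scope.
COMBINED = {"security": SECURITY + [("objectId", "NOT EQUALS", EXCLUDED_ID)]}
```

With `SEPARATE`, all three groups are in scope, including the one meant to be excluded and the Microsoft 365 group; with `COMBINED`, only `sec-staff` is synchronized.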