Configure SCIM Connector for the Cloud Identity Engine

Add a new application in the Azure Portal then obtain the necessary information to configure SCIM for Directory Sync.
Azure AD SCIM provisioning requires that the group attribute
displayName
is unique. If more than one group uses the
displayName
attribute, the initial sync is not successful and the data for the duplicate group names may only be partially retrievable. If the duplicate groups are not used in security policy, then you can proceed. If you use the duplicate group names in security policy, you must resolve the issue by modifying the
displayName
attribute in your Azure AD to ensure that it is unique.
Log in to the Azure Portal.
Select
Overview
(if it is not already selected), copy the
Tenant ID
, and save it in a secure location.

Copy the
Primary domain
and save it in a secure location.

Select
Enterprise applications
All applications
New application
.
To
Search application
(s), enter
Palo Alto Networks SCIM Connector
.

Select
Palo Alto Networks SCIM Connector
and
Create
the application.

If you encounter an error when creating the application, refer to Troubleshoot Cloud Identity Engine Issues.
Set up SCIM in the Cloud Identity Engine app and obtain the necessary information to configure your Azure AD to use SCIM with Directory Sync.
In the Cloud Identity Engine app, select
Directory Sync
Directories
Cloud Directories
Set Up
Azure SCIM
.

Enter the following information from the previous step in the Cloud Identity Engine app fields as indicated in the following table:
Copy From Azure Portal	Enter In Cloud Identity Engine
Tenant ID	Directory ID
Primary domain	Directory Name

Copy the
Base URL
and save it in a secure location.

Click
Generate Token
, then copy the token that the Cloud Identity Engine generates for your
Authorization Method
and save it in a secure location.
Before continuing to the next step and submitting the changes, make sure to save the token in location where you can easily retrieve it to enter it in the Azure Portal. If you submit the changes in the Cloud Identity Engine app before you generate and save the token, you must generate a new token in the Cloud Identity Engine app and enter the new token in Azure Portal.

Click
Submit
to commit your changes.
You must complete the setup in the Cloud Identity Engine before you can successfully
Test Connection
in the Azure Portal.
Configure your Azure AD to use SCIM Connector to connect to the Cloud Identity Engine.
Log in to the Azure AD Portal.

Select

Enterprise Applications

then select the

Palo Alto Networks SCIM Connector

application.

Select

Provisioning

and click

Get Started

.



Select

Automatic

as the

Provisioning Mode

.



Paste the following information from the previous step in the fields as indicated in the following table:

Copy From Cloud Identity Engine	Enter In Azure Portal
Base URL	Tenant URL
Authorization Method token	Secret Token



Save

your changes.



(Optional but recommended) Click

Test Connection

to confirm that the Azure AD can successfully communicate with the Cloud Identity Engine app.


Manage the users, groups, and attributes that the Azure AD provisions to the Cloud Identity Engine app.
In the Azure Portal, select
Provisioning
Edit Provisioning
.

Select
Mappings
then select whether you want to edit the attributes when you
Provision Active Directory Groups
or
Provision Active Directory Users
.

Delete
any attributes that you don’t want to provide to the Cloud Identity Engine app.

(Optional) Click
Add new mapping
to add a new mapping that you want the Azure AD to use to identify users for the Cloud Identity Engine.

(Optional) By default, the Cloud Identity Engine only synchronizes users and groups you assign to this app in the Azure Portal. You can optionally synchronize all users and groups (
Settings
Sync all users and groups
).

Save
your changes when they are complete.
Allow Azure AD to provide the information to the Cloud Identity Engine and verify that the Cloud Identity Engine uses SCIM to obtain the Azure AD information.
In the Azure Portal, verify you have completed all the provisioning steps in the documentation for the Azure AD SCIM Connector.
Select the name of the app that you configured in the first step then select
Manage
Provisioning
Start Provisioning
to begin providing attributes to the Cloud Identity Engine.

Wait until the sync is complete (
Initial cycle completed
) then
View provisioning details
.

Verify that the synchronization was successful by confirming the timestamps (
Completed
and
Steady state achieved
).

If the number of users and groups does not display, refer to Troubleshoot Cloud Identity Engine Issues.
In the Cloud Identity Engine app, verify that the
SCIM Change Timestamp
for your Azure SCIM directory populates on the
Directories
page.
Select
Actions
Full Sync
to complete a full synchronization of your Azure Active Directory with Directory Sync for the Cloud Identity Engine.
You must successfully complete a full sync in the Cloud Identity Engine app to complete the SCIM Connector setup.