# Microsoft Entra ID

Depending on your use case, [Verkada Command](https://help.verkada.com/command/getting-started/get-started-with-verkada-command) can integrate with Microsoft Entra ID, among other identity providers (IdPs), in the following capacities:

* Security Assertion Markup Language (SAML)
* System for Cross-Domain Identity Management (SCIM)

**SAML** handles the authentication side of things, allowing Microsoft Entra ID to be used to manage access to Command, the same way it is used to manage access to other Software as a Service (SaaS) applications already integrated into your Microsoft Entra ID tenant. This means you can incorporate Command into your existing identity framework and authorize users according to your current policies.

**SCIM** allows you to leverage your existing users and groups in Microsoft Entra ID and synchronize them with Command. This allows you to retain the current central IdP and configure permissions in Command using your existing users and groups.

{% hint style="info" %}
Verkada recommends OIDC over SAML for enhanced security and easier configuration. OIDC also enables [Enterprise Controlled Encryption](https://help.verkada.com/command/security/enterprise-controlled-encryption).
{% endhint %}

***

{% tabs %}
{% tab title="OIDC (Recommended)" %}

#### OIDC Based SSO for Microsoft Entra ID

Verkada Command supports Single Sign-On (SSO) through OpenID Connect (OIDC) with Microsoft Entra ID. This integration allows our users to seamlessly and securely authenticate using their existing Microsoft Entra ID credentials, streamlining access to Command and enhancing overall security.

{% hint style="danger" %}
OIDC is not supported on Desk Station apps.
{% endhint %}

{% hint style="info" %}
Enable [Enterprise Controlled Encryption (ECE)](https://help.verkada.com/command/security/enterprise-controlled-encryption) for enhanced security.
{% endhint %}

***

**Microsoft Entra ID configuration**

{% stepper %}
{% step %}
**Log in to your** [**Microsoft Entra ID portal**](https://portal.azure.com)**.**
{% endstep %}

{% step %}
**Search for and select App registrations.**
{% endstep %}

{% step %}
**Click New Registration.**

a. Name the application **Verkada SSO OIDC.**\
b. Under **Supported account types,** select **Accounts in this organizational directory only ( only - Single tenant).**\
c. Under **Redirect URI**, select **Single-page application** (SPA) as the platform and add the following callback URLs:

1. <https://command.verkada.com/oidc/aad/callback>
2. <https://org-short-name.command.verkada.com/oidc/aad/callback> (replace org-short-name in the URI with your Command organization's short-name.)

{% hint style="warning" %}
Verify there is no trailing slash in the callback URI.
{% endhint %}
{% endstep %}

{% step %}
**Click Register.**
{% endstep %}

{% step %}
**Copy and store your Application (Client) ID and Directory (Tenant) ID in a safe place. You will need them to complete the setup in Verkada Command.**
{% endstep %}

{% step %}
**On the left, click Manage > Expose an API.**

a. Click **Add a scope.**\
b. Click **Save and continue**.\
c. Enter *verkada\_ece* for the following fields:

* Scope name
* Admin consent display name
* Admin consent description
* User consent display name
* User consent description

d. Set **Who can consent?** to **Admins and users.**\
e. Click **Add scope.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-aec1149e6970227126f726c9c06f46e5c865b681%2F1d3772842a085fc3d15f2795987254a747399203.png?alt=media" alt="" width="800"></div>
{% endstep %}
{% endstepper %}

***

**Verkada Command configuration**

{% stepper %}
{% step %}
**In Verkada Command, go to All Products > Admin.**
{% endstep %}

{% step %}
**In the left navigation, select Login & Access.**
{% endstep %}

{% step %}
**Select Single Sign-On Configuration.**
{% endstep %}

{% step %}
**Under OIDC Configuration, click Add New.**

a. Toggle on **Enable.**\
b. (Optional) Toggle on **Require OIDC SSO.**\
c. Under **Select Provider,** select **Microsoft Entra ID.**\
d. Under **Add Client and Tenant,** click :plus:.

1. In the **Client ID** field, paste the Client ID you copied from Microsoft Entra ID.
2. In the **Tenant ID** field, paste the Tenant ID you copied from Microsoft Entra ID.
3. Click **Done**.

e. Under **Email Domains,** click :plus:**.**

1. Enter your domain name (e.g., @verkada.com).
2. Click **Done**.

   <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-03a2ba25ea251f2a72146ba1464a58bc4e11e7fd%2Ff054308c20f7523b4f1f29da383884cb7c2e6453.png?alt=media" alt="" width="215"></div>

{% endstep %}

{% step %}
**Click Run Login Test.**
{% endstep %}

{% step %}
**A successful login test should redirect to the OIDC configuration page. Once you're logged in, add the domain that you need to whitelist.**
{% endstep %}

{% step %}
**Once your domain is added, run the login test again. SSO will not be enabled until this second login test successfully completes.**
{% endstep %}

{% step %}
**Once your domain is verified, you should see it successfully validated.**
{% endstep %}
{% endstepper %}
{% endtab %}

{% tab title="SAML" %}

### Microsoft Entra ID SAML Integration

***

#### Set up SAML in Microsoft Entra ID

Verkada Command is registered as a gallery application and can be found within the Microsoft Entra ID marketplace; in other words, you can leverage it with Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2 licenses.

{% hint style="danger" %}
To get started, you need your `client-ID`. Learn how to [generate it and configure your email domains](https://help.verkada.com/command/security/identity-providers/..#generate-client-id), then return to this article to complete the remainder of this process.
{% endhint %}

{% stepper %}
{% step %}
**Add Verkada Command as an enterprise application in your Microsoft Entra ID directory: Go to your Microsoft Entra ID overview page and select Enterprise applications.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-a79722a44181b1fdc58b4a446717b725395bf3f0%2Fea7d4d52ebddb8b4b886e1e9eb2febc75e0d86b3.png?alt=media" alt="" width="603"></div>
{% endstep %}

{% step %}
**At the top of the page, select New Application and search for Verkada Command.**
{% endstep %}

{% step %}
**Select Verkada Command and click Create.** *Be patient, as it can take a few minutes to add the application to your Microsoft Entra ID tenant.*

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-31d38b1f41a163cd63acdd388f7841043225dcba%2Fa059e22dc1d67995f891ded49cfd7d882ce4e00a.png?alt=media" alt="" width="629"></div>

Once the page refreshes, you should see a similar menu (as shown below).
{% endstep %}

{% step %}
**On Set up single sign-on, click Get started.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-6a28059d10b2ee41a6e442c29b98e00025eff15a%2F7cf12443f73d5124fb52129d4b2835c317bf1d57.png?alt=media" alt="" width="389"></div>
{% endstep %}

{% step %}
**Choose SAML as the single sign-on method.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-d6d6ca8dd62db59b642475c10341b7b46962fb2c%2F0e6513aae4262222ba5c16809425c6c77d2b8333.png?alt=media" alt="" width="376"></div>
{% endstep %}

{% step %}
**If necessary, click Edit to further configure your SAML connection.**
{% endstep %}

{% step %}
**Configure the following fields. You need to add your client ID to the end of each URL before adding them to Microsoft Entra ID. See example below the note.**

a. For **Identifier**:\
For US orgs: <https://vauth.command.verkada.com/saml/sso>\
For EU orgs: <https://saml.prod2.verkada.com/saml/sso>\
For AUS orgs: <https://saml.prod-ap-syd.verkada.com/saml/sso>

b. For **Reply URL**:\
For US orgs: <https://vauth.command.verkada.com/saml/sso>\
For EU orgs: <https://saml.prod2.verkada.com/saml/sso>\
For AUS orgs: <https://saml.prod-ap-syd.verkada.com/saml/sso>

c. For **Sign on URL**:\
For US orgs: <https://vauth.command.verkada.com/saml/login>\
For EU orgs: <https://saml.prod2.verkada.com/saml/login>\
For AUS orgs: <https://saml.prod-ap-syd.verkada.com/saml/sso>

{% hint style="warning" %}
To confirm which region you're located in, please refer to where [your organization was created for Verkada](https://help.verkada.com/command/getting-started/get-started-with-verkada-command).
{% endhint %}

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-e84505986b291d1cf02b8ac24fe7db4af6b4733e%2Ff62fd260c99f8d34d4950ec1001629614d31095d.png?alt=media" alt="" width="561"></div>
{% endstep %}

{% step %}
**Click Save.**
{% endstep %}

{% step %}
**On Attributes & Claims, click Edit to be consistent with these attributes:**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-8cdb4bb7a93e576e03f624af4351e402854ae662%2F8a7793cc70060ce40c5de3ee9b01b011005ee621.png?alt=media" alt="" width="806"></div>

{% hint style="warning" %}
If you use a different source attribute for email, configure the attributes according to the source attribute you want to use.
{% endhint %}
{% endstep %}

{% step %}
**On SAML Signing Certificate, import this Federation Metadata XML into Command.**
{% endstep %}

{% step %}
**Click Download to save for later.**

<div align="left" data-with-frame="true"><figure><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2FmfEkOw29Ocbgl3OiCU9l%2Fimage.png?alt=media&#x26;token=6850c898-fc72-49fb-8dd6-1c9906435d4f" alt="" width="375"><figcaption></figcaption></figure></div>

{% hint style="info" %}
The next dialogs that appear will contain tools you can use after the integration is finalized.
{% endhint %}
{% endstep %}

{% step %}
**Continue to Verkada Command to** [**complete the configuration**](https://help.verkada.com/command/security/identity-providers/..#command-sso-configuration)**.**
{% endstep %}
{% endstepper %}

***

#### Test the SAML connection in Microsoft Entra ID

{% stepper %}
{% step %}
**Once the file is uploaded, in your Microsoft Entra ID, click Test to test the integration. A notification will be sent to all users who have a Command account (invitation to org).**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-67a512262a5b97e88b3dc244907bae7a5fd6e955%2Ff3f197e1c60a2b69aaa4e5ac9d7dadce9ac29dde.png?alt=media" alt="" width="763"></div>
{% endstep %}

{% step %}
**Log in with Sign in as current user. If everything is set up correctly, you should be redirected to the Command platform.**
{% endstep %}

{% step %}
**Log in with single sign-on to verify access to Command.**
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Microsoft Entra ID does not support nested groups for app access at this time. All users must be direct members of groups to be assigned.
{% endhint %}

***

#### Log in via the mobile application

{% hint style="info" %}
The Android and iOS Command apps support SAML-based login.
{% endhint %}

{% stepper %}
{% step %}
**Open your Command app.**
{% endstep %}

{% step %}
**In the email address field, enter your email and click Next.**
{% endstep %}

{% step %}
**You should be redirected to your IdP (Microsoft Entra ID) to complete the login process.**
{% endstep %}
{% endstepper %}
{% endtab %}

{% tab title="User Provisioning" %}

#### Microsoft Entra ID SCIM Integration

Verkada Command integrates with Microsoft Entra ID using System for Cross-Domain Identity Management (SCIM) for automated user and group provisioning.

SCIM synchronizes users and groups from Microsoft Entra ID directly into Command. This lets you:

* Retain Microsoft Entra ID as your central IdP.
* Automatically update users and groups in Command as changes occur in Entra ID.
* Assign and manage permissions in Command using your existing identity structure.

{% hint style="info" %}
If your organization uses SCIM, phone numbers can only be provisioned through SCIM. You will not be able to edit your phone number directly in Command.
{% endhint %}

***

**SCIM in Microsoft Entra ID configuration**

Before you configure SCIM in Microsoft Entra ID, you need to generate your secret token in Command.

{% stepper %}
{% step %}
**In Verkada Command, go to All Products > Admin.**
{% endstep %}

{% step %}
**Under Org Settings, select Login & Access & Logs > SCIM Users Provisioning.**
{% endstep %}

{% step %}
**Click Add Domain, and enter all relevant email domains you plan to use with SCIM.**

This generates a SCIM token, **which is viewable only once.**

a. Click **Copy** and store the token in a secure place to use later in the configuration.\
b. Click [**Refresh**](https://help.verkada.com/command/security/identity-providers/scim-token-management) to generate a new token if you did not copy your token or it is not visible.
{% endstep %}

{% step %}
**From the Microsoft Entra ID homepage, select Enterprise applications > New application > Create your own application.**
{% endstep %}

{% step %}
**In the Create your own application side panel, type the application's name, select the non-gallery application, and click Create.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-5cfbf0ff95ca73f13f19aed05b2c61b8dd761961%2F0d277fc07236fd024fc828626266cebb7a1739c5.png?alt=media" alt="" width="638"></div>
{% endstep %}

{% step %}
**Under Provision User Accounts, click Get started.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-1341f38eab1af808467616d35442152f48ab2d9d%2F0dfb71e30a18d4b2696fdbee4277dcf0c0517399.png?alt=media" alt="" width="380"></div>
{% endstep %}

{% step %}
**Select Manage > Provisioning.**
{% endstep %}

{% step %}
**On the provisioning page:**

a. Set the Provisioning Mode to Automatic.\
b. Set the Tenant URL as:

* For US orgs: <https://api.command.verkada.com/scim>
* For EU orgs: <https://scim.prod2.verkada.com/scim>
* For AUS orgs: <https://scim.prod-ap-syd.verkada.com/scim>

{% hint style="warning" %}
To confirm which region you're located in, [refer to where your organization was created for Verkada](https://help.verkada.com/command/getting-started/get-started-with-verkada-command).
{% endhint %}

c. Fill in the SCIM *token* generated in Verkada Command (step 2) as the secret token.

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-bbcbdb56d3a1769a9abb7fd774dade529c56c69f%2F6c4f280ddf634cc0ce6b263d9151b1376832a14a.png?alt=media" alt="" width="570"></div>
{% endstep %}

{% step %}
**Click Test Connection. You should see a confirmation that the SCIM connection is successful.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-902e0f5456e4f35ffeb11b024cbf5dd8baf605c0%2Fa5c7bdcf892e35acf42b6bdff389f416b64c7719.png?alt=media" alt="" width="184"></div>
{% endstep %}

{% step %}
**Click Save.**
{% endstep %}
{% endstepper %}

***

**Configure attributes for Microsoft Entra ID groups**

{% stepper %}
{% step %}
**In the Entra ID portal, click to expand the Mappings dropdown, and select Provision Microsoft Entra ID Groups.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-4a623fd52425e353786b4892cd3acc7d4b8edf27%2Ff10d56a65a6b2ac555032ee1de3f886f556f5eb3.png?alt=media" alt="" width="353"></div>
{% endstep %}

{% step %}
**Configure your mappings to match this screenshot of the data table:**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-31130622b7f819e0fe728159be45127f19ef2c0e%2F44aa9e033fa9a4e96216e17268ab26622e3dcdf7.png?alt=media" alt="" width="741"></div>

{% hint style="warning" %}
The **externalId** attribute is added by default. Remove this attribute to avoid issues with the configuration.
{% endhint %}
{% endstep %}

{% step %}
**(Optional) If you need to add a mapping:**

a. Click **Add New Mapping** > select the **Source attribute** to match the Microsoft Entra ID attribute above.\
b. Set the **Target attribute** to match the **customappsso** attribute above.\
c. Click **OK**.
{% endstep %}

{% step %}
**Click Save and confirm changes, if necessary.**
{% endstep %}

{% step %}
**At the top of the page, select Provisioning to return to the Provisioning page.**
{% endstep %}
{% endstepper %}

***

**Configure attributes for Microsoft Entra ID users**

{% stepper %}
{% step %}
**In the Entra ID portal, click to expand the Mappings dropdown, then select Provision Microsoft Entra ID Users to change the user mappings.**
{% endstep %}

{% step %}
**Update your mappings to match the attribute table below.**

{% hint style="warning" %}
The **Switch** attribute under Microsoft Entra ID Attribute is added as an **Expression** mapping type.
{% endhint %}

```
Switch([IsSoftDeleted], , "False", "True", "True", "False")
```

| customappsso Attribute                                                    | Microsoft Entra ID Attribute                                 |
| ------------------------------------------------------------------------- | ------------------------------------------------------------ |
| userName                                                                  | userPrincipalName                                            |
| active                                                                    | Switch(\[IsSoftDeleted], , "False", "True", "True", "False") |
| title                                                                     | jobTitle                                                     |
| name.givenName                                                            | givenName                                                    |
| name.familyName                                                           | surname                                                      |
| phoneNumbers\[type eq "work"].value                                       | telephoneNumber                                              |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber | employeeId                                                   |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization   | companyName                                                  |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department     | department                                                   |
| urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:costCenter   | costCenter                                                   |

{% hint style="warning" %}
Source Attribute is the Microsoft Entra ID Attribute, and Target Attribute is the customappsso Attribute. If any of the **customappsso** attributes are not available as Target Attributes, you may need to add them to your Microsoft Entra ID platform as options. To do so, check the **Show advanced options** box and click **Edit attribute list for customappsso**.
{% endhint %}

{% hint style="warning" %}
SCIM-managed users no longer have the option to edit their phone number in Command; instead, phone numbers can only be provisioned via SCIM. On the IdP side, you can set up your attribute mapping so that any field in your IdP instance maps to the **phone number** field in Command. You can also set it up so that no field in the IdP maps to the **phone number** field in Command. However, even in this case, phone numbers remain locked in Command and can only be edited via SCIM.
{% endhint %}
{% endstep %}

{% step %}
**Click Save to confirm the changes.**
{% endstep %}

{% step %}
**At the top, select Provisioning and toggle on Provisioning Status.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-9bf4b864e5ebcab4b004a36e3fb9f1efb5de5508%2F2f8bbcec0c707caff24b2482e6a9016ade0cf410.png?alt=media" alt="" width="528"></div>
{% endstep %}

{% step %}
**Depending on the requirements, adjust the scope to one of the required options:**

* Sync all users and groups.
* Sync only assigned users and groups.

{% hint style="warning" %}
Ensure users and groups are assigned to the enterprise application under Users and Groups. Those assigned are the ones provisioned and present in Command.
{% endhint %}
{% endstep %}

{% step %}
**Verify that users are assigned to the application. Once the initial provisioning cycle has elapsed:**

a. You should see the total number of users and groups that have been provisioned successfully under **Overview**.\
b. In Command, you should see these users and groups populated with the associated **SCIM Managed** tag. These synchronized users and groups can now be used in Command and assigned permissions to control access to the Command platform.

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-c9de2cdcacd0a3b5eb9526668689ce24f683ce87%2F37548569136def5ff33826d71fa20894c5d98e8c.jpg?alt=media" alt="" width="1449"></div>
{% endstep %}
{% endstepper %}

**Delete SCIM-managed users from Command**

When a SCIM-managed user is deactivated in your identity provider, you can remove the user from Command in two ways:

* **Delete the user** – The account moves to the Deleted Users page but keeps historical records, roles, and permissions.
* **Permanently remove the user** – All roles, credentials, access logs, and associated data are erased. If the user is re-provisioned via SCIM, Command creates a new user record.

{% hint style="warning" %}
You must deactivate the user in your identity provider (IdP) before either deletion option is available in Command.
{% endhint %}

***

**(Optional) Add access credentials to SCIM users**

{% stepper %}
{% step %}
**Log in to your** [**Azure portal**](https://portal.azure.com)**.**
{% endstep %}

{% step %}
**In the search bar, type and select Enterprise Applications.**
{% endstep %}

{% step %}
**Select your Verkada SCIM application.**
{% endstep %}

{% step %}
**On the left panel, click Manage > Provisioning.**
{% endstep %}

{% step %}
**Expand the Mappings submenu and select Provision Microsoft Entra ID Users.**
{% endstep %}

{% step %}
**At the bottom, click Show advanced options > Edit attribute list for customappsso.**

a. Add the attributes from the table below.\
b. Click **Save**.
{% endstep %}

{% step %}
**Go back to Provision Microsoft Entra ID Users and select Add New Mapping.**

a. Use extensionAttributes 1-5 as **Source Attributes** and map them to the new attributes created for **Card Format, Card Number, Card Number Hex, Credential Status,** and **Facility Code** as the target attributes.

1. Reference [Acceptable Card Formats](https://app.gitbook.com/s/aaHs5RfKqv9Z49mi02cC/installation/badge-reader-support/supported-card-formats) for accepted card formats and their associated facility code, card number, and/or card number hex lengths.
2. **Credential Status** can be "active", "deactivated", or "deleted"
3. Click **Save**.

b. To sync a department identifier, add a new mapping with your desired source attribute (e.g., department or a custom extension attribute) and set the target attribute to costCenter (urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:costCenter). This syncs a department ID value to Command.
{% endstep %}
{% endstepper %}

**Attribute table**

| Name                                                                            | Type     |
| ------------------------------------------------------------------------------- | -------- |
| urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardFormat       | String   |
| urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumber       | String   |
| urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumberHex    | String   |
| urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:credentialStatus | String   |
| urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:facilityCode     | String   |
| urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:costCenter         | String   |

**Edit the App Registration**

Every SCIM-enabled Enterprise Application created in Microsoft Entra ID typically requires its own App Registration.

{% stepper %}
{% step %}
**In the search bar, type and select App registrations.**
{% endstep %}

{% step %}
**Switch to the All Applications tab and search for the name of your Verkada SCIM application.**
{% endstep %}

{% step %}
**On Overview, note your App Registration's Application (client) ID and Directory (tenant) ID. You will need these later to configure credentials for your Command application from your app registration.**
{% endstep %}

{% step %}
**On the left navigation, click Manage.**

a. Under **Certificates & secrets:**

1. Click **New client secret**.
2. Set the **Description** to "*Verkada SCIM Credentials*" and set your preferred certificate expiration date.
3. Copy and store the value displayed in the **Value** of the new Client Secret created. **This will only be displayed once.**

b. Under **API Permissions**:

1. Click **Add Permissions > Microsoft Graph.**
2. Select **Application Permissions** and search for "*User.ReadWrite.All*".
   1. Check the box to assign the permissions.
   2. Click **Add Permissions**.

      <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-aa4f0f2b5bbbaff72fb9e9a15901a282ef35d44f%2Fad547ffe93d23f99995dd7a4c0ea257e45d3c7ff.png?alt=media" alt="" width="774"></div>
3. To avoid having to manually review and approve all stage changes communicated between Microsoft Entra ID and your Command application, select **Grant admin consent for Default Directory**.

   <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-4423e1c0a9d4075c8aad869aa3639e31dfab157b%2Faf0b59609d298ec030fd694acd9bf2c34bbd19a6.png?alt=media" alt="" width="512"></div>

{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Refer to this list of credentials for [acceptable card formats](https://app.gitbook.com/s/aaHs5RfKqv9Z49mi02cC/installation/badge-reader-support/supported-card-formats).
{% endhint %}

**Access and update your credentials**

To set the extension attributes and the credential information for a particular user, use the Graph API instructions at: <https://learn.microsoft.com/en-us/graph/extensibility-overview>.

{% hint style="warning" %}
Setting the **credentialStatus** attribute to **active** when setting up a credential for a user is necessary to successfully sync credentials with Command. In the example below, credential status (credentialStatus) is extensionAttribute4.
{% endhint %}

Example:

```
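# extensionAttribute1-5 carry card format, card number, card number hex,
# credential status and facility code, matching the mappings configured above.
curl --location --request PATCH 'https://graph.microsoft.com/v1.0/users/<UserID>' \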
--header 'Authorization: Bearer <secure token>' \
--header 'Content-Type: application/json' \
--data '{
    "onPremisesExtensionAttributes": {
        "extensionAttribute1": "Standard 26-bit Wiegand",
        "extensionAttribute2": "7777",
        "extensionAttribute3": "7",
        "extensionAttribute4": "active",
        "extensionAttribute5": "111"
    }
}'
```
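
Taken together, the user mapping table and the credential mappings above determine the SCIM record that reaches Command. The Python sketch below is an added example, not Verkada's or Microsoft's code: it evaluates those mappings, including the `Switch` expression for `active`, against a constructed user whose credential values are the ones in the curl example. It assumes extensionAttribute1-5 map to the credential attributes in the order the page lists them and that the JSON layout follows SCIM 2.0 conventions; all function and sample names are hypothetical.

```python
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
VERKADA_CORE = "urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User"
VERKADA_ACCESS = "urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User"

# Extension attributes from the page's mapping table: target -> Entra source.
EXTENSION_MAPPINGS = {
    ENTERPRISE: {"employeeNumber": "employeeId",
                 "organization": "companyName",
                 "department": "department"},
    VERKADA_CORE: {"costCenter": "costCenter"},
}
# Credential targets -> extensionAttribute1-5, in the order the page lists them
# (assumption: that order is the intended pairing).
CREDENTIAL_MAPPINGS = {"cardFormat": "extensionAttribute1",
                       "cardNumber": "extensionAttribute2",
                       "cardNumberHex": "extensionAttribute3",
                       "credentialStatus": "extensionAttribute4",
                       "facilityCode": "extensionAttribute5"}
CREDENTIAL_STATUSES = {"active", "deactivated", "deleted"}


def switch(source, default, *pairs):
    """Entra's Switch(source, defaultValue, key1, value1, ...) expression."""
    if len(pairs) % 2:
        raise ValueError("Switch needs complete key/value pairs")
    return dict(zip(pairs[0::2], pairs[1::2])).get(str(source), default)


def to_scim_user(entra_user):
    """Apply the page's mappings to one Entra user given as a plain dict."""
    # active <- Switch([IsSoftDeleted], , "False", "True", "True", "False")
    active = switch(entra_user["IsSoftDeleted"], "",
                    "False", "True", "True", "False")
    user = {
        "schemas": [CORE],
        "userName": entra_user["userPrincipalName"],
        # Assumption of this sketch: the Switch result is sent as a boolean.
        "active": active == "True",
    }
    if entra_user.get("jobTitle"):
        user["title"] = entra_user["jobTitle"]
    name = {target: entra_user[source]
            for target, source in (("givenName", "givenName"),
                                   ("familyName", "surname"))
            if entra_user.get(source)}
    if name:
        user["name"] = name
    if entra_user.get("telephoneNumber"):
        # Target path in the table: phoneNumbers[type eq "work"].value
        user["phoneNumbers"] = [{"type": "work",
                                 "value": entra_user["telephoneNumber"]}]
    for urn, mapping in EXTENSION_MAPPINGS.items():
        values = {t: entra_user[s] for t, s in mapping.items()
                  if entra_user.get(s)}
        if values:
            user["schemas"].append(urn)
            user[urn] = values
    # Optional access credentials, read from the Graph property that the
    # page's curl example writes to.
    ext = entra_user.get("onPremisesExtensionAttributes") or {}
    credential = {t: ext[s] for t, s in CREDENTIAL_MAPPINGS.items()
                  if ext.get(s)}
    if credential:
        status = credential.get("credentialStatus")
        if status not in CREDENTIAL_STATUSES:
            raise ValueError(f"credentialStatus {status!r} is not one of "
                             f"{sorted(CREDENTIAL_STATUSES)}")
        user["schemas"].append(VERKADA_ACCESS)
        user[VERKADA_ACCESS] = credential
    return user


def credential_will_sync(scim_user):
    """The page requires credentialStatus 'active' for a credential to sync."""
    credential = scim_user.get(VERKADA_ACCESS, {})
    return credential.get("credentialStatus") == "active"


# Constructed sample user; the credential values are those in the curl example.
SAMPLE_USER = {
    "userPrincipalName": "alex.kim@example.com",
    "IsSoftDeleted": False,
    "jobTitle": "Facilities Manager",
    "givenName": "Alex",
    "surname": "Kim",
    "telephoneNumber": "+1 555 0100",
    "employeeId": "E1001",
    "companyName": "Example Corp",
    "department": "Facilities",
    "costCenter": "CC-42",
    "onPremisesExtensionAttributes": {
        "extensionAttribute1": "Standard 26-bit Wiegand",
        "extensionAttribute2": "7777",
        "extensionAttribute3": "7",
        "extensionAttribute4": "active",
        "extensionAttribute5": "111",
    },
}

if __name__ == "__main__":
    print(json.dumps(to_scim_user(SAMPLE_USER), indent=2))
    deleted = dict(SAMPLE_USER, IsSoftDeleted=True)
    print("soft-deleted -> active:", to_scim_user(deleted)["active"])
```

Run directly, it prints the SCIM record for the sample user and shows `active` turning false once `IsSoftDeleted` is true.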

***

**Sync External ID to Verkada**

The externalId field allows you to assign a persistent, globally unique identifier to your users through Microsoft Entra that Verkada can reference across integrations. This is especially useful for large enterprise environments where users may need to be disambiguated across systems, or where syncing credentials (e.g., access cards) must be tied to a unique identity key. Verkada supports receiving and storing this value as part of its SCIM user schema. The field is case-sensitive and is typically configured to accept a string value from a designated attribute in your Microsoft Entra instance. This feature supports advanced workflows such as custom credential management, employee lifecycle automation, and consistent user mapping across orgs.

**Map externalId from Azure to Verkada**

To sync a custom externalId value from Microsoft Entra ID (Azure) to Verkada, follow these steps:

{% stepper %}
{% step %}
**Log in to your Azure portal.**
{% endstep %}

{% step %}
**In the search bar, type and select Enterprise Applications.**
{% endstep %}

{% step %}
**Select your Verkada SCIM application.**
{% endstep %}

{% step %}
**On the left panel, click Manage > Provisioning.**
{% endstep %}

{% step %}
**Expand the Mappings submenu and select Provision Microsoft Entra ID Users.**
{% endstep %}

{% step %}
**Scroll to the bottom and click Show advanced options > Edit attribute list for customappsso.**
{% endstep %}

{% step %}
**Add the following new attribute:**

`urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:externalId`

* Type: String
* Case-sensitive: Yes

{% endstep %}

{% step %}
**Click Save.**
{% endstep %}

{% step %}
**Go back to Provision Microsoft Entra ID Users and click Add New Mapping.**
{% endstep %}

{% step %}
**For Source Attribute, select the field from Azure AD where your external ID is stored (e.g., extensionAttribute1, employeeId, etc.).**
{% endstep %}

{% step %}
**For Target Attribute, use: urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:externalId**
{% endstep %}

{% step %}
**Click OK and then Save.**
{% endstep %}
{% endstepper %}

Once provisioned, the external\_id value will be stored in the user's SCIM record within Verkada. This provides users with a flexible, API-queryable ID that remains unique to their org and fully under their control, without being tied to Verkada's internal identifiers or exposed in the user interface.

![](https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-ad87e0166a1792938d4c35d10f1172332fbfa36e%2Fa1cab99d0a59e02d8322c174969b568cb1519438.png?alt=media)

{% hint style="info" %}
**Prefer to see it in action?** Check out the [video tutorial](https://www.youtube.com/watch?v=YSMzqFwWlW4).
{% endhint %}
{% endtab %}
{% endtabs %}

{% tabs %}
{% tab title="OIDC (Recommended)" %}

#### OIDC Based SSO for Azure Entra

Verkada Command supports Single Sign-On (SSO) through OpenID Connect (OIDC) with Azure Entra. This integration allows our users to seamlessly and securely authenticate using their existing Azure Entra credentials, streamlining access to Command and enhancing overall security.

{% hint style="danger" %}
OIDC is not supported on Desk Station apps.
{% endhint %}

{% hint style="info" %}
Enable [Enterprise Controlled Encryption (ECE)](https://help.verkada.com/command/security/enterprise-controlled-encryption) for enhanced security.
{% endhint %}

***

**Azure Entra configuration**

{% stepper %}
{% step %}
**Log in to your** [**Azure Entra portal**](https://portal.azure.com)**.**
{% endstep %}

{% step %}
**Search for and select App registrations.**
{% endstep %}

{% step %}
**Click New Registration.**

a. Name the application **Verkada SSO OIDC.**\
b. Under **Supported account types,** select **Accounts in this organizational directory only ( only - Single tenant).**\
c. Under **Redirect URI**, select **Single-page application** (SPA) as the platform and add the following callback URLs:

1. <https://command.verkada.com/oidc/aad/callback>
2. <https://org-short-name.command.verkada.com/oidc/aad/callback> (replace org-short-name in the URI with your Command organization's short name).

{% hint style="warning" %}
Verify there is no trailing slash in the callback URI.
{% endhint %}
{% endstep %}

{% step %}
**Click Register.**
{% endstep %}

{% step %}
**Copy and store your Application (Client) ID and Directory (Tenant) ID in a safe place. You will need them to complete the setup in Verkada Command.**
{% endstep %}

{% step %}
**On the left, click Manage > Expose an API.**

a. Click **Add a scope.**\
b. Click **Save and continue**.\
c. Enter *verkada\_ece* for the following fields:

* Scope name
* Admin consent display name
* Admin consent description
* User consent display name
* User consent description

d. Set **Who can consent?** to **Admins and users.**\
e. Click **Add scope.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-aec1149e6970227126f726c9c06f46e5c865b681%2F1d3772842a085fc3d15f2795987254a747399203.png?alt=media" alt="" width="800"></div>
{% endstep %}
{% endstepper %}

***

**Verkada Command configuration**

{% stepper %}
{% step %}
**In Verkada Command, go to All Products > Admin.**
{% endstep %}

{% step %}
**In the left navigation, select Login & Access.**
{% endstep %}

{% step %}
**Select Single Sign-On Configuration.**
{% endstep %}

{% step %}
**Under OIDC Configuration, click Add New.**

a. Toggle on **Enable.**\
b. (Optional) Toggle on **Require OIDC SSO.**\
c. Under **Select Provider,** select **Azure Entra.**\
d. Under **Add Client and Tenant,** click :plus:.

1. In the **Client ID** field, paste the Client ID you copied from Azure Entra.
2. In the **Tenant ID** field, paste the Tenant ID you copied from Azure Entra.
3. Click **Done**.

e. Under **Email Domains,** click :plus:**.**

1. Enter your domain name (e.g., @verkada.com).
2. Click **Done**.

   <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-03a2ba25ea251f2a72146ba1464a58bc4e11e7fd%2Ff054308c20f7523b4f1f29da383884cb7c2e6453.png?alt=media" alt="" width="215"></div>

{% endstep %}

{% step %}
**Click Run Login Test.**
{% endstep %}

{% step %}
**A successful login test should redirect to the OIDC configuration page. Once you're logged in, add the domain that you need to whitelist.**
{% endstep %}

{% step %}
**Once your domain is added, run the login test again. SSO will not be enabled until this second login test successfully completes.**
{% endstep %}

{% step %}
**Once your domain is verified, you should see it successfully validated.**
{% endstep %}
{% endstepper %}
{% endtab %}

{% tab title="SAML" %}

### Microsoft Entra ID SAML Integration

Depending on your use case, [Verkada Command](https://help.verkada.com/command/getting-started/get-started-with-verkada-command) has the ability to integrate with Microsoft Entra ID, amongst other Identity Providers \[IdPs], in the following capacities:

* Security Assertion Markup Language (SAML)
* System for Cross-Domain Identity Management (SCIM)

**SAML** handles the authentication side of things, allowing Microsoft Entra ID to be used to manage access to Command, the same way it is used to manage access to other Software as a Service (SaaS) applications already integrated into your Microsoft Entra ID tenant. This means that you can incorporate Command into your existing identity framework and authorize users based on your current policies.

**SCIM** allows you to leverage your existing users and groups already present in Microsoft Entra ID and synchronize these with Command. This allows you to retain the current central IdP, and configure permissions in Command using your existing users and groups.

***

#### Set up SAML in Microsoft Entra ID

Verkada Command is registered as a gallery application and can be found within the Microsoft Entra ID marketplace; in other words, you can leverage it with Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2 licenses.

{% hint style="danger" %}
To get started, you need your `client-ID`. Learn how to [generate it and configure your email domains](https://help.verkada.com/command/security/identity-providers/..#generate-client-id), then return to this article to complete the remainder of this process.
{% endhint %}

{% stepper %}
{% step %}
**Add Verkada Command as an enterprise application in your Microsoft Entra ID directory: Go to your Microsoft Entra ID overview page and select Enterprise applications.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-a79722a44181b1fdc58b4a446717b725395bf3f0%2Fea7d4d52ebddb8b4b886e1e9eb2febc75e0d86b3.png?alt=media" alt="" width="603"></div>
{% endstep %}

{% step %}
**At the top of the page, select New Application and search for Verkada Command.**
{% endstep %}

{% step %}
**Select Verkada Command and click Create.** *Be patient as it can take a few minutes to add the application to your Microsoft Entra ID tenant.*

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-31d38b1f41a163cd63acdd388f7841043225dcba%2Fa059e22dc1d67995f891ded49cfd7d882ce4e00a.png?alt=media" alt="" width="629"></div>

Once the page refreshes, you should see a similar menu (as shown below).
{% endstep %}

{% step %}
**On Set up single sign-on, click Get started.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-6a28059d10b2ee41a6e442c29b98e00025eff15a%2F7cf12443f73d5124fb52129d4b2835c317bf1d57.png?alt=media" alt="" width="389"></div>
{% endstep %}

{% step %}
**Choose SAML as the single sign-on method.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-d6d6ca8dd62db59b642475c10341b7b46962fb2c%2F0e6513aae4262222ba5c16809425c6c77d2b8333.png?alt=media" alt="" width="376"></div>
{% endstep %}

{% step %}
**If necessary, click Edit to further configure your SAML connection.**
{% endstep %}

{% step %}
**Configure the following fields. You need to add your client ID to the end of each URL before adding them to Microsoft Entra ID. See example below the note.**

a. For **Identifier**:\
For US orgs: <https://vauth.command.verkada.com/saml/sso>\
For EU orgs: <https://saml.prod2.verkada.com/saml/sso>\
For AUS orgs: <https://saml.prod-ap-syd.verkada.com/saml/sso>

b. For **Reply URL**:\
For US orgs: <https://vauth.command.verkada.com/saml/sso>\
For EU orgs: <https://saml.prod2.verkada.com/saml/sso>\
For AUS orgs: <https://saml.prod-ap-syd.verkada.com/saml/sso>

c. For **Sign on URL**:\
For US orgs: <https://vauth.command.verkada.com/saml/login>\
For EU orgs: <https://saml.prod2.verkada.com/saml/login>\
For AUS orgs: <https://saml.prod-ap-syd.verkada.com/saml/sso>

{% hint style="warning" %}
To confirm which region you're located in, refer to where [your organization was created for Verkada](https://help.verkada.com/command/getting-started/get-started-with-verkada-command).
{% endhint %}

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-e84505986b291d1cf02b8ac24fe7db4af6b4733e%2Ff62fd260c99f8d34d4950ec1001629614d31095d.png?alt=media" alt="" width="561"></div>
{% endstep %}

{% step %}
**Click Save.**
{% endstep %}

{% step %}
**On Attributes & Claims, click Edit to be consistent with these attributes:**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-8cdb4bb7a93e576e03f624af4351e402854ae662%2F8a7793cc70060ce40c5de3ee9b01b011005ee621.png?alt=media" alt="" width="806"></div>

{% hint style="warning" %}
If you use a different source attribute for email, configure the attributes according to the source attribute you want to use.
{% endhint %}
{% endstep %}

{% step %}
**On SAML Signing Certificate, import this Federation Metadata XML into Command.**
{% endstep %}

{% step %}
**Click Download to save for later.**

<div align="left" data-with-frame="true"><figure><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2FmfEkOw29Ocbgl3OiCU9l%2Fimage.png?alt=media&#x26;token=6850c898-fc72-49fb-8dd6-1c9906435d4f" alt="" width="375"><figcaption></figcaption></figure></div>

{% hint style="info" %}
The next dialogs that appear will contain tools you can use after the integration is finalized.
{% endhint %}
{% endstep %}

{% step %}
**Continue to Verkada Command to** [**complete the configuration**](https://help.verkada.com/command/security/identity-providers/..#command-sso-configuration)**.**
{% endstep %}
{% endstepper %}

***

#### Test the SAML connection in Microsoft Entra ID

{% stepper %}
{% step %}
**Once the file is uploaded, in your Microsoft Entra ID, click Test to test the integration. A notification will be sent to all users who have a Command account (invitation to org).**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-67a512262a5b97e88b3dc244907bae7a5fd6e955%2Ff3f197e1c60a2b69aaa4e5ac9d7dadce9ac29dde.png?alt=media" alt="" width="763"></div>
{% endstep %}

{% step %}
**Log in with Sign in as current user. If everything is set up correctly, you should be redirected to the Command platform.**
{% endstep %}

{% step %}
**Log in with single sign-on to verify access to Command.**
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Microsoft Entra ID does not support nested groups for app access at this time. All users must be direct members of groups to be assigned.
{% endhint %}

***

#### Log in via the mobile application

{% hint style="info" %}
The Android and iOS Command apps support SAML-based login.
{% endhint %}

{% stepper %}
{% step %}
**Open your Command app.**
{% endstep %}

{% step %}
**In the email address field, enter your email and click Next.**
{% endstep %}

{% step %}
**You should be redirected to your IdP (Microsoft Entra ID) to complete the login process.**
{% endstep %}
{% endstepper %}
{% endtab %}

{% tab title="User Provisioning" %}

#### Microsoft Entra ID SCIM Integration

Verkada Command integrates with Microsoft Entra ID using System for Cross-Domain Identity Management (SCIM) for automated user and group provisioning.

SCIM synchronizes users and groups from Microsoft Entra ID directly into Command. This lets you:

* Retain Microsoft Entra ID as your central IdP.
* Automatically update users and groups in Command as changes occur in Entra ID.
* Assign and manage permissions in Command using your existing identity structure.

{% hint style="info" %}
If your organization uses SCIM, phone numbers can only be provisioned through SCIM. You will not be able to edit your phone number directly in Command.
{% endhint %}

***

**SCIM in Microsoft Entra ID configuration**

Before you configure SCIM in Microsoft Entra ID, you need to generate your secret token in Command.

{% stepper %}
{% step %}
**In Verkada Command, go to All Products > Admin.**
{% endstep %}

{% step %}
**Under Org Settings, select Login & Access & Logs > SCIM Users Provisioning.**
{% endstep %}

{% step %}
**Click Add Domain, and enter all relevant email domains you plan to use with SCIM.**

This generates a SCIM token, **which is viewable only once.**

a. Click **Copy** and store the token in a secure place to use later in the configuration.\
b. Click [**Refresh**](https://help.verkada.com/command/security/identity-providers/scim-token-management) to generate a new token if you did not copy your token or it is not visible.
{% endstep %}

{% step %}
**From the Microsoft Entra ID homepage, select Enterprise applications > New application > Create your own application.**
{% endstep %}

{% step %}
**In the Create your own application side panel, type the application's name, select the non-gallery application, and click Create.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-5cfbf0ff95ca73f13f19aed05b2c61b8dd761961%2F0d277fc07236fd024fc828626266cebb7a1739c5.png?alt=media" alt="" width="638"></div>
{% endstep %}

{% step %}
**Under Provision User Accounts, click Get started.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-1341f38eab1af808467616d35442152f48ab2d9d%2F0dfb71e30a18d4b2696fdbee4277dcf0c0517399.png?alt=media" alt="" width="380"></div>
{% endstep %}

{% step %}
**Select Manage > Provisioning.**
{% endstep %}

{% step %}
**On the provisioning page:**

a. Set the Provisioning Mode to Automatic.\
b. Set the Tenant URL as:

* For US orgs: <https://api.command.verkada.com/scim>
* For EU orgs: <https://scim.prod2.verkada.com/scim>
* For AUS orgs: <https://scim.prod-ap-syd.verkada.com/scim>

{% hint style="warning" %}
To confirm which region you're located in, [refer to where your organization was created for Verkada](https://help.verkada.com/command/getting-started/get-started-with-verkada-command).
{% endhint %}

c. Fill in the SCIM *token* generated in Verkada Command (step 2) as the secret token.

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-bbcbdb56d3a1769a9abb7fd774dade529c56c69f%2F6c4f280ddf634cc0ce6b263d9151b1376832a14a.png?alt=media" alt="" width="570"></div>
{% endstep %}

{% step %}
**Click Test Connection. You should see a confirmation that the SCIM connection is successful.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-902e0f5456e4f35ffeb11b024cbf5dd8baf605c0%2Fa5c7bdcf892e35acf42b6bdff389f416b64c7719.png?alt=media" alt="" width="184"></div>
{% endstep %}

{% step %}
**Click Save.**
{% endstep %}
{% endstepper %}

***

**Configure attributes for Microsoft Entra ID groups**

{% stepper %}
{% step %}
**In the Entra ID portal, click to expand the Mappings dropdown, and select Provision Microsoft Entra ID Groups.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-4a623fd52425e353786b4892cd3acc7d4b8edf27%2Ff10d56a65a6b2ac555032ee1de3f886f556f5eb3.png?alt=media" alt="" width="353"></div>
{% endstep %}

{% step %}
**Configure your mappings to match this screenshot of the data table:**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-31130622b7f819e0fe728159be45127f19ef2c0e%2F44aa9e033fa9a4e96216e17268ab26622e3dcdf7.png?alt=media" alt="" width="741"></div>

{% hint style="warning" %}
The **externalId** attribute is added by default. Remove this attribute to avoid issues with the configuration.
{% endhint %}
{% endstep %}

{% step %}
**(Optional) If you need to add a mapping:**

a. Click **Add New Mapping** > select the **Source attribute** to match the Microsoft Entra ID attribute above.\
b. Set the **Target attribute** to match the **customappsso** attribute above.\
c. Click **OK**.
{% endstep %}

{% step %}
**Click Save and confirm changes, if necessary.**
{% endstep %}

{% step %}
**At the top of the page, select Provisioning to return to the Provisioning page.**
{% endstep %}
{% endstepper %}

***

**Configure attributes for Microsoft Entra ID users**

{% stepper %}
{% step %}
**In the Entra ID portal, click to expand the Mappings dropdown, then select Provision Microsoft Entra ID Users to change the user mappings.**
{% endstep %}

{% step %}
**Update your mappings to match the attribute table below.**

{% hint style="warning" %}
The **Switch** attribute under Microsoft Entra ID Attribute is added as an **Expression** mapping type.
{% endhint %}

`Switch([IsSoftDeleted], , "False", "True", "True", "False")`

| customappsso Attribute                                                    | Microsoft Entra ID Attribute                                 |
| ------------------------------------------------------------------------- | ------------------------------------------------------------ |
| userName                                                                  | userPrincipalName                                            |
| active                                                                    | Switch(\[IsSoftDeleted], , "False", "True", "True", "False") |
| title                                                                     | jobTitle                                                     |
| name.givenName                                                            | givenName                                                    |
| name.familyName                                                           | surname                                                      |
| phoneNumbers\[type eq "work"].value                                       | telephoneNumber                                              |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber | employeeId                                                   |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization   | companyName                                                  |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department     | department                                                   |
| urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:costCenter   | costCenter                                                   |

{% hint style="warning" %}
Source Attribute is the Microsoft Entra ID Attribute and Target Attribute is the customappsso Attribute. If any of the **customappsso** attributes are not available as a **Target Attribute**, you may need to add them to your Microsoft Entra ID platform as an option. To do so, check the **Show advanced options** box and click **Edit attribute list for customappsso**.
{% endhint %}

{% hint style="warning" %}
SCIM-managed users no longer have the option to edit their phone number in Command; instead, it can only be provisioned via SCIM. On the IdP side, you can set up your attribute mapping such that any field in your IdP instance maps to the **phone number** field in Command. You can also set it up such that **no** field in the IdP maps to the **phone number** field in Command. However, even in this case, phone numbers remain a **locked** field in Command and can only be edited through SCIM.
{% endhint %}
{% endstep %}

{% step %}
**Click Save to confirm the changes.**
{% endstep %}

{% step %}
**At the top, select Provisioning and toggle on Provisioning Status.**

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-9bf4b864e5ebcab4b004a36e3fb9f1efb5de5508%2F2f8bbcec0c707caff24b2482e6a9016ade0cf410.png?alt=media" alt="" width="528"></div>
{% endstep %}

{% step %}
**Depending on the requirements, adjust the scope to one of the required options:**

* Sync all users and groups.
* Sync only assigned users and groups.

{% hint style="warning" %}
Ensure users and groups are assigned to the enterprise application under Users and Groups. Those assigned are the ones provisioned and present in Command.
{% endhint %}
{% endstep %}

{% step %}
**Verify that users are assigned to the application. Once the initial provisioning cycle has elapsed:**

a. You should see the total number of users and groups that have been provisioned successfully under **Overview**.\
b. In Command, you should see these users and groups populated with the associated **SCIM Managed** tag. These synchronized users and groups can now be used in Command and assigned permissions to control access to the Command platform.

<div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-c9de2cdcacd0a3b5eb9526668689ce24f683ce87%2F37548569136def5ff33826d71fa20894c5d98e8c.jpg?alt=media" alt="" width="1449"></div>
{% endstep %}
{% endstepper %}

**Delete SCIM-managed users from Command**

When a SCIM-managed user is deactivated in your identity provider, you can remove the user from Command in two ways:

* **Delete the user** – The account moves to the Deleted Users page but keeps historical records, roles, and permissions.
* **Permanently remove the user** – All roles, credentials, access logs, and associated data are erased. If the user is re-provisioned via SCIM, Command creates a new user record.

{% hint style="warning" %}
You must deactivate the user in your identity provider (IdP) before either deletion option is available in Command.
{% endhint %}

***

**(Optional) Add access credentials to SCIM users**

{% stepper %}
{% step %}
**Log in to your** [**Azure portal**](https://portal.azure.com)**.**
{% endstep %}

{% step %}
**In the search bar, type and select Enterprise Applications.**
{% endstep %}

{% step %}
**Select your Verkada SCIM application.**
{% endstep %}

{% step %}
**On the left panel, click Manage > Provisioning.**
{% endstep %}

{% step %}
**Expand the Mappings submenu and select Provision Microsoft Entra ID Users.**
{% endstep %}

{% step %}
**At the bottom, click Show advanced options > Edit attribute list for customappsso.**

a. Add the attributes from the table below.\
b. Click **Save**.
{% endstep %}

{% step %}
**Go back to Provision Microsoft Entra ID Users and select Add New Mapping.**

a. Use extensionAttributes 1-5 as **Source Attributes** and map them to the new attributes created for **Card Format, Card Number, Card Number Hex, Credential Status,** and **Facility Code** as the target attributes.

1. Reference [Acceptable Card Formats](https://app.gitbook.com/s/aaHs5RfKqv9Z49mi02cC/installation/badge-reader-support/supported-card-formats) for accepted card formats and their associated facility code, card number, and/or card number hex lengths.
2. **Credential Status** can be "active", "deactivated", or "deleted"
3. Click **Save**.

b. To sync a department identifier, add a new mapping with your desired source attribute (e.g., department or a custom extension attribute) and set the target attribute to costCenter (urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:costCenter). This syncs a department ID value to Command.
{% endstep %}
{% endstepper %}

**Attribute table**

| Name                                                                            | Type     |
| ------------------------------------------------------------------------------- | -------- |
| urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardFormat       | String   |
| urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumber       | String   |
| urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumberHex    | String   |
| urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:credentialStatus | String   |
| urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:facilityCode     | String   |
| urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:costCenter         | String   |

**Edit the App Registration**

Every SCIM-enabled Enterprise Application created in Microsoft Entra ID typically requires its own App Registration.

{% stepper %}
{% step %}
**In the search bar, type and select App registrations.**
{% endstep %}

{% step %}
**Switch to the All Applications tab and search for the name of your Verkada SCIM application.**
{% endstep %}

{% step %}
**On Overview, note your App Registration's Application (client) ID and Directory (tenant) ID. You will need these later to configure credentials for your Command application from your app registration.**
{% endstep %}

{% step %}
**On the left navigation, click Manage.**

a. Under **Certificates & secrets:**

1. Click **New client secret**.
2. Set the **Description** to "*Verkada SCIM Credentials*" and set your preferred certificate expiration date.
3. Copy and store the value displayed in the **Value** of the new Client Secret created. **This will only be displayed once.**

b. Under **API Permissions**:

1. Click **Add Permissions > Microsoft Graph.**
2. Select **Application Permissions** and search for "*User.ReadWrite.All*".
   1. Check the box to assign the permissions.
   2. Click **Add Permissions**.

      <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-aa4f0f2b5bbbaff72fb9e9a15901a282ef35d44f%2Fad547ffe93d23f99995dd7a4c0ea257e45d3c7ff.png?alt=media" alt="" width="774"></div>
3. To avoid having to manually review and approve all stage changes communicated between Azure Entra and your Command application, select **Grant admin consent for Default Directory**.

   <div align="left" data-with-frame="true"><img src="https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-4423e1c0a9d4075c8aad869aa3639e31dfab157b%2Faf0b59609d298ec030fd694acd9bf2c34bbd19a6.png?alt=media" alt="" width="512"></div>

{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Refer to this list of credentials for [acceptable card formats](https://app.gitbook.com/s/aaHs5RfKqv9Z49mi02cC/installation/badge-reader-support/supported-card-formats).
{% endhint %}

**Access and update your credentials**

To set the extension attributes and the credential information for a particular user, use the Graph API instructions at: <https://learn.microsoft.com/en-us/graph/extensibility-overview>.

{% hint style="warning" %}
To sync credentials with Command successfully, set the **credentialStatus** attribute to **active** when setting up a credential for a user. Here, credential status (credentialStatus) is extensionAttribute4.
{% endhint %}

Example:

```
curl --location --request PATCH 'https://graph.microsoft.com/v1.0/users/<UserID>' \
--header 'Authorization: Bearer <secure token>' \
--header 'Content-Type: application/json' \
--data '{
    "onPremisesExtensionAttributes": {
        "extensionAttribute1": "Standard 26-bit Wiegand",
        "extensionAttribute2": "7777",
        "extensionAttribute3": "7",
        "extensionAttribute4": "active",
        "extensionAttribute5": "111"
    }
}'
```
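The same request with input checks, as an added example that is not part of Verkada's or Microsoft's documentation: it validates the five credential fields before building the PATCH body, and hands the bearer token and body to curl through a config read from stdin so they stay out of the process list and shell history. The function names, the `GRAPH_TOKEN` variable and the character-set rules are assumptions; the attribute order follows the mapping described above.

```shell
#!/bin/sh
# Added example: validate credential fields, then build the Graph PATCH body.
# Attribute order follows this page: 1=card format, 2=card number,
# 3=card number hex, 4=credential status, 5=facility code.
# The character-set rules are assumptions, not Verkada's published limits.
LC_ALL=C; export LC_ALL

is_digits() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }
is_hex()    { case $1 in ''|*[!0-9A-Fa-f]*) return 1 ;; esac; }
is_status() { case $1 in active|deactivated|deleted) return 0 ;; *) return 1 ;; esac; }
is_label() {
    # Letters, digits, space, dot, underscore, hyphen: nothing that needs JSON escaping.
    case $(printf '%s' "$1" | tr -d ' ') in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Append "name":"value" to $fields. Empty values are skipped, so the PATCH
# leaves those attributes as they are in the directory.
add_field() {
    [ -n "$2" ] || return 0
    fields="${fields}${fields:+,}\"$1\":\"$2\""
}

# Args: card_format card_number card_number_hex credential_status facility_code
build_credential_payload() {
    card_format=$1 card_number=$2 card_number_hex=$3 status=$4 facility_code=$5

    is_status "$status" ||
        { echo "credentialStatus must be active, deactivated or deleted" >&2; return 1; }
    [ -z "$card_format" ] || is_label "$card_format" ||
        { echo "card format contains unexpected characters" >&2; return 1; }
    [ -z "$card_number" ] || is_digits "$card_number" ||
        { echo "card number must be decimal digits" >&2; return 1; }
    [ -z "$card_number_hex" ] || is_hex "$card_number_hex" ||
        { echo "card number hex must be hexadecimal digits" >&2; return 1; }
    [ -z "$facility_code" ] || is_digits "$facility_code" ||
        { echo "facility code must be decimal digits" >&2; return 1; }

    # Assumption: an active credential needs a format and at least one number.
    if [ "$status" = active ]; then
        [ -n "$card_format" ] ||
            { echo "an active credential needs a card format" >&2; return 1; }
        [ -n "$card_number$card_number_hex" ] ||
            { echo "an active credential needs a card number or card number hex" >&2; return 1; }
    fi

    fields=""
    add_field extensionAttribute1 "$card_format"
    add_field extensionAttribute2 "$card_number"
    add_field extensionAttribute3 "$card_number_hex"
    add_field extensionAttribute4 "$status"
    add_field extensionAttribute5 "$facility_code"
    printf '{"onPremisesExtensionAttributes":{%s}}\n' "$fields"
}

# Send the body to Graph. The token is read from GRAPH_TOKEN (assumed name) and
# passed to curl in a config on stdin, never as a command-line argument.
send_credential_patch() {
    user_id=$1 body=$2
    [ -n "${GRAPH_TOKEN:-}" ] || { echo "GRAPH_TOKEN is not set" >&2; return 1; }
    case $user_id in
        ''|*[!A-Za-z0-9@._-]*) echo "unexpected characters in user id" >&2; return 1 ;;
    esac
    # Escape backslashes and quotes for curl's quoted config syntax.
    escaped=$(printf '%s' "$body" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf 'header = "Authorization: Bearer %s"\nheader = "Content-Type: application/json"\ndata = "%s"\n' \
        "$GRAPH_TOKEN" "$escaped" |
        curl --silent --show-error --fail --request PATCH --config - \
            "https://graph.microsoft.com/v1.0/users/${user_id}"
}

# Usage (values are the constructed ones from the example above):
#   body=$(build_credential_payload "Standard 26-bit Wiegand" 7777 7 active 111) &&
#       send_credential_patch "<UserID>" "$body"
```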

***

**Sync External ID to Verkada**

The externalId field allows you to assign a persistent, globally unique identifier to your users through Microsoft Entra that Verkada can reference across integrations. This is especially useful for large enterprise environments where users may need to be disambiguated across systems, or where syncing credentials (e.g., access cards) must be tied to a unique identity key. Verkada supports receiving and storing this value as part of its SCIM user schema. The field is case-sensitive and is typically configured to accept a string value from a designated attribute in your Microsoft Entra instance. This feature supports advanced workflows such as custom credential management, employee lifecycle automation, and consistent user mapping across orgs.

**Map externalId from Azure to Verkada**

To sync a custom externalId value from Microsoft Entra ID (Azure) to Verkada, follow these steps:

{% stepper %}
{% step %}
**Log in to your Azure portal.**
{% endstep %}

{% step %}
**In the search bar, type and select Enterprise Applications.**
{% endstep %}

{% step %}
**Select your Verkada SCIM application.**
{% endstep %}

{% step %}
**On the left panel, click Manage > Provisioning.**
{% endstep %}

{% step %}
**Expand the Mappings submenu and select Provision Microsoft Entra ID Users.**
{% endstep %}

{% step %}
**Scroll to the bottom and click Show advanced options > Edit attribute list for customappsso.**
{% endstep %}

{% step %}
**Add the following new attribute:**

`urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:externalId`

* Type: String
* Case-sensitive: Yes

{% endstep %}

{% step %}
**Click Save.**
{% endstep %}

{% step %}
**Go back to Provision Microsoft Entra ID Users and click Add New Mapping.**
{% endstep %}

{% step %}
**For Source Attribute, select the field from Azure AD where your external ID is stored (e.g., extensionAttribute1, employeeId, etc.).**
{% endstep %}

{% step %}
**For Target Attribute, use: urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:externalId**
{% endstep %}

{% step %}
**Click OK and then Save.**
{% endstep %}
{% endstepper %}

Once provisioned, the external\_id value will be stored in the user's SCIM record within Verkada. This provides users with a flexible, API-queryable ID that remains unique to their org and fully under their control, without being tied to Verkada's internal identifiers or exposed in the user interface.

![](https://705858581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNRq5qDDjsYNxwNzF1bcB%2Fuploads%2Fgit-blob-ad87e0166a1792938d4c35d10f1172332fbfa36e%2Fa1cab99d0a59e02d8322c174969b568cb1519438.png?alt=media)

{% hint style="info" %}
**Prefer to see it in action?** Check out the [video tutorial](https://www.youtube.com/watch?v=YSMzqFwWlW4).
{% endhint %}
{% endtab %}
{% endtabs %}
