Skip to main content

Microsoft Entra ID SCIM Integration

Learn how to integrate Verkada Command with Microsoft Entra ID for SCIM

Updated over a month ago

Depending on your use case, Verkada Command has the ability to integrate with Microsoft Entra ID, amongst other Identify Providers [IdPs], in the following capacities:

  • Security Assertion Markup Language (SAML)

  • System for Cross-Domain Identity Management (SCIM)

SAML handles the authentication side of things allowing Microsoft Entra ID to be used to manage access to Command, the same as any other Software as a Service (SaaS) application already integrates into your Microsoft Entra ID tenant. This means that you can incorporate Command into your existing identity framework and authorize users based on your current policies.

SCIM allows you to leverage your existing users and groups already present in Microsoft Entra ID and synchronize these with Command. This allows you to retain the current central IdP, and configure permissions in Command using your existing users and groups.

Jump to Microsoft Entra ID SAML integration

Set up SCIM in Microsoft Entra ID

Before you configure SCIM in Microsoft Entra ID, you need to generate your secret token from Command:

  1. In Verkada Command, go to All Products > Admin .

  2. Under Org Settings, select Security & Access > SCIM Users Provisioning.

  3. Click Add Domain, and enter all relevant email domains you plan to use with SCIM.

    This generates a SCIM token, which is viewable only once.

    1. Click Copy and store the token in a secure place to use later in the configuration.

    2. Click Refresh to generate a new token if you did not copy your token or it is not visible.

  4. From the Microsoft Entra ID homepage, select Enterprise applications > New application > Create your own application.

  5. In the Create your own application side panel, type the application's name, select the non-gallery application, and click Create.

  6. Under Provision User Accounts, click Get started.

  7. On the provisioning page:

    1. Set the Provisioning Mode to Automatic.

    2. Set the Tenant URL as:

    3. Fill in the SCIM token generated in Verkada Command (step 2) as the secret token.

  8. Click Test Connection. You should see a confirmation that the SCIM connection is successful.

  9. Click Save.

Configure attributes for Microsoft Entra ID groups

  1. Click to expand the Mappings dropdown, then select Provision Microsoft Entra ID Groups.

  2. Configure your mappings to match this screenshot of the data table:

    Note: The externalId attribute is added by default. Remove this attribute to avoid issues with the configuration.

  3. (Optional) If you need to add a mapping:

    1. Click Add New Mapping > select the Source attribute to match the Microsoft Entra IDattribute above.

    2. Set the Target attribute to match the customappsso attribute above.

    3. Click OK.

  4. Click Save and confirm changes, if necessary.

  5. At the top of the page, select Provisioning to return to the Provisioning page.

Configure attributes for Microsoft Entra ID users

  1. Click to expand the Mappings dropdown, then select Provision Microsoft Entra ID Users to change the user mappings.

  2. Update your mappings to match the screenshot or the data table (as shown below).

    Note: The Switch attribute under Microsoft Entra ID Attribute is added as an Expression mapping type.

    Switch([IsSoftDeleted], , "False", "True", "True", "False")

    Note: Source Attribute is the Microsoft Entra ID Attribute and Target Attribute is the customerappsso Attribute.

    Note: If any of the customappsso attributes are not available as a Target Attribute, you may need to add them to your Microsoft Entra ID platform as an option. To do so, check the Show advanced options box and click Edit attribute list for customappsso.

    Note: ​SCIM-managed users no longer have the option to edit their phone number in Command; instead, only provision via SCIM. On the IDP side, you can set up your attribute mapping such that any field in your IDP instance maps to the phone number field in Command. You can also set it up such that the no field in the IDP maps to the phone number field in Command. However, even in that case, phone numbers continue to be a locked field in Command and can only be edited through SCIM. If you have questions or need further assistance, contact Verkada Support.

  3. Click Save, confirm your changes, and at the top of the page, select Provisioning to return to the Provisioning page.

  4. Once finished with the mappings, toggle on the Provisioning Status.

  5. Depending on the requirements, adjust the scope to one of the required options:

    • Sync all users and groups.

    • Sync only assigned users and groups. Ensure users and groups are assigned to the enterprise application under Users and Groups. Those that are assigned are the ones provisioned and become present in Command.

  6. Verify that users are assigned to the application. Once the initial provisioning cycle has elapsed:

    • You should see the total number of users and groups that have been provisioned successfully under Overview.

    • In Command, you should see these users and groups populated with the associated SCIM Managed tag. These synchronized users and groups can now be used in Command and assigned permissions to control access to the Command platform.

(Optional) Add access credentials to SCIM users

Configure Attributes on your Entra SCIM Application

  1. Log in to your Azure portal.

  2. In the search bar, type and select Enterprise Applications.

  3. Select your Verkada SCIM application.

  4. On the left panel, click Manage > Provisioning.

  5. Expand the Mappings submenu and select Provision Microsoft Entra ID Users.

  6. At the bottom, click Show advanced options > Edit attribute list for customappsso.

    1. Add the attributes from the table below.

    2. Click Save.

  7. Go back to Provision Microsoft Entra ID Users and select Add New Mapping.

    1. Use extensionAttributes 1-5 as Source Attributes and map them to the new attributes we created using Card Format, Card Number, Card Number Hex, Credential Status, and Facility Code as the target attributes.

      1. Reference Acceptable Card Formats for accepted card formats and their associated facility code, card number, and/or card number hex lengths.

      2. Credential Status can be "active" or "deactivated."

    2. Click Save.

Attribute table

Name

Type

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardFormat

String

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumber

String

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumberHex

String

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:credentialStatus

String

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:facilityCode

String

Edit the App Registration

Every SCIM enabled Enterprise Application created on Entra AD typically requires its own App Registration.

  1. In the search bar, type and select App registrations.

  2. Switch to the All Applications tab and search for the name of your Verkada SCIM application.

  3. On Overview, note your App Registration’s Application (client) ID and Directory (tenant) ID. You will need these later to configure credentials for your Command application from your app registration.

  4. On the left navigation, click Manage.

    1. Under Certificates & secrets:

      1. Click New client secret.

      2. Set the Description to "Verkada SCIM Credentials" and set your preferred certificate expiration date.

      3. Copy and store the value displayed in the Value of the new Client Secret created. This will only be displayed once.

    2. Under API Permissions:

      1. Click Add Permissions > Microsoft Graph.

      2. Select Application Permissions and search for "User.ReadWrite.All”.

        1. Check the box to assign the permissions.

        2. Click Add Permissions.

      3. To avoid having to manually review and approve all stage changes communicated between Azure Entra and your Command application, select Grant admin consent for Default Director.

Refer to this list of credentials for acceptable card formats.

Access and update your credentials

To set the extension attributes and the credential information for a particular user, use the Graph API instructions at: https://learn.microsoft.com/en-us/graph/extensibility-overview.

Note: Setting the credentialStatus attribute to active when setting up a credential for a user is necessary to successfully sync credentials with Command. Where credential status (credentialStatus) is extensionAttribute4.

Example:

curl --location --request PATCH 'https://graph.microsoft.com/v1.0/users/<UserID>' \
--header 'Authorization: Bearer <secure token>' \
--header 'Content-Type: application/json' \
--data '{
    "onPremisesExtensionAttributes": {
        "extensionAttribute1": "Standard 26-bit Wiegand",
        "extensionAttribute2": "7777",
        "extensionAttribute3": "7",
        "extensionAttribute4": "active",
        "extensionAttribute5": "111"
    }
}'

Prefer to see it in action? Check out the video tutorial.

Need more help? Contact Verkada Support.

Related Articles
Get Started with Verkada Command
Microsoft Entra ID SAML Integration
Create or Refresh an Organization's SCIM Token
Okta SCIM Integration
Quick Reference Guide for Verkada Command
Did this answer your question?