Microsoft Entra ID SCIM Integration

Learn how to integrate Verkada Command with Microsoft Entra ID for SCIM

Updated over a month ago

Depending on your use case, Verkada Command can integrate with Microsoft Entra ID, among other Identity Providers (IdPs), in the following capacities:

  • Security Assertion Markup Language (SAML)

  • System for Cross-Domain Identity Management (SCIM)

SAML handles the authentication side, allowing Microsoft Entra ID to manage access to Command in the same way it already does for any other Software as a Service (SaaS) application integrated into your Microsoft Entra ID tenant. This means you can incorporate Command into your existing identity framework and authorize users based on your current policies.

SCIM lets you reuse the users and groups already present in Microsoft Entra ID and synchronize them into Command. You keep Microsoft Entra ID as the central IdP and configure permissions in Command using those existing users and groups.


Set up SCIM in Microsoft Entra ID

Before you configure SCIM in Microsoft Entra ID, you need to generate your secret token from Command:

  1. Go to All Products > Admin > Privacy & Security > SCIM Configuration.

  2. Add the email domain. This generates the token, which is viewable only once. To obtain a new token later, you need to refresh it.

  3. Click Add Domain, type all email domains you plan to use with SCIM, and then click Copy to save the token for later use. If you did not copy your token and it is no longer visible, click Refresh to generate a new one.

  4. From the Microsoft Entra ID homepage, select Enterprise applications > New application > Create your own application.

  5. Select the non-gallery application, name the application, and click Create.

  6. Under Provision User Accounts, click Get started (twice).

  7. On the provisioning page:

    a. Set the Provisioning Mode to Automatic.

    b. Set the Tenant URL as:

  8. Fill in your previously-generated secret token.

  9. Click Test Connection. You should see a confirmation that the SCIM connection is successful.

  10. Click Save to continue. (The attribute mappings do not appear until you click Save.)

Configure attributes for Microsoft Entra ID groups

  1. Click to expand the Mappings dropdown, then select Provision Microsoft Entra ID Groups.

  2. To follow the Microsoft Entra ID default mapping suggestions, add custom mappings for the customappsso column:

  3. (Optional) If you need to add a mapping:

    1. Click Add New Mapping, then select the Source attribute that matches the Microsoft Entra ID attribute above.

    2. Set the Target attribute to match the customappsso attribute above.

    3. Click OK.

  4. Click Save and confirm changes, if necessary.

  5. At the top of the page, select Provisioning to return to the Provisioning page.

Configure attributes for Microsoft Entra ID users

  1. Select Provision Microsoft Entra ID Users to make changes to the user mappings.

  2. Configure your mappings to match the screenshot or the data table (as shown below). The Switch attribute is added with the Expression mapping type.

    Note: If any of the customappsso attributes are not available as a Target Attribute, you may need to add them to your Microsoft Entra ID tenant first. To do so, check the Show advanced options box and click Edit attribute list for customappsso.

    Note: SCIM-managed users can no longer edit their phone number in Command; the phone number can only be provisioned via SCIM. On the IdP side, you can set up your attribute mapping so that any field in your IdP maps to the phone number field in Command, or so that no IdP field maps to it at all. Even in the latter case, the phone number remains a locked field in Command and can only be changed through SCIM. If you have questions or need further assistance, contact Verkada Support.

  3. Add employeeNumber, department, and organization, then click Save. Do not edit existing attributes.

  4. Click Save, confirm your changes, and at the top of the page, select Provisioning to return to the Provisioning page.

  5. Once finished with the mappings, toggle on the Provisioning Status.

  6. Depending on the requirements, adjust the scope to one of the required options:

    • Sync all users and groups

    • Sync only assigned users and groups. Ensure the relevant users and groups are assigned to the enterprise application under Users and Groups; only assigned users and groups are provisioned and appear in Command.

  7. Verify that the provisioning is set to On, and that users are assigned to the application.

    Once the initial provisioning cycle has elapsed:

    • You should see the total number of users and groups that have been provisioned successfully.

    • In Command, you should see these users and groups populated with the SCIM Managed tag. The synchronized users and groups can now be used in Command and assigned permissions to control access to the Command platform.


(Optional) Add access credentials to SCIM users

Configure Attributes on your Entra SCIM Application

  1. Log in to your Azure portal.

  2. In the search bar, type and select Enterprise Applications.

  3. Select your Verkada SCIM application.

  4. On the left panel, click Manage > Provisioning.

  5. Under Manage Provisioning, click Edit Attribute Mappings.

  6. Expand the Mappings submenu and select Provision Microsoft Entra ID Users.

  7. At the bottom, click Show advanced options > Edit attribute list for customappsso.

    1. Add the attributes from the Attribute table below to the bottom of the list.

    2. Click Save.

  8. Go back to Provision Microsoft Entra ID Users and select Add New Mapping.

    1. Use extensionAttribute1 through extensionAttribute5 as the Source Attributes and map them, in that order, to the new attributes you created: Card Format, Card Number, Card Number Hex, Credential Status, and Facility Code as the Target Attributes.

    2. Click Save.

Attribute table

Name                                                                              Type
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardFormat         String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumber         String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumberHex      String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:credentialStatus   String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:facilityCode       String

Edit the App Registration

Every SCIM-enabled Enterprise Application created in Microsoft Entra ID typically requires its own App Registration.

  1. In the search bar, type and select App registrations.

  2. Switch to the All Applications tab and search for the name of your Verkada SCIM application.

  3. On Overview, note your App Registration’s Application (client) ID and Directory (tenant) ID. You will need these later to configure credentials for your Command application from your app registration.

  4. On the left navigation, click Manage.

    1. Under Certificates & secrets:

      1. Click New client secret.

      2. Set the Description to "Verkada SCIM Credentials" and set your preferred expiration date for the secret.

      3. Copy and store the Value of the newly created client secret. It is displayed only once.

    2. Under API Permissions:

      1. Click Add Permissions > Microsoft Graph.

      2. Select Application Permissions and search for "User.ReadWrite.All".

        1. Check the box to assign the permissions.

        2. Click Add Permissions.

      3. To avoid having to manually review and approve every change communicated between Microsoft Entra ID and your Command application, select Grant admin consent for Default Directory.

Refer to this list of credentials for the acceptable card formats.

Access and update your credentials

To set the extension attributes and the credential information for a particular user, follow the Graph API instructions at: https://learn.microsoft.com/en-us/graph/extensibility-overview.

Note that the credentialStatus attribute must be set to active when you set up a credential for a user; otherwise the credential does not sync to Command.

Example:

# extensionAttribute1..5 carry, in order: card format, card number,
# card number hex, credential status and facility code.
curl --request PATCH \
  --url 'https://graph.microsoft.com/v1.0/users/yourusersid' \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/json" \
  --data '{
    "onPremisesExtensionAttributes": {
      "extensionAttribute1": "Standard 26-bit Wiegand",
      "extensionAttribute2": "1111",
      "extensionAttribute3": "1",
      "extensionAttribute4": "active",
      "extensionAttribute5": "111"
    }
  }'

Where credential status (credentialStatus) is extensionAttribute4.
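The same PATCH body, built and checked in Python as an added example (this is not Verkada's or Microsoft's code). It maps the five card fields onto extensionAttribute1 through extensionAttribute5 in the order used in the Add New Mapping step, rejects a credentialStatus other than active, renders the body under the customappsso attribute names from the Attribute table so you can see what Entra will forward to Command, and assembles the Graph request without sending it. The user object id, the token value and the card values are constructed placeholders; the function names are this example's own.

```python
"""Build and sanity-check the Graph PATCH body that feeds a Verkada access
credential through extensionAttribute1..5 (added example, not Verkada's code)."""
import json
import urllib.request

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users/"
SCIM_EXT = "urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:"

# Order follows the mapping step in the article:
# extensionAttribute1..5 -> Card Format, Card Number, Card Number Hex,
# Credential Status, Facility Code.
EXT_ATTR_TO_SCIM = {
    "extensionAttribute1": SCIM_EXT + "cardFormat",
    "extensionAttribute2": SCIM_EXT + "cardNumber",
    "extensionAttribute3": SCIM_EXT + "cardNumberHex",
    "extensionAttribute4": SCIM_EXT + "credentialStatus",
    "extensionAttribute5": SCIM_EXT + "facilityCode",
}


def build_credential_patch(card_format, card_number, card_number_hex, facility_code,
                           credential_status="active"):
    """Return the JSON body for PATCH /users/{id} carrying one access credential.

    All five values must be non-empty strings (the Attribute table declares them
    as String), and credentialStatus must be "active" or Command will not sync
    the credential.
    """
    values = [card_format, card_number, card_number_hex, credential_status, facility_code]
    if not all(isinstance(v, str) and v for v in values):
        raise ValueError("all five credential fields must be non-empty strings")
    if credential_status != "active":
        raise ValueError("credentialStatus must be 'active' for Command to sync the credential")
    ext = {
        "extensionAttribute1": card_format,
        "extensionAttribute2": card_number,
        "extensionAttribute3": card_number_hex,
        "extensionAttribute4": credential_status,
        "extensionAttribute5": facility_code,
    }
    return {"onPremisesExtensionAttributes": ext}


def to_scim_view(patch_body):
    """Rename extensionAttribute1..5 to the customappsso target attribute names."""
    ext = patch_body["onPremisesExtensionAttributes"]
    return {EXT_ATTR_TO_SCIM[k]: v for k, v in ext.items() if k in EXT_ATTR_TO_SCIM}


def build_request(user_id, token, patch_body):
    """Assemble the Graph PATCH request; the caller decides whether to send it."""
    req = urllib.request.Request(
        GRAPH_USERS + user_id,
        data=json.dumps(patch_body).encode("utf-8"),
        method="PATCH",
    )
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    return req


if __name__ == "__main__":
    # Constructed sample values mirroring the curl example in the article.
    body = build_credential_patch("Standard 26-bit Wiegand", "1111", "1", "111")
    print(json.dumps(body, indent=2))
    print(json.dumps(to_scim_view(body), indent=2))
    # To send for real, supply the user's object id (a placeholder here) and a
    # Graph token obtained with the app registration's client secret, then:
    # with urllib.request.urlopen(build_request("<user-object-id>", token, body)) as r:
    #     print(r.status)
```

Run the block as a script to print both views of the payload; only the commented-out urlopen call contacts Graph, so everything else works offline.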


Need more help? Contact Verkada Support.
