Microsoft Entra ID SCIM configuration

Enabling SCIM in 1Password SaaS Manager

A prerequisite for configuring SCIM in Entra ID is enabling SCIM in 1Password SaaS Manager.

Go to Settings > Users and find the Single Sign-On (SSO) > SCIM section. You will need the Base URL and Bearer token when configuring Entra ID, and you must click Enable SCIM before the token becomes valid. Treat the Bearer token as a secret: whoever holds it can manage users through the SCIM endpoint, so paste it only into the Entra ID Secret token field and do not keep a copy anywhere else.

Configuring an Enterprise application

  1. In Entra, go to Enterprise applications and click New application.
  2. Click Create your own application.
  3. Enter 1Password SaaS Manager as the name.
  4. Choose Integrate any other application you don't find in the gallery (Non-gallery).

    If a gallery application is proposed, do not select it. The gallery SaaS Manager app is not currently being updated and does not allow SCIM configuration. If you already have the older gallery app configured, you may need to remove it and reconfigure SAML 2.0 SSO on this new non-gallery app.
  5. Click Create.

Once you have done this, or if you already have a SaaS Manager application in Entra ID, go to the application overview page and choose Provisioning:

  1. Entra ID now uses a wizard-based approach to configuration. Choose Connect your application.
  2. Paste in the Base URL from SaaS Manager into Tenant URL, and the Bearer token from SaaS Manager into Secret token.
  3. Click Test connection. A confirmation message should be shown.
  4. Now click Create at the bottom of the page.
  5. Under Manage > Provisioning, expand the Mappings section and click Provision Microsoft Entra ID Groups.
  6. Set Enabled to No and click Save, so that Entra ID provisions users only and does not attempt to push groups.
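The Test connection step above issues an authenticated SCIM request against the Base URL and reports whether it succeeded. The script below is an added example (not code from 1Password, Trelica or Microsoft) that performs the same pre-flight check from your own machine, so you can tell apart the three failures that look identical in the Entra wizard: a token that is not yet valid because Enable SCIM was never clicked (HTTP 401), a wrong Base URL (a 200 that is not SCIM JSON, or a 404), and a transport problem. The Base URL, token and canned responses are placeholders or constructed so the example runs offline; the `fetch` parameter exists only to inject them.

```python
"""Pre-flight check for a SaaS Manager SCIM endpoint, mirroring what Entra ID's
"Test connection" does: GET /Users with a Bearer token and inspect the result.

Added example, not code from 1Password/Trelica or Microsoft. The Base URL and
Bearer token are placeholders; the canned responses below are constructed.
"""
import json
import urllib.error
import urllib.request

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_request(base_url: str, token: str, path: str) -> urllib.request.Request:
    """Build the same kind of request Entra ID sends: Bearer auth, SCIM media type."""
    if not base_url.startswith("https://"):
        # Never send a bearer token over plain HTTP.
        raise ValueError("SCIM Base URL must use https://")
    url = base_url.rstrip("/") + path
    return urllib.request.Request(
        url,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/scim+json",
        },
    )


def http_fetch(req: urllib.request.Request):
    """Perform the request; return (status, body) instead of raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def scim_probe(base_url: str, token: str, fetch=http_fetch) -> dict:
    """GET /Users?count=1 and translate the outcome into a verdict.

    A 401 is the symptom of a token that is not yet valid, i.e. Enable SCIM has
    not been clicked in SaaS Manager (or the token has since been regenerated).
    """
    status, body = fetch(build_request(base_url, token, "/Users?startIndex=1&count=1"))
    if status == 401:
        return {"ok": False, "status": status,
                "hint": "Unauthorized: click Enable SCIM in SaaS Manager and re-copy the Bearer token"}
    if status != 200:
        return {"ok": False, "status": status, "hint": f"Unexpected HTTP status {status}; check the Base URL"}
    try:
        doc = json.loads(body)
    except ValueError:
        return {"ok": False, "status": status, "hint": "200 but the body is not JSON; check the Base URL"}
    if LIST_RESPONSE_SCHEMA not in doc.get("schemas", []):
        return {"ok": False, "status": status, "hint": "Response is not a SCIM ListResponse; check the Base URL"}
    return {"ok": True, "status": status, "totalResults": doc.get("totalResults")}


# --- constructed responses so the example runs offline ------------------------
def fake_fetch_factory(status: int, body: bytes):
    """Return a fetch() stand-in that answers every request with a canned result."""
    def fake_fetch(req: urllib.request.Request):
        # The real endpoint would reject a request without the Bearer header.
        assert req.get_header("Authorization", "").startswith("Bearer ")
        return status, body
    return fake_fetch


OK_LIST = json.dumps({  # constructed SCIM ListResponse
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 42, "startIndex": 1, "itemsPerPage": 1,
    "Resources": [{"id": "u-1", "userName": "jane@example.com"}],
}).encode()


if __name__ == "__main__":
    base, token = "https://scim.example.invalid/scim/v2", "placeholder-token"  # assumptions
    print(scim_probe(base, token, fetch=fake_fetch_factory(401, b"")))
    print(scim_probe(base, token, fetch=fake_fetch_factory(200, OK_LIST)))
    print(scim_probe(base, token, fetch=fake_fetch_factory(200, b"<html>login</html>")))
```

To run it against a real tenant, call `scim_probe(base_url, token)` with the default `fetch`; leave the `https://` check in place, since the Bearer token is the only thing standing between the internet and your user directory.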

Testing

Go to Overview and choose Provision on demand, then Select a user and click Provision.

Entra will show if the user can be provisioned. You may need to add the user to the Enterprise application under the Users and groups page.

The user's email address must be on a domain that is registered in SaaS Manager as valid for user requests. Check this in SaaS Manager by going to Settings > Organization. Under Your organization, click through to the Domains section. The domain should be ticked in the User requests column.

Entra will show you the steps it has carried out and whether they have been successful.

Enabling provisioning

Make sure you have assigned the right users and groups to the SaaS Manager application.

When you are ready, you can enable provisioning.

What SaaS Manager role will be assigned to users?

Without specific configuration, users will be created with the default SaaS Manager role. This is visible under Settings > Users, in the Default role section.

If you wish to assign a specific role, you can configure an Attribute mapping in Entra. First you need to create App roles, and to do this you need to find the Application registration.

When you created the Enterprise app, Entra created a Service Principal object. Associated with that Service Principal is an Application registration. Provisioning is configured on the Service Principal object, but app roles are configured on the Application registration.

  1. Go to the App registration. You can get to this from the Enterprise application by clicking Users and groups and then clicking the application registration link.
  2. Go to Manage > App roles.
  3. Add the app roles you want. The Value of each app role must match the name of the SaaS Manager role exactly.
  4. Now go back to your Enterprise application (Service Principal).
  5. Choose Attribute mapping (Preview), then click Add New Mapping.
  6. Set Mapping type to Expression.
  7. Copy and paste in SingleAppRoleAssignment([appRoleAssignments]) as the Expression text.
  8. Set the Target attribute to roles[primary eq "True"].value
  9. Click OK, then click Save back on the Attribute Mapping page.
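The mapping above has three moving parts: the app role Value on the App registration, the expression `SingleAppRoleAssignment([appRoleAssignments])` that reduces a user's assignments to one string, and the target `roles[primary eq "True"].value` that SaaS Manager reads. The following added example (not code from 1Password, Trelica or Microsoft) models that chain on constructed data so you can see what happens when a Value does not match a role name, when a user has no app role (the default role applies) and when a user has more than one (Entra documents the result as unpredictable, so this model refuses). The SaaS Manager role names, the default role and the exact shape of the `roles` element Entra emits are assumptions.

```python
"""How an Entra ID app role becomes a SaaS Manager role via the SCIM roles attribute.

Added example, not code from 1Password/Trelica or Microsoft. It mirrors the mapping
SingleAppRoleAssignment([appRoleAssignments]) -> roles[primary eq "True"].value on
constructed data; the role names and the emitted roles shape are assumptions.
"""
from typing import List, Optional, Set


class RoleMappingError(Exception):
    """Raised where a real deployment would provision the wrong role or fail."""


def single_app_role_assignment(assignments: List[str]) -> Optional[str]:
    """Stand-in for Entra's SingleAppRoleAssignment: one assignment -> its Value.

    Entra documents the result as unpredictable when a user holds several app
    roles for the same application, so this model refuses instead of guessing.
    """
    if not assignments:
        return None
    if len(assignments) > 1:
        raise RoleMappingError(f"user holds {len(assignments)} app roles; assign exactly one")
    return assignments[0]


def build_scim_user(user_principal_name: str, display_name: str, role_value: Optional[str]) -> dict:
    """Build the SCIM 2.0 User body Entra would send, including the roles mapping."""
    body = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user_principal_name,
        "displayName": display_name,
        "emails": [{"primary": True, "type": "work", "value": user_principal_name}],
        "active": True,
    }
    if role_value is not None:
        # Target attribute roles[primary eq "True"].value: the filter compares
        # primary against the string "True", so that is what is emitted here (assumption).
        body["roles"] = [{"primary": "True", "value": role_value}]
    return body


def resolve_saas_manager_role(scim_user: dict, saas_manager_roles: Set[str], default_role: str) -> str:
    """What the receiving side does with roles[primary eq "True"].value.

    No primary role  -> the SaaS Manager default role (Settings > Users > Default role).
    Unknown value    -> error, because the app role Value must match a role name exactly.
    """
    primary = [r for r in scim_user.get("roles", []) if str(r.get("primary")).lower() == "true"]
    if not primary:
        return default_role
    value = primary[0].get("value")
    if value not in saas_manager_roles:
        raise RoleMappingError(
            f"app role Value {value!r} matches no SaaS Manager role {sorted(saas_manager_roles)}")
    return value


def check_app_roles(app_role_values: List[str], saas_manager_roles: Set[str]) -> List[str]:
    """Return app role Values that can never resolve because no SaaS Manager role has that name."""
    return [v for v in app_role_values if v not in saas_manager_roles]


# --- constructed data -----------------------------------------------------------
SAAS_MANAGER_ROLES = {"Admin", "Member", "Read only"}  # assumed role names
DEFAULT_ROLE = "Member"                                # assumed default role


if __name__ == "__main__":
    # App roles defined on the App registration; "Adminstrator" is a deliberate typo.
    print(check_app_roles(["Admin", "Adminstrator"], SAAS_MANAGER_ROLES))  # ['Adminstrator']
    jane = build_scim_user("jane@example.com", "Jane Doe", single_app_role_assignment(["Admin"]))
    print(resolve_saas_manager_role(jane, SAAS_MANAGER_ROLES, DEFAULT_ROLE))  # Admin
    bob = build_scim_user("bob@example.com", "Bob Roe", single_app_role_assignment([]))
    print(resolve_saas_manager_role(bob, SAAS_MANAGER_ROLES, DEFAULT_ROLE))  # Member
```

Run `check_app_roles` against the role names shown under Settings > Users in SaaS Manager before you assign anyone; a typo in an app role Value is silent in Entra and only surfaces as a failed or mis-roled provisioning event later.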


Comments

1 comment

  • Matt Tracey

    Hi there, does this article supersede the Entra SAML article https://help.trelica.com/hc/en-us/articles/7738989191965-Microsoft-Entra-ID-SAML-setup or does it more supplement it? It sounds like, from the red “Do not choose the Trelica app proposed” note in this article, that the two services (SCIM provisioning + SSO) can be combined so that this single non-gallery Trelica app can be used for both?
