Provision Identities from Microsoft Entra ID
Umbrella supports the provisioning of user and group identities from Microsoft Entra ID (formerly named Azure Active Directory (Azure AD)). You can provision users and groups from Microsoft Entra ID through the Cisco User Management Connector app in the Microsoft Entra ID portal. Then, after provisioning your identities, view and manage the user and group identities in Umbrella.
Note: You do not need to deploy an on-premises Cisco Active Directory (AD) Connector.
User and group identities from Microsoft Entra ID integrate with Umbrella roaming computers deployments:
- Umbrella roaming client
- Cisco Secure Client (AnyConnect Umbrella roaming security module)
Note: Microsoft Entra ID does not store the private IP to AD user mappings. You must use an on-premises Cisco AD connector for Umbrella virtual appliance (VA) or IP-to-user mapping deployments.
Table of Contents
- Prerequisites
- Limitations
- Procedure
- Configure Cisco User Management Connector App in Microsoft Entra ID
- Configure Guest Users
- View Users and Groups in Umbrella
Prerequisites
- A valid Microsoft Entra ID subscription with a premium Microsoft Entra ID license.
- No concurrent provisioning of the same user or group identities from on-premises AD and Microsoft Entra ID. If you are using the on-premises Cisco AD Connector to import user and group identities to Umbrella, and choose to import the same identities from Microsoft Entra ID, ensure that the on-premises Cisco AD connector is switched off or that the Cisco Connector service on the connector machine is stopped.
Note: Concurrent synchronization of the same user and group identities from the Cisco AD Connector and the Cisco User Management Connector app is not supported and leads to inconsistent policy enforcement. - Import of the ObjectGUID attribute from Microsoft Entra ID to Umbrella. The on-premises Cisco AD Connector and Cisco AnyConnect and Umbrella roaming clients rely on the ObjectGUID attribute for user identification. If all of your endpoints are running the Cisco Secure Client/AnyConnect version 4.10 MR6 or above, you do not have to import the ObjectGUID attribute from Microsoft Entra ID.
- Before you set up the import of the ObjectGUID attribute, ensure that the on-premises Cisco AD Connector that is synchronizing these identities is switched off or that the Cisco Connector service on the connector machine is stopped.
- To ensure that the ObjectGUID attribute for users is synchronized from Microsoft Entra ID to Umbrella, your endpoints must authenticate against on-premises AD and run the Cisco AnyConnect agent or Umbrella roaming client. For more information about how to import the ObjectGUID attribute for users, see Tutorial: Configure Cisco Umbrella User Management for automatic user provisioning.
- Full admin access to the Umbrella dashboard. For more information, see Manage User Roles.
Note: If you previously configured a policy against groups imported from on-premises AD, and then choose to import the same groups from Microsoft Entra ID, you must reconfigure the policy to map it to the Microsoft Entra ID groups instead of the on-premises AD groups. In a policy, on-premises AD group names are displayed with the domain name preceding the group name, for example: Domain1\ADGroup1. For Microsoft Entra ID, only group names are displayed on the policy page, for example: ADGroup1.
Limitations
- You can provision no more than 200 groups from Microsoft Entra ID to Umbrella. Umbrella supports the provisioning of an unlimited number of users from Microsoft Entra ID to Umbrella.
- To ensure that all users are provisioned, create a dynamic All Users group and assign this group to the Cisco User Management Connector app. For more information, see Dynamic Membership Rules for Groups in Azure Active Directory. You can assign additional groups as required for group-based Umbrella policy enforcement.
- The number of users and groups that you import may effect when the identities become available in Umbrella.
Note: Microsoft Entra ID does not support nested group memberships for group-based assignment to any SaaS application.
Procedure
- Navigate to Admin > API Keys.
- Click Static Keys and expand Azure Active Directory Provisioning.
- Click Generate Token.
- Copy and save your generated token.
- Copy and save the Azure Active Directory Provisioning URL,
https://api.umbrella.com/identity/v2/scim.
Note: We recommend that you refresh your token at least once every 180 days. To ensure that provisioning of users and groups is not impacted, immediately copy your new token to the Cisco User Management Connector app in the Azure AD portal.
Configure Cisco User Management Connector App in Microsoft Entra ID
With your Umbrella token and Azure Active Directory Provisioning URL, set up the Cisco User Management Connector app in the Microsoft Entra ID portal and provision users and groups. For more information, see Tutorial: Configure Cisco Umbrella User Management for automatic user provisioning.
- Navigate to the Cisco User Management Connector app in the Microsoft Entra ID portal.
- Add your token to the Secret Token field.
- Add the Azure Active Directory Provisioning URL to the Tenant URL field.
- Click Test Connection to confirm that you can use your Umbrella SCIM token to connect the Umbrella API with Microsoft Entra ID.
- Complete the steps to provision users from Microsoft Entra ID to Umbrella.
Review the user attributes that are synchronized from Microsoft Entra ID to the Cisco User Management Connector app in Attribute Mappings. The attributes selected as Matching properties are used to match the user accounts in the Cisco User Management Connector app for update operations. If you choose to change the matching target attribute, ensure that the Cisco User Management Connector app supports filtering users based on that attribute. - Click Save.
Supported Attributes for Users
| Cisco Attributes for Users | Microsoft Entra ID Attributes |
|---|---|
| userName | userPrincipalName |
| active | Not ([IsSoftDeleted]) |
| displayName | displayName |
| name.givenName | givenName |
| name.familyName | surname |
| name.formatted | Join (" ", [givenName], [surname]) |
| externalId | objectId |
Supported Attributes for Groups
| Cisco Attributes for Groups | Microsoft Entra ID Attributes |
|---|---|
| displayName | displayName |
| externalId | objectId |
| members | members |
Configure Guest Users
To provision a guest user from Microsoft Entra ID to Umbrella, sign into the Cisco User Management Connector app in Microsoft Entra ID and associate the Cisco Umbrella userName attribute with the Microsoft Entra ID originalUserPrincipalName attribute.
-
In Microsoft Entra ID, navigate to the Cisco User Management Connector app.
-
Navigate to Attribute Mappings.
-
Click Add New Mapping.
-
Add a mapping for userName to originalUserPrincipalName.
-
Click Save.
View Users and Groups in Umbrella
- Navigate to Deployments > Users and Groups to view the users and groups provisioned from Azure AD.
Provision Identities Through Manual Import < Provision Identities from Microsoft Entra ID > Provision Identities from Okta
Updated 14 days ago