Identity Provisioning with Microsoft Entra ID
This guide explains how to integrate Microsoft Entra ID with the STACKIT Identity Provider (IdP). This integration enables identity provisioning, which reduces or eliminates the need to work with a proprietary user management API.
Prerequisites
Before you begin, ensure you have:
- An active STACKIT customer account: Create a STACKIT customer account
- Administrative access to your Microsoft Entra ID tenant.
Connect STACKIT IdP to your Microsoft Entra ID tenant
Request the Entra ID tenant integration
To integrate Microsoft Entra ID with the STACKIT IdP for your organization, open a ticket in the Help Center. The ticket must include your organization ID, which is linked to your STACKIT customer account.
During this request, you will need to specify your preferred method for secure authentication with the SCIM endpoint:
- STACKIT-managed Token (Recommended): STACKIT generates a Bearer Token for you. The token is valid for one (1) year; treat it as a long-lived secret, store it only in the Entra provisioning configuration, and plan its replacement before it expires.
- Customer-managed Private Key: You sign the SCIM tokens yourself with a private key that stays under your control, and you provide the corresponding public key in the ticket so that STACKIT can register it and verify your signatures.
In response to your ticket, you will receive the following essential items for configuration:
- Your Client ID and Client Secret.
- Confirmation of your chosen authentication method:
- The STACKIT-managed Bearer Token, OR
- Confirmation that your public key has been successfully registered.
Register STACKIT IdP as enterprise application
The Microsoft identity platform manages identities and access only for registered applications. Registering your application creates a trust relationship between your application and the Microsoft identity platform.
For detailed instructions, refer to the official Microsoft documentation: Integrate your SCIM endpoint with the Microsoft Entra provisioning service.
- In Entra ID, navigate to Entra ID > Enterprise apps.
- Select + New application > + Create your own application.
- Enter a meaningful name so you can recognize this instance of the application, and select the option Integrate any other application you don’t find in the gallery.
- Select Create.
You will be taken to the application you registered.
Configuration
Follow these steps to set up the SCIM provisioning connection within your registered application:
- Select Provisioning.
- Select + New configuration.
- In the Tenant URL field, enter the STACKIT IdP SCIM endpoint: https://accounts.stackit.cloud/scim/v2/
- Configure one of the two options, matching the authentication method you chose in the ticket:
- In the fields Client ID and Client Secret, enter the credentials you received from the STACKIT support team.
- In the field Token, enter either:
- the Bearer Token you received from the STACKIT support team, OR
- a JSON Web Token (JWT) that you sign with your own private key, the one corresponding to the public key you registered with STACKIT. This method gives you full control over the token lifecycle: you decide the lifetime and re-issue the token whenever you choose, and the private key never leaves your environment.
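For the customer-managed key option, the following is an added example (not STACKIT's or Microsoft's code, and not part of the original page) of what "a token generated via your own private key" looks like in practice: it creates an RSA key pair, prints the public key file you would attach to the ticket, mints a short-lived RS256 JWT with nothing but openssl, and verifies that JWT locally the way the receiving side would. The claim names and values (iss, sub, aud), the key file names and the 5-minute lifetime are assumptions chosen for illustration; STACKIT tells you which claims it expects when it registers your public key.

```shell
#!/bin/sh
# Added example, not STACKIT's or Microsoft's code: mint a short-lived RS256 JWT with a
# private key you keep, and verify it locally against the public key you would register
# with STACKIT. Only openssl is used. The claim names and values (iss, sub, aud) are
# ASSUMPTIONS chosen for illustration; use the claims STACKIT specifies when it registers
# your public key.
set -eu

b64url() {              # stdin -> base64url without padding (RFC 7515, section 2)
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

b64url_decode() {       # $1 base64url string -> raw bytes on stdout
  local pad
  case $(( ${#1} % 4 )) in 2) pad='==' ;; 3) pad='=' ;; *) pad='' ;; esac
  printf '%s%s' "$1" "$pad" | tr '_-' '/+' | openssl base64 -d -A
}

gen_keypair() {         # $1 private key file (keep it), $2 public key file (send to STACKIT)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$1" 2>/dev/null
  chmod 600 "$1"
  openssl pkey -in "$1" -pubout -out "$2"
}

mint_jwt() {            # $1 private key, $2 iss, $3 sub, $4 aud, $5 lifetime in seconds
  local key="$1" iss="$2" sub="$3" aud="$4" ttl="$5" now header payload input sig
  now=$(date +%s)
  header='{"alg":"RS256","typ":"JWT"}'
  # A short exp is the point of a customer-managed key: a leaked token dies quickly.
  payload=$(printf '{"iss":"%s","sub":"%s","aud":"%s","iat":%d,"exp":%d,"jti":"%s"}' \
    "$iss" "$sub" "$aud" "$now" "$((now + ttl))" "$(openssl rand -hex 16)")
  input="$(printf '%s' "$header" | b64url).$(printf '%s' "$payload" | b64url)"
  sig=$(printf '%s' "$input" | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s\n' "$input" "$sig"
}

verify_jwt() {          # $1 public key, $2 JWT; succeeds only if signed by the key and unexpired
  local pub="$1" jwt="$2" h p s rest sigfile exp
  h=${jwt%%.*}; rest=${jwt#*.}; p=${rest%%.*}; s=${rest#*.}
  sigfile=$(mktemp)
  b64url_decode "$s" > "$sigfile"
  if ! printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1
  then rm -f "$sigfile"; return 1
  fi
  rm -f "$sigfile"
  exp=$(b64url_decode "$p" | sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ]
}

# Stand-alone demo: fresh key pair, a 5-minute token, local verification.
work=$(mktemp -d)
gen_keypair "$work/scim-signing.key" "$work/scim-signing.pub"
token=$(mint_jwt "$work/scim-signing.key" example-org entra-scim-client \
  https://accounts.stackit.cloud/scim/v2/ 300)
verify_jwt "$work/scim-signing.pub" "$token" && echo "token verifies; public key: $work/scim-signing.pub"
```

The value printed by mint_jwt is what goes into the Token field in Entra. Because Entra stores that token and presents it on every SCIM call, the lifetime you choose for exp is also the interval at which you must mint a new token and update the provisioning configuration; pick it long enough for your rotation process and no longer.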
Test connection
Select Test Connection to have Microsoft Entra ID attempt to connect to the SCIM endpoint with the credentials you entered. If the attempt fails, error information is displayed.
Testing the provisioning feature can be challenging because just-in-time (JIT) provisioning might mask a provisioning failure: if a user can still be created at first sign-in, a successful login does not by itself prove that SCIM provisioning worked. The best approach is to use the provisioning logs in Microsoft Entra ID.
Alternatively, you can verify user provisioning by querying the SCIM v2 /Users endpoint with a filter. For example, use ?filter=email eq "user@example.com" (URL-encoded in the actual request) to check for a specific user. The request must carry a bearer token in the Authorization header.
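The /Users query just described, as an added example that is not part of the original page and not STACKIT's code: it percent-encodes the filter (the spaces and double quotes in the filter break the request if sent raw), builds the request with curl and the bearer token, and reads totalResults from the SCIM ListResponse. The sample ListResponse embedded below is constructed so the parsing can be exercised offline; the token is a placeholder. The filter attribute follows the page; the SCIM core schema names are userName and emails.value, so if the endpoint rejects email, try those.

```shell
#!/bin/sh
# Added example, not STACKIT's or Microsoft's code: look a provisioned user up on the
# SCIM v2 /Users endpoint. The sample response and the token below are constructed
# placeholders, not real STACKIT data.
set -eu

SCIM_BASE="https://accounts.stackit.cloud/scim/v2/"

urlencode() {           # percent-encode $1, keeping only RFC 3986 unreserved characters
  local s="$1" out='' c
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

scim_users_url() {      # $1 base URL, $2 SCIM filter expression (RFC 7644, section 3.4.2.2)
  printf '%sUsers?filter=%s' "${1%/}/" "$(urlencode "$2")"
}

scim_lookup_user() {    # $1 bearer token, $2 e-mail; performs the real request, needs network
  curl --fail --silent --show-error \
    -H "Authorization: Bearer $1" -H 'Accept: application/scim+json' \
    "$(scim_users_url "$SCIM_BASE" "email eq \"$2\"")"
}

scim_total_results() {  # stdin: ListResponse JSON -> totalResults on stdout (no jq needed)
  sed -n 's/.*"totalResults"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

user_is_provisioned() { # $1 ListResponse JSON; succeeds when exactly one user matched
  [ "$(printf '%s' "$1" | scim_total_results)" = "1" ]
}

# Constructed sample ListResponse standing in for the live endpoint in this offline demo.
SAMPLE_RESPONSE='{"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"totalResults":1,"itemsPerPage":1,"startIndex":1,"Resources":[{"id":"2819c223-7f76-453a-919d-413861904646","userName":"user@example.com","active":true}]}'

echo "Query URL: $(scim_users_url "$SCIM_BASE" 'email eq "user@example.com"')"
user_is_provisioned "$SAMPLE_RESPONSE" && echo "sample response: user present"
# Live check (network): scim_lookup_user "$STACKIT_SCIM_TOKEN" user@example.com | scim_total_results
```

A totalResults of 0 after a provisioning cycle means the user never reached the STACKIT IdP, regardless of what a sign-in attempt shows; check the Entra provisioning logs for that user's entry.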
Attribute mapping
Review the attribute mappings for the user and group objects. Select Save to commit any changes.
Start on-demand provisioning
You can validate the integration by following Microsoft Entra ID’s synchronization flows, such as triggering a Provision on-demand action.
Property settings
Select Overview in the left panel, then Properties. Here you can enable notification emails and accidental deletion prevention, which pauses provisioning and notifies you when the number of deletions in a cycle exceeds the threshold you set. Click Apply to save any changes.
Start provisioning service
Select Start provisioning. Microsoft provides detailed Provisioning logs to check for any failures. For more information on how to read the Microsoft Entra provisioning logs, see Reporting on automatic user account provisioning.
Verify your integration
After completing all tests on the Entra ID side, you can perform a practical validation by authenticating to the STACKIT Portal with the provisioned user.
If you use OAuth, you can also obtain a token for the provisioned user through an authorization code flow with the credentials you were given, requesting all available scopes, and verify that the returned claims match the attributes provisioned from Microsoft Entra ID via SCIM.