Set up Microsoft Entra ID (Azure AD) SSO/SCIM
Lens premium subscription feature. See details on Lens Pricing.
Info
When you enable SSO authentication and SCIM provisioning, it only applies to users of your Lens Business ID. Users with the same domain but from a different Lens Business ID log in according to the settings of their own Lens Business ID.
This page explains how to integrate with the Microsoft Entra ID platform (formerly Azure Active Directory). You can create an enterprise application and configure both SSO and SCIM by associating the Entra ID application with the Lens Business ID. For details, see the Microsoft Entra documentation.
Prerequisites
- Microsoft Entra ID/Azure AD account
- Sufficient permissions in the organization Entra ID/Azure AD directory
Create an enterprise application
- From the Microsoft Entra ID profile, navigate to Enterprise applications.
- Click New application in the top bar.
- Click Create your own application in the top bar.
- In the following dialog menu, specify the name of the application.
  Tip
  For clarity, we recommend using the value of the Organization Name field in the Profile section of your Lens Business ID.
- In the same menu, select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.
Find the created application in Enterprise applications.
Create a user group
Create a group of users to be synchronized with your Lens Business ID:
- From the Microsoft Entra ID profile, select Groups in the left panel.
- Click New group in the top bar.
- Configure the group parameters and click Create:
  Info
  Find more information in the official Microsoft Entra documentation:

| Parameter | Possible value | Comment |
| --- | --- | --- |
| Group type | Security, Microsoft 365 | Contact Entra administrators before setting this option |
| Group name | group-name | |
| Group email address | group-email@directory-name.onmicrosoft.com | Only with the Microsoft 365 group type |
| Group description | group-description | |
| Membership type | Assigned, Dynamic | Contact Entra administrators before setting this option |
| Owners | Entra directory users | |
| Members | Entra directory users | |

Find the user group in Groups.
Add users to the application
- From the Microsoft Entra ID profile, navigate to Enterprise applications > Application Name > Users and groups.
- Click Add user/group in the top bar.
- In the following menu, configure the following:
  - Specify users and/or user groups
  - Select a role
- Click Assign.
Find added users and user groups in Enterprise applications > Application Name > Users and groups.
Set up SSO
- From the application profile, select Single sign-on > SAML.
- In Basic SAML Configuration, click Edit and configure the following parameters:

| Entra ID parameter | Lens Business ID parameter | Comments |
| --- | --- | --- |
| Identifier (Entity ID) | Service Provider Entity ID | Find this value in Lens Business ID > Authentication |
| Reply URL (Assertion Consumer Service URL) | ACS URL | Find this value in Lens Business ID > Authentication. Use this URL for SSO from Lens Portal (SP-Initiated SSO) |
| Reply URL (Assertion Consumer Service URL) | ACS URL for IdP Initiated Logins | Use this URL for configuring the IdP SSO mode |

- Transfer the Entra ID parameters to Lens Business ID (link Entra ID with LBID from our site):

| Lens Business ID parameter | Entra ID parameter | Comments |
| --- | --- | --- |
| SSO Service URL | Login URL | |
| Identity Provider Entity ID | Microsoft Entra Identifier | |

- In Lens Business ID, click Save Single Sign-On Settings.
- Optional. In Test single sign-on with application-name, click Test and in the following dialog click Test sign in.
- Click Attributes & Claims > Edit to set the format of the required claim.
- Click Unique User Identifier (Name ID) and in the following menu, set the following parameters:

| Parameter | Value |
| --- | --- |
| Name identifier format | Default or Email address |
| Source | Attribute |
| Source attribute | user.mail |

- Assign a user or a user group.
Now users of your Lens Business ID are required to log in to their Lens IDs through SSO. Make sure that all Lens Business ID users are added to the corresponding Entra ID application.
Set up SCIM
Before you start:
- Set up SSO for your enterprise application
- Make sure that you have properly set parameters in step 7 of Set up SSO
- Make sure that your Entra subscription plan allows using SCIM
To enable provisioning (SCIM) in your enterprise application:
- From the application profile, navigate to Provisioning and set the Provisioning Mode to Automatic.
- In the Admin Credentials drop-down list, specify the following parameters:

| Option | Recommended value | Comments |
| --- | --- | --- |
| Tenant URL | Base URL | Find this value in Lens Business ID > Authentication > Base URL |
| Secret Token | API Token | Find this value in Lens Business ID > Authentication > API Token |

- Click Test Connection and then click Save in the top bar.
Now users added to your Entra ID application are automatically provisioned to your Lens Business ID. If Automatic Seat Assignment is enabled, each new user is assigned a subscription seat upon provisioning.
Preventing user-duplication issues
To avoid creating duplicate user accounts, make sure that the following attributes are configured consistently:
- SSO
  emailaddress: user.mail
- SCIM
  emails{type eq "work"}.value: mail
Ensure that user.mail (SSO) and mail (SCIM) always point to the same email.
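
The following Python check is an added example, not part of the Lens or Microsoft documentation. It compares the SSO Name ID value with the SCIM work email for each user and reports the records that risk a duplicate account. The record layout (`saml_name_id`, `scim`) and the sample users are constructed for illustration; how email case is treated when accounts are matched is not stated on this page, so case-only differences are reported separately.

```python
def scim_work_email(scim_user):
    """Return the value of the SCIM emails entry whose type is "work", or None."""
    for entry in scim_user.get("emails", []):
        if str(entry.get("type", "")).lower() == "work" and entry.get("value"):
            return entry["value"].strip()
    return None


def audit(records):
    """Return (userName, status) for every record that risks a duplicate account."""
    findings = []
    for rec in records:
        name_id = (rec.get("saml_name_id") or "").strip() or None
        work = scim_work_email(rec["scim"])
        user = rec["scim"].get("userName", "<unknown>")
        if name_id is None or work is None:
            findings.append((user, "missing"))     # one side carries no email
        elif name_id == work:
            continue                                # consistent, nothing to report
        elif name_id.lower() == work.lower():
            findings.append((user, "case-only"))   # same address, different case
        else:
            findings.append((user, "mismatch"))    # two different addresses
    return findings


# Constructed sample records (not real users). "saml_name_id" is the Name ID
# claim sourced from user.mail; "scim" is a SCIM 2.0 User resource (assumed layout).
SAMPLE = [
    {"saml_name_id": "alice@example.com",
     "scim": {"userName": "alice@example.com",
              "emails": [{"type": "work", "value": "alice@example.com"}]}},
    {"saml_name_id": "bob@example.com",
     "scim": {"userName": "bob@example.com",
              "emails": [{"type": "work", "value": "bob.builder@example.com"}]}},
    {"saml_name_id": "Carol@example.com",
     "scim": {"userName": "carol@example.com",
              "emails": [{"type": "work", "value": "carol@example.com"}]}},
    {"saml_name_id": "dave@example.com",
     "scim": {"userName": "dave@example.com",
              "emails": [{"type": "home", "value": "dave@home.example"}]}},
]


if __name__ == "__main__":
    for user, status in audit(SAMPLE):
        print(f"{status:10} {user}")
```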