Set up Microsoft Entra ID (Azure AD) SSO/SCIM

Lens premium subscription feature. See details on Lens Pricing.

Info

When you enable SSO authentication and SCIM provisioning, it only applies to users of your Lens Business ID. Users with the same domain but from a different Lens Business ID log in according to the settings of their own Lens Business ID.

On this page, you can find instructions on integration with the Microsoft Entra ID platform (former Azure Active Directory). You can create an enterprise application and configure both SSO and SCIM by associating the Entra ID application with the Lens Business ID. For details, see the Microsoft Entra documentation .

Prerequisites

• Microsoft Entra ID/Azure AD account
• Sufficient permissions in the organization Entra ID/Azure AD directory

---

Create an enterprise application

1. From Microsoft Entra ID profile, navigate to Enterprise applications.
2. Click New application in the top bar.
3. Click Create your own application in the top bar.

4. In the following dialog menu, specify the name of the application.

   Tip

   For clarity purposes, we recommend using the value of the Organization Name field in the Profile section of your Lens Business ID.

5. In the mentioned above menu, select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.

Find the created application in Enterprise applications.

---

Create a user group

Create a group of users to be synchronized with your Lens Business ID:

1. From the Microsoft Entra ID profile, select Groups in the left panel.
2. Click New group in the top bar.

3. Configure the group parameters and click Create:

   Info

   Find more information in the official Microsoft Entra documentation:

   • Learn about group types, membership types, and access management
   • Manage Microsoft Entra groups and group membership

   Parameter	Possible value	Comment
   Group type	Security, Microsoft 365	Contact Entra administrators before setting this option
   Group name	group-name
   Group email address	group-email@directory-name.onmicrosoft.com	Only with the Microsoft 365 group type
   Group description	group-description
   Membership type	Assigned, Dynamic	Contact Entra administrators before setting this option
   Owners	Entra directory users
   Members	Entra directory users

Find the user group in Groups.

---

Add users to the application

1. From the Microsoft Entra ID profile, navigate to Enterprise applications > Application Name > Users and groups.
2. Click Add user/group in the top bar.
3. In the following menu, configure the following:
   • Specify users and/or user groups
   • Select a role
4. Click Assign.

Find added users and user groups in Enterprise applications > Application Name > Users and groups.

---

Set up SSO

1. From the application profile, select Single sign-on > SAML.

2. In Basic SAML Configuration, click Edit and configure the following parameters:

   Entra ID parameter	Lens Business ID parameter	Comments
   Identifier (Entity ID)	Service Provider Entity ID	Find this value in Lens Business ID > Authentication
   Reply URL (Assertion Consumer Service URL)	ACS URL	Find this value in Lens Business ID > Authentication. Use this URL for SSO from Lens Portal (SP-Initiated SSO)
   Reply URL (Assertion Consumer Service URL)	ACS URL for IdP Initiated Logins	Use this URL for configuring the IdP SSO mode

3. Transfer the Entra ID parameters to Lens Business ID (link Entra ID with LBID from our site)

   Lens Business ID parameter	Entra ID parameter	Comments
   SSO Service URL	Login URL
   Identity Provider Entity ID	Microsoft Entra Identifier

4. In Lens Business ID, click Save Single Sign-On Settings.

5. Optional. In Test single sign-on with application-name, click Test and in the following dialog click Test sign in.
6. Click Attributes & Claims > Edit to set the format of the required claim.

7. Click Unique User Identifier (Name ID) and in the following menu, set the following parameters to:

   Parameter	Value
   Name identifier format	Default or Email address
   Source	Attribute
   Source attribute	user.mail

8. Assign a user or a user group.

Now users of your Lens Business ID, are required to log in to their Lens IDs through SSO. Make sure that all Lens Business ID users are added to the corresponding Entra ID application.

---

Set up SCIM

Before you start:

• Set up SSO for your enterprise application
• Make sure that you have properly set parameters in step 7 of Set up SSO
• Your Entra subscription plan allows using SCIM

To enable provisioning (SCIM) in your enterprise application:

1. From the application profile, navigate to Provisioning and set the Provisioning Mode to automatic.

2. In the Admin Credentials drop-down list, specify the following parameters:

   Option	Recommended value	Comments
   Tenant URL	Base URL	Find this value in Lens Business ID > Authentication > Base URL
   Secret Token	API Token	Find this value in Lens Business ID > Authentication > API Token

3. Click Test Connection and then click Save at the top bar.

Now users added to your Entra ID application are automatically provisioned to your Lens Business ID. If Automatic Seat Assignment is enabled, each new user assigned a subscription seat upon provisioning.

---

Preventing user-duplication issues

To avoid creating duplicate user accounts, make sure that the following attributes are configured consistently:

• SSO

    emailaddress: user.mail
  

• SCIM

    emails{type eq "work"}.value: mail
  

Ensure that user.mail (SSO) and mail (SCIM) always point to the same email.