
Set up Microsoft Entra ID (Azure AD) SSO/SCIM

Lens premium subscription feature. See details on Lens Pricing.

Info

When you enable SSO authentication and SCIM provisioning, it only applies to users of your Lens Business ID. Users with the same domain but from a different Lens Business ID log in according to the settings of their own Lens Business ID.

This page explains how to integrate with the Microsoft Entra ID platform (formerly Azure Active Directory). You create an enterprise application and configure both SSO and SCIM by associating the Entra ID application with the Lens Business ID. For details, see the Microsoft Entra documentation.

Prerequisites

  • Microsoft Entra ID/Azure AD account
  • Sufficient permissions in the organization Entra ID/Azure AD directory

Create an enterprise application

  1. From the Microsoft Entra ID profile, navigate to Enterprise applications.
  2. Click New application in the top bar.
  3. Click Create your own application in the top bar.
  4. In the following dialog menu, specify the name of the application.

    Tip

    For clarity purposes, we recommend using the value of the Organization Name field in the Profile section of your Lens Business ID.

  5. In the same dialog, select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.

Find the created application in Enterprise applications.


Create a user group

Create a group of users to be synchronized with your Lens Business ID:

  1. From the Microsoft Entra ID profile, select Groups in the left panel.
  2. Click New group in the top bar.
  3. Configure the group parameters and click Create:

    | Parameter | Possible value | Comment |
    |---|---|---|
    | Group type | Security, Microsoft 365 | Contact Entra administrators before setting this option |
    | Group name | group-name | |
    | Group email address | group-email@directory-name.onmicrosoft.com | Only with the Microsoft 365 group type |
    | Group description | group-description | |
    | Membership type | Assigned, Dynamic | Contact Entra administrators before setting this option |
    | Owners | Entra directory users | |
    | Members | Entra directory users | |

Find the user group in Groups.


Add users to the application

  1. From the Microsoft Entra ID profile, navigate to Enterprise applications > Application Name > Users and groups.
  2. Click Add user/group in the top bar.
  3. In the following menu, configure the following:
    • Specify users and/or user groups
    • Select a role
  4. Click Assign.

Find added users and user groups in Enterprise applications > Application Name > Users and groups.


Set up SSO

  1. From the application profile, select Single sign-on > SAML.
  2. In Basic SAML Configuration, click Edit and configure the following parameters:

    | Entra ID parameter | Lens Business ID parameter | Comments |
    |---|---|---|
    | Identifier (Entity ID) | Service Provider Entity ID | Find this value in Lens Business ID > Authentication |
    | Reply URL (Assertion Consumer Service URL) | ACS URL | Find this value in Lens Business ID > Authentication. Use this URL for SSO from Lens Portal (SP-Initiated SSO) |
    | Reply URL (Assertion Consumer Service URL) | ACS URL for IdP Initiated Logins | Use this URL for configuring the IdP SSO mode |

  3. Transfer the Entra ID parameters to Lens Business ID (link Entra ID with LBID from our site):

    | Lens Business ID parameter | Entra ID parameter | Comments |
    |---|---|---|
    | SSO Service URL | Login URL | |
    | Identity Provider Entity ID | Microsoft Entra Identifier | |

  4. In Lens Business ID, click Save Single Sign-On Settings.

  5. Optional. In Test single sign-on with application-name, click Test and in the following dialog click Test sign in.
  6. Click Attributes & Claims > Edit to set the format of the required claim.
  7. Click Unique User Identifier (Name ID) and in the following menu, set the following parameters to:

    | Parameter | Value |
    |---|---|
    | Name identifier format | Default or Email address |
    | Source | Attribute |
    | Source attribute | user.mail |

  8. Assign a user or a user group.

Users of your Lens Business ID are now required to log in to their Lens IDs through SSO. Make sure that all Lens Business ID users are added to the corresponding Entra ID application.


Set up SCIM

Before you start:

  • Set up SSO for your enterprise application
  • Make sure that you have properly set parameters in step 7 of Set up SSO
  • Make sure that your Entra subscription plan allows using SCIM

To enable provisioning (SCIM) in your enterprise application:

  1. From the application profile, navigate to Provisioning and set the Provisioning Mode to Automatic.
  2. In the Admin Credentials drop-down list, specify the following parameters:

    | Option | Recommended value | Comments |
    |---|---|---|
    | Tenant URL | Base URL | Find this value in Lens Business ID > Authentication > Base URL |
    | Secret Token | API Token | Find this value in Lens Business ID > Authentication > API Token |

  3. Click Test Connection and then click Save in the top bar.

Users added to your Entra ID application are now automatically provisioned to your Lens Business ID. If Automatic Seat Assignment is enabled, each new user is assigned a subscription seat upon provisioning.


Preventing user-duplication issues

To avoid creating duplicate user accounts, make sure that the following attributes are configured consistently:

  • SSO

      emailaddress: user.mail
    
  • SCIM

      emails{type eq "work"}.value: mail
    

Ensure that user.mail (SSO) and mail (SCIM) always point to the same email.
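
One way to check this consistency for a test user is to compare the email carried in a captured SAML assertion with the work email in the SCIM payload provisioned for the same user. The script below is an added example, not part of the Lens or Microsoft documentation; the sample assertion and SCIM user are constructed, the function names are hypothetical, and the case-insensitive comparison is an assumption about how the two values should be matched.

```python
import json
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: only the identity-bearing parts of a SAML assertion.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: SCIM user whose work email drifted away from user.mail.
SAMPLE_SCIM = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@example.onmicrosoft.com",
    "emails": [{"type": "work", "value": "alice.smith@example.com"}],
})

def saml_emails(xml_text):
    """Return (NameID, emailaddress claim) from an assertion; '' if absent."""
    # For trusted test captures only; this does not validate the signature.
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", "", NS)
    claim = ""
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            claim = attr.findtext("saml:AttributeValue", "", NS)
    return name_id.strip(), claim.strip()

def scim_work_email(scim_json):
    """Return the work email the SCIM mapping provisions; '' if absent."""
    for entry in json.loads(scim_json).get("emails", []):
        if entry.get("type") == "work":
            return (entry.get("value") or "").strip()
    return ""

def find_mismatches(xml_text, scim_json):
    """List how the SSO and SCIM emails disagree (empty list = consistent)."""
    name_id, claim = saml_emails(xml_text)
    work = scim_work_email(scim_json)
    problems = [] if work else ["SCIM user has no work email"]
    for label, value in (("NameID", name_id), ("emailaddress claim", claim)):
        if not value:
            problems.append(f"SAML {label} is empty")
        elif value.casefold() != work.casefold():  # assumption: case-insensitive
            problems.append(f"SAML {label} {value!r} != SCIM work email {work!r}")
    return problems
```

An empty list from `find_mismatches` means both sides resolve to the same address; any entry identifies which value needs to be corrected before the user signs in.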