Provision Users and Groups using Azure AD (SCIM)
System for Cross-Domain Identity Management (SCIM) is an open standard protocol for the automation of user provisioning.
Automatic provisioning refers to creating users and user groups in Harness. In addition to creating these, automatic provisioning includes the maintenance and removal of users and user groups as and when required.
This topic explains how to configure Azure Active Directory (Azure AD) to automatically provision users or groups to Harness.
In this topic:
- Before You Begin
- Review: Harness Azure AD SCIM Integration
- Step 1: Add Harness from the Gallery
- Step 2: Provision Users to Harness
- Copy Groups
Before You Begin
- This topic assumes you understand the System for Cross-domain Identity Management (SCIM). For an overview, see the article Introduction to System for Cross-domain Identity Management (SCIM).
- Learn Harness' Key Concepts
- Access Management (RBAC) Overview
- Make sure you are an Administrator in your Azure AD account and have the Account Admin permissions in Harness.
- Make sure you have a Harness API Key and a valid Token under it. The API Key must have all permissions on the Users and User Groups.
Review: Harness Azure AD SCIM Integration
By using Azure AD as your identity provider, you can efficiently provision and manage users in your Harness Account, Org and Project. Harness' SCIM integration enables Azure AD to serve as a single identity manager, for adding and removing users, and for provisioning User Groups. This is especially efficient for managing many users.
In exchange for the convenience of Azure AD-provisioned users and groups, you must configure several aspects of Azure AD, as described in the following sections. You will also have restrictions on modifying Azure AD-provisioned users and groups natively within Harness, as described in Limitations.
Once you have set up the SCIM integration between Azure AD and Harness (as described below), Administrators will be able to perform the following Harness actions within Azure AD:
- Create users, individually, in your Harness app.
- Assign Azure AD-defined groups to your Harness app.
- Group push already-assigned groups to Harness.
- Update User Attributes from Azure AD to Harness.
- Deactivate Users in Azure AD and Harness.
This integration does not support updating a configured user's Primary email or Username in Azure AD. (However, you can freely update the Display name field.)
When you provision Harness User Groups and users from Azure AD, you will not be able to modify some of their attributes in Harness Manager. You must do so in Azure AD.
Operations that you cannot perform on Azure AD-provisioned User Groups within Harness Manager are:
- Managing users within the User Group.
- Adding users to the User Group.
- Removing users from the User Group.
- Renaming the User Group.
- Deleting the User Group.
If a User Group provisioned from Azure AD duplicates the name of an existing Harness User Group, Harness will maintain both groups. To prevent confusion, you are free to rename the native User Group (but not the Azure AD-provisioned group).
Where a User Group has been provisioned from Azure AD, you cannot use Harness Manager to edit the member users' details (Email Address, Full Name, or User Groups assignments).
You must use Azure AD to assign these users to other User Groups (to grant corresponding permissions). You must also use Azure AD to delete these users from Harness, by removing them from the corresponding Azure AD app.
Step 1: Add Harness from the Gallery
Before you configure Harness for automatic user provisioning with Azure AD, you need to add Harness from the Azure AD application gallery to your list of managed SaaS applications.
- In the Azure portal, in the left pane, select Azure Active Directory.
- Select Enterprise applications > All applications.
- Click New application to add a new application.
- In the search box, enter Harness, select Harness in the results list, and then select the Add button to add the application. You can now provision users to Harness.
Step 2: Provision Users to Harness
- In your Azure portal, go to Enterprise Applications > All applications.
- In the applications list, select Harness.
- Select Provisioning.
- In the Provisioning Mode drop-down list, select Automatic.
- Under Admin Credentials, do the following:
- In the Tenant URL box, enter
You can obtain your Harness account ID from the Account Overview of your Harness account.
- In the Secret Token box, enter the SCIM Authentication Token value. This is your Harness API token within your API Key. Make sure this key's permissions are inherited from the Account Administrator User Group.
For more information on how to create an API token, see Add and Manage API Keys.
- Select Test Connection to ensure that Azure AD can connect to Harness. If the connection fails, ensure that your Harness account has Admin permissions, and then try again.
- In Settings, in the Notification Email box, enter the email address of a person or group that should receive the provisioning error notifications.
- Select Save.
- Under Mappings, enable Provision Azure Active Directory Groups, and Provision Azure Active Directory Users.
- Click Provision Azure Active Directory Users.
- Under Attribute Mappings, review the user attributes that are synchronized from Azure AD to Harness. The attributes selected as Matching are used to match the user accounts in Harness for update operations. Select Save to commit any changes.
- In Provisioning, click Provision Azure Active Directory Groups.
- Under Attribute Mappings, review the group attributes that are synchronized from Azure AD to Harness. The attributes selected as Matching properties are used to match the groups in Harness for update operations. Select Save to commit any changes.
- To configure scoping filters, see Attribute-based application provisioning with scoping filters.
- In Provisioning, under Settings, to enable the Azure AD provisioning service for Harness, toggle the Provisioning Status switch to On.
- Under Settings, in the Scope drop-down list, select how you want to sync the users or groups that you're provisioning to Harness.
- Click Save.
This operation starts the initial sync of the users or groups you're provisioning. The initial sync takes longer to perform than later ones. Syncs occur approximately every 40 minutes, as long as the Azure AD provisioning service is running. To monitor progress, go to the Synchronization Details section. You can also follow links to a provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Harness.
For more information about how to read the Azure AD provisioning logs, see Report on automatic user account provisioning.
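The steps above configure Azure AD as a SCIM client and Harness as the SCIM service, but the portal hides what actually flows between them. The following added example (it is not Harness or Azure AD code) models that exchange with an in-memory stand-in for the Harness SCIM endpoint: the client authenticates every request with the Secret Token, looks users up by the Matching attribute (userName), creates them with POST when they are absent and updates them with PATCH when they already exist, and deactivates them by setting active to false. It also shows why a changed username is not an update: a lookup on the new userName finds nothing, so a second user is created. The tenant URL, token, user names and attribute mapping are constructed placeholders.

```python
"""Added example (not Harness or Azure AD code): a minimal SCIM 2.0 exchange of the
kind the Azure AD provisioning service performs against a SCIM endpoint.
FakeScimService stands in for the Harness SCIM endpoint; the tenant URL, token
and user data below are constructed placeholders."""
import re

TENANT_URL = "https://scim.example.invalid/scim/v2"  # placeholder, not a real Tenant URL
SECRET_TOKEN = "constructed-example-token"            # placeholder for the API token


class FakeScimService:
    """Server side: an in-memory /Users resource protected by a bearer token."""

    def __init__(self, token):
        self.token = token
        self.users = {}  # id -> SCIM user resource
        self.next_id = 1

    def handle(self, method, path, headers, body=None):
        # Every request must carry the Secret Token configured in Azure AD;
        # a wrong token is exactly what makes "Test Connection" fail.
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, {"detail": "unauthorized"}
        if method == "GET" and path.startswith("/Users"):
            m = re.search(r'filter=userName eq "([^"]+)"', path)
            hits = [u for u in self.users.values()
                    if m is None or u["userName"] == m.group(1)]
            return 200, {"totalResults": len(hits), "Resources": hits}
        if method == "POST" and path == "/Users":
            uid = str(self.next_id)
            self.next_id += 1
            self.users[uid] = {**body, "id": uid}
            return 201, self.users[uid]
        if method == "PATCH" and path.startswith("/Users/"):
            uid = path.rsplit("/", 1)[1]
            if uid not in self.users:
                return 404, {"detail": "not found"}
            for op in body["Operations"]:
                if op["op"].lower() == "replace":
                    self.users[uid][op["path"]] = op["value"]
            return 200, self.users[uid]
        return 400, {"detail": "unsupported"}


class ProvisioningClient:
    """Client side: reconcile one directory user into the SCIM service the way a
    provisioning service does: match on userName, then create or update."""

    def __init__(self, service, token):
        self.service = service
        self.headers = {"Authorization": f"Bearer {token}"}

    def test_connection(self):
        status, _ = self.service.handle("GET", "/Users?count=1", self.headers)
        return status == 200

    def find(self, user_name):
        status, body = self.service.handle(
            "GET", f'/Users?filter=userName eq "{user_name}"', self.headers)
        if status != 200 or not body["totalResults"]:
            return None
        return body["Resources"][0]

    def sync_user(self, user_name, display_name, active=True):
        existing = self.find(user_name)
        if existing is None:
            _, body = self.service.handle("POST", "/Users", self.headers, {
                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                "userName": user_name, "displayName": display_name, "active": active})
            return "created", body
        # Only attributes that differ are patched; an identical user is left alone.
        ops = [{"op": "replace", "path": k, "value": v}
               for k, v in (("displayName", display_name), ("active", active))
               if existing.get(k) != v]
        if not ops:
            return "unchanged", existing
        _, body = self.service.handle("PATCH", f"/Users/{existing['id']}", self.headers, {
            "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": ops})
        return "updated", body


def run_demo():
    """Walk through connection test, create, repeat sync, display-name change,
    deactivation, and a username change; returns the observed outcomes."""
    service = FakeScimService(SECRET_TOKEN)
    wrong = ProvisioningClient(service, "wrong-token")
    good = ProvisioningClient(service, SECRET_TOKEN)
    out = {"wrong_token_connects": wrong.test_connection(),
           "good_token_connects": good.test_connection()}
    out["first"] = good.sync_user("jane@example.invalid", "Jane Doe")[0]
    out["repeat"] = good.sync_user("jane@example.invalid", "Jane Doe")[0]
    out["rename_display"] = good.sync_user("jane@example.invalid", "Jane Smith")[0]
    out["deactivate"] = good.sync_user("jane@example.invalid", "Jane Smith", active=False)[0]
    out["jane"] = good.find("jane@example.invalid")
    # A changed userName does not match the existing record, so it is a new user.
    out["rename_username"] = good.sync_user("jsmith@example.invalid", "Jane Smith")[0]
    out["user_count"] = len(service.users)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

The design point worth noticing is the matching step: because the provisioning service identifies a user by the Matching attribute rather than by the SCIM id, anything that changes that attribute looks like a brand-new user, which is the behaviour behind the note above that the integration does not support updating a configured user's Username.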
Copy Groups
When you provision groups using Azure AD, they get added to your Account scope. To add them to your Org or Project scope, use the Copy option. This copies the specified group to the desired scope.
Any modifications you make to this User Group through SCIM are reflected in the User Groups in the Account scope as well as all other scopes where it has been copied.
Here is an example of copying a group from the Account scope to the Organization scope:
- In Harness, go to Account Settings > Access Control, and click User Groups.
- Click more options (︙) next to the User Group you want to copy.
- Click Copy. The Copy group settings appear.
- Select the Organization where you want this User Group to be copied.
- To copy the User Group to Projects within the scope of this Organization, click Copy to project(s) and then select the Projects.
- The User Group and its members are copied to the selected Organization.