Azure SCIM configuration for Dynatrace

Early Adopter

This topic describes the IdP (Azure) end of your SSO configuration, not the Dynatrace end. Use it as part of the entire SCIM configuration procedure for Dynatrace SaaS if you're using Azure.

While we do our best to provide you with current information, Dynatrace has no control over changes that may be made by third-party providers. Always refer to official third-party documentation as your primary source of information for third-party products.

Integrate Dynatrace SCIM in Azure

To set up SCIM for your domain

  1. Create SCIM application in Azure
  2. Configure provisioning
  3. Configure group mappings
  4. Configure user mappings
  5. Assign users and groups
  6. Enable SCIM

1. Create SCIM application in Azure

In Azure Active Directory

  1. Select Enterprise applications from the Manage section of the menu.

  2. Select New application.

  3. Select Non-gallery application, enter a Name for the new application, and then select Add to start configuring the application in Azure.

2. Configure provisioning

To configure provisioning in Azure, you need the Dynatrace SCIM Base URL and the secret token that you obtained in the Get Dynatrace SCIM endpoint and create secret token procedure.

In Azure Active Directory with your application selected

  1. Select Provisioning from the Manage section of the menu.

  2. In Provisioning Mode, select Automatic.

  3. Expand Admin Credentials.

  4. Enter your admin credentials:

    • Tenant URL
      Example: https://api.sso.dynatrace.com/idm/public/scim/<YOUR_ACCOUNT_ID>/v2
    • Secret Token
      You got this token from Dynatrace.
  5. Select Test Connection to validate the endpoint and credentials.

  6. If the test succeeds, select Save at the top of the page to generate mappings.

    If the test fails, verify your settings:

    • Tenant URL
      Example: https://api.sso.dynatrace.com/idm/public/scim/<YOUR_ACCOUNT_ID>/v2
    • Secret Token
      You created this earlier in the Get a secret token procedure.

3. Optional: configure group mappings

Do this if you need to provision only certain groups in Dynatrace.

In Azure Active Directory with your application selected

  1. On the Provisioning page, expand Mappings.

  2. Select Synchronize Azure Active Directory Groups to customappsso.

  3. Select Source Object Scope.

  4. Select Add scoping filter.

  5. Select Add New Scoping Clause if needed.
    For instance, to filter only groups with names starting with a given prefix:

  6. Select OK on the Add Scoping Filter screen.

  7. Select OK on the Source Object Scope screen.

  8. You can leave all Target Object Actions selected.
    Dynatrace SCIM supports all of these actions.

  9. Set Attribute Mappings as follows:

    Azure Active Directory Attribute    customappsso Attribute
    displayName                         displayName
    objectId                            externalId
    members                             members
  10. Select Save on the Attribute Mapping screen.

4. Configure user mappings

We recommend that you limit the scope of users that are provisioned by SCIM to those with matching email domains to prevent your SCIM requests from being rejected.

To create a filtering rule for users

  1. On the Provisioning page, expand Mappings.

  2. Select Synchronize Azure Active Directory Users to customappsso.

  3. Select Source Object Scope.

  4. Select Add scoping filter.

  5. Select Add New Scoping Clause:

    • Target Attribute: mail
    • Operator: ENDS_WITH
    • Value: @<YOUR_DOMAIN> (for example, @example.com)
  6. Select OK on the Add Scoping Filter screen.

  7. Select OK on the Source Object Scope screen.

  8. You can leave all Target Object Actions selected.
    Dynatrace SCIM supports all of these actions.

  9. Limit Attribute Mappings to the following:

    Azure Active Directory Attribute                          customappsso Attribute
    userPrincipalName                                         userName
    Switch([IsSoftDeleted],,"False","True","True","False")    active
    displayName                                               displayName
    givenName                                                 name.givenName
    surname                                                   name.familyName
  10. Select the Show advanced options checkbox in Attribute Mappings, and then select Edit attribute list for customappsso.

  11. If they are not already selected, select Primary Key and Required for id, and select Required for userName.

  12. Select Save on the Edit Attribute List.

  13. Select Save on the Attribute Mapping screen.
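
A dry run of the scoping clause and attribute mappings above, added here as an example (it is not Dynatrace or Microsoft code): it shows which directory records fall in scope and what active value a soft-deleted user receives. The record layout, the function names, the case-insensitive suffix match, and the RFC 7643 payload shape are assumptions of this sketch.

```python
"""Dry run of the user scoping filter and attribute mappings (added example)."""

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643


def in_scope(user, domain):
    """Scoping clause: mail ENDS_WITH @<YOUR_DOMAIN>.

    Assumption: compared case-insensitively; a missing mail never matches.
    """
    mail = user.get("mail") or ""
    return mail.lower().endswith("@" + domain.lower())


def to_scim(user):
    """Apply the five attribute mappings from the table to one record."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user["userPrincipalName"],
        # Switch([IsSoftDeleted],,"False","True","True","False")
        "active": not user.get("IsSoftDeleted", False),
        "displayName": user["displayName"],
        "name": {"givenName": user["givenName"], "familyName": user["surname"]},
    }


def dry_run(users, domain):
    """Return (payloads in scope, userPrincipalNames left out of scope)."""
    provisioned, skipped = [], []
    for user in users:
        if in_scope(user, domain):
            provisioned.append(to_scim(user))
        else:
            skipped.append(user["userPrincipalName"])
    return provisioned, skipped


def _rec(upn, mail, given, sur, deleted=False):
    return {"userPrincipalName": upn, "mail": mail, "givenName": given,
            "surname": sur, "displayName": given + " " + sur,
            "IsSoftDeleted": deleted}


# Constructed sample directory records (hypothetical, not real accounts).
SAMPLE_USERS = [
    _rec("alice@example.com", "alice@example.com", "Alice", "Ng"),
    _rec("bob@example.com", "bob@EXAMPLE.com", "Bob", "Roy", deleted=True),
    _rec("carol_partner.test#EXT#@example.onmicrosoft.com",
         "carol@partner.test", "Carol", "Diaz"),      # guest, other domain
    _rec("svc-backup@example.com", None, "Svc", "Backup"),  # no mail set
]
```

Comparing the skipped list against the users you intend to assign catches accounts with a missing or foreign mail attribute before provisioning is turned on.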

5. Assign users and groups

To assign users or groups to your application and send them via SCIM to Dynatrace

  1. In the Manage section on the left, select Users and groups and then select Add user.

  2. Select Users and groups in the next window and select the groups or users you want to sync.

6. Enable SCIM

To enable SCIM provisioning

  1. Go to the Settings section at the bottom of the Provisioning screen.

  2. In Scope, select Sync only assigned users and groups.

  3. Turn Provisioning Status on.

In Azure, the initial sync takes longer than subsequent syncs, which occur approximately every 40 minutes as long as the service is running.