Azure SCIM configuration for Dynatrace

Early Adopter

Important

This page describes the IdP (Azure) end of your SCIM SSO configuration, not the Dynatrace end. Use it as part of the entire SCIM configuration procedure for Dynatrace SaaS if you're using Azure.

While we do our best to provide you with current information, Dynatrace has no control over changes that may be made by third-party providers. Always refer to official third-party documentation as your primary source of information for third-party products.

To set up SCIM for your domain

  1. Create SCIM application in Azure
  2. Configure provisioning
  3. Configure group mappings
  4. Configure user mappings
  5. Assign users and groups
  6. Enable SCIM

Create SCIM application in Azure

In Azure Active Directory

  1. Select Enterprise applications from the Manage section of the menu.
    Example: Select 'New application'

  2. Select New application.
    Example: Select 'New application'

  3. Select Non-gallery application, enter a Name for the new application, and then select Add to start configuring the application in Azure.
    Example: Select 'Non-gallery application'

Configure provisioning

To configure provisioning in Azure, you need the Dynatrace SCIM Base URL and the secret token that you obtained in the "Get Dynatrace SCIM endpoint and create secret token" procedure.

In Azure Active Directory with your application selected

  1. Select Provisioning from the Manage section of the menu.

  2. In Provisioning Mode, select Automatic.

    Example: Select 'Automatic'

  3. Expand Admin Credentials.

    Example: Expand 'Admin Credentials'

  4. Enter your admin credentials:

    • Tenant URL
      Example: https://api.sso.dynatrace.com/idm/public/scim/<YOUR_ACCOUNT_ID>/v2
    • Secret Token
      You got this token from Dynatrace.
    Example: Entering 'Admin Credentials'

  5. Select Test Connection to validate the endpoint and credentials.

  6. If the test succeeds, select Save at the top of the page to generate mappings.

    Example: Connection Test Success

    If the test fails, verify your settings:

    • Tenant URL
      Example: https://api.sso.dynatrace.com/idm/public/scim/<YOUR_ACCOUNT_ID>/v2
    • Secret Token
      You created this earlier in the Get a secret token procedure.
    Example: Connection Test Failure

Configure group mappings (optional)

Do this if you need to provision only certain groups in Dynatrace.

In Azure Active Directory with your application selected

  1. On the Provisioning page, expand Mappings.

    Example: Expand 'Mappings'

  2. Select Synchronize Azure Active Directory Groups to customappsso.

    Example: Select 'Synchronize Azure Active Directory Groups to customappsso'

  3. Select Source Object Scope.

    Example: Select 'Source Object Scope'

  4. Select Add scoping filter.

    Example: Select 'Add scoping filter'

  5. Select Add New Scoping Clause if needed.
    For instance, to filter only groups with names starting with a given prefix:

    Example: Select 'Add New Scoping Clause'

  6. Select OK on the Add Scoping Filter screen.

  7. Select OK on the Source Object Scope screen.

  8. You can leave all Target Object Actions selected.
    Dynatrace SCIM supports all of these actions.

  9. Set Attribute Mappings as follows:

    | Azure Active Directory Attribute | customappsso Attribute |
    |---|---|
    | displayName | displayName |
    | objectId | externalId |
    | members | members |

    Example: Set 'Attribute Mappings'

  10. Select Save on the Attribute Mapping screen.

    Example: Save 'Attribute Mappings'

Configure user mappings

We require that you limit the scope of users that are provisioned by SCIM to those with matching email domains to prevent your SCIM requests from being rejected.

To create a filtering rule for users

  1. On the Provisioning page, expand Mappings.

    Example: Expand 'Mappings'

  2. Select Synchronize Azure Active Directory Users to customappsso.

    Example: Select 'Synchronize Azure Active Directory Users to customappsso'

  3. Select Source Object Scope.

    Example: Select 'Source Object Scope'

  4. Select Add scoping filter.

    Example: Select 'Add scoping filter'

  5. Select Add New Scoping Clause:

    • Target Attribute: mail
    • Operator: ENDS_WITH
    • Value: @<YOUR_DOMAIN> (for example, @example.com)
    Example: Create 'New Scoping Clause'

    Keep in mind that subdomains should be verified for the account separately. The @ in the domain string is therefore required: without it, the ENDS_WITH clause would also match addresses in subdomains of <YOUR_DOMAIN>. Including it will guarantee that your requests won't be rejected due to an invalid user domain.

  6. Select OK on the Add Scoping Filter screen.

  7. Select OK on the Source Object Scope screen.

  8. You can leave all Target Object Actions selected.
    Dynatrace SCIM supports all of these actions.

  9. Limit Attribute Mappings to the following:

    | Azure Active Directory Attribute | customappsso Attribute |
    |---|---|
    | userPrincipalName | userName |
    | Switch([IsSoftDeleted],,"False","True","True","False") | active |
    | displayName | displayName |
    | givenName | name.givenName |
    | surname | name.familyName |

    Example: Set 'Attribute Mappings'

  10. Select the Show advanced options check box in Attribute Mappings, and then select Edit attribute list for customappsso.

    Example: Show 'advanced options'

  11. If they are not already selected, select Primary Key and Required for id, and select Required for userName.

    Example: Edit 'Attribute List'

  12. Select Save on the Edit Attribute List.

  13. Select Save on the Attribute Mapping screen.

    Example: Save 'Attribute Mappings'

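The scoping clause from step 5 and the attribute mappings from step 9, run over a constructed user list, as an added example that is not Dynatrace or Microsoft code. The function names, the sample users and the case-insensitive comparison are assumptions; the example goes one step past the page by flagging addresses that would match only if the leading @ were left out of the clause value.

```python
# Added example; not Dynatrace or Microsoft code. Sample users are constructed.

def in_scope(mail, clause_value):
    """Step 5 clause: mail ENDS_WITH clause_value (assumed case-insensitive)."""
    return bool(mail) and mail.lower().endswith(clause_value.lower())

def switch_active(is_soft_deleted):
    """Switch([IsSoftDeleted],,"False","True","True","False"): empty default,
    "False" maps to "True" and "True" maps to "False"."""
    return {"False": "True", "True": "False"}.get(str(is_soft_deleted), "")

def map_user(user):
    """Step 9 mappings, keyed by customappsso attribute name."""
    return {
        "userName": user["userPrincipalName"],
        "active": switch_active(user["IsSoftDeleted"]),
        "displayName": user["displayName"],
        "name.givenName": user["givenName"],
        "name.familyName": user["surname"],
    }

def plan(users, domain):
    """Return (mapped in-scope users, [(userPrincipalName, reason)] skipped)."""
    sent, skipped = [], []
    for user in users:
        mail = user.get("mail")
        if in_scope(mail, "@" + domain):
            sent.append(map_user(user))
        elif in_scope(mail, domain):
            # Would be provisioned if the clause value lacked the leading @.
            skipped.append((user["userPrincipalName"], "matches only without @"))
        else:
            skipped.append((user["userPrincipalName"], "out of scope"))
    return sent, skipped

def _user(upn, mail, given, surname, deleted=False):
    return {"userPrincipalName": upn, "mail": mail, "givenName": given,
            "surname": surname, "displayName": f"{given} {surname}",
            "IsSoftDeleted": deleted}

USERS = [  # constructed directory export
    _user("alice@example.com", "alice@example.com", "Alice", "Ng"),
    _user("bob@example.com", "bob@eu.example.com", "Bob", "Roy"),
    _user("carol@example.com", "carol@notexample.com", "Carol", "Diaz"),
    _user("dave@example.com", None, "Dave", "Kim"),
    _user("erin@example.com", "Erin@Example.com", "Erin", "Ode", deleted=True),
]
```

Calling `plan(USERS, "example.com")` shows that the filter acts on mail rather than userPrincipalName: a user with an empty mail attribute is skipped even though the userPrincipalName is in the verified domain.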

Assign users and groups

To assign users or groups to your application and send them via SCIM to Dynatrace

  1. In the Manage section on the left, select Users and groups and then select Add user.
    Example: Select 'Add user'

  2. Select Users and groups in the next window, and then select the groups or users you want to sync.
    Example: 'Add Assignment'

Enable SCIM

To enable SCIM provisioning

  1. Go to the Settings section at the bottom of the Provisioning screen.
  2. In Scope, select Sync only assigned users and groups.
  3. Turn Provisioning Status on.
    Example: Turn 'Provisioning Status' on

In Azure, the initial sync takes longer than subsequent syncs, which occur approximately every 40 minutes as long as the service is running.