Azure SCIM configuration for Dynatrace

Early Adopter

This page describes the IdP (Azure) end of your SCIM SSO configuration, not the Dynatrace end. Use it as part of the entire SCIM configuration procedure for Dynatrace SaaS if you're using Azure.

While we do our best to provide you with current information, Dynatrace has no control over changes that may be made by third-party providers. Always refer to official third-party documentation as your primary source of information for third-party products.

To set up SCIM for your domain

Create SCIM application in Azure

Configure provisioning

Configure group mappings

Configure user mappings

Assign users and groups

Enable SCIM

Create SCIM application in Azure

In Azure Active Directory

Select Enterprise applications from the Manage section of the menu.
Example: Select 'New application'
Select New application.
Example: Select 'New application'
Select Non-gallery application, enter a Name for the new application, and then select Add to start configuring the application in Azure.
Example: Select 'Non-gallery application'

Configure provisioning

To configure provisioning in Azure, you will need the Dynatrace SCIM Base URL and a secret token you got in the Get Dynatrace SCIM endpoint and create secret token procedure.

In Azure Active Directory with your application selected

Select Provisioning from the Manage section of the menu.
In Provisioning Mode, select Automatic.

Example: Select 'Automatic'
Expand Admin Credentials.

Example: Expand 'Admin Credentials'
Enter your admin credentials:
- Tenant URL
  Example: https://api.sso.dynatrace.com/idm/public/scim/<YOUR_ACCOUNT_ID>/v2
- Secret Token
  You got this token from Dynatrace.
Example: Entering 'Admin Credentials'
Select Test Connection to validate the endpoint and credentials.
If the test succeeds, select Save at the top of the page to generate mappings.

Example: Connection Test Success
If the test fails, verify your settings:
- Tenant URL
  Example: https://api.sso.dynatrace.com/idm/public/scim/<YOUR_ACCOUNT_ID>/v2
- Secret Token
  You created this earlier in the Get a secret token procedure.
Example: Connection Test Failure

Configure group mappings optional

Do this if you need to provision only certain groups in Dynatrace.

In Azure Active Directory with your application selected

On the Provisioning page, expand Mappings.

Example: Expand 'Mappings'
Select Synchronize Azure Active Directory Groups to customappsso.

Example: Select 'Synchronize Azure Active Directory Groups to customappsso'
Select Source Object Scope.

Example: Select 'Source Object Scope'
Select Add scoping filter.

Example: Select 'Add scoping filter'
Select Add New Scoping Clause if needed.
For instance, to filter only groups with names starting with a given prefix:

Example: Select 'Add New Scoping Clause'
Select OK on the Add Scoping Filter screen.
Select OK on the Source Object Scope screen.
You can leave all Target Object Actions selected.
Dynatrace SCIM supports all of these actions.
Set Attribute Mappings as follows:

Azure Active Directory Attribute customappsso Attribute
displayName
displayName
objectId
externalId
members
members

Example: Set 'Attribute Mappings'
Select Save on the Attribute Mapping screen.

Example: Save 'Attribute Mappings'

Azure Active Directory Attribute	customappsso Attribute
`displayName`	`displayName`
`objectId`	`externalId`
`members`	`members`

Configure user mappings

We require that you limit the scope of users that are provisioned by SCIM to those with matching email domains to prevent your SCIM requests from being rejected.

To create a filtering rule for users

On the Provisioning page, expand Mappings.

Example: Expand 'Mappings'
Select Synchronize Azure Active Directory Users to customappsso.

Example: Select 'Synchronize Azure Active Directory Users to customappsso'
Select Source Object Scope.

Example: Select 'Source Object Scope'
Select Add scoping filter.

Example: Select 'Add scoping filter'
Select Add New Scoping Clause:
- Target Attribute: mail
- Operator: ENDS_WITH
- Value: @<YOUR_DOMAIN> (for example, @example.com)
Example: Create 'New Scoping Clause'

Please keep in mind that subdomains should be verified for the account separately. Therefore, the @ in the domain string is required and will guarantee that your requests won't be rejected due to an invalid user domain.
Select OK on the Add Scoping Filter screen.
Select OK on the Source Object Scope screen.
You can leave all Target Object Actions selected.
Dynatrace SCIM supports all of these actions.

Limit Attribute Mappings to the following:

Azure Active Directory Attribute	customappsso Attribute
`userPrincipalName`	`userName`
`Switch([IsSoftDeleted],,"False","True","True","False")`	`active`
`displayName`	`displayName`
`givenName`	`name.givenName`
`surname`	`name.familyName`

Example: Set 'Attribute Mappings'

Select Show advanced options check box in Attribute Mappings and click on Edit attribute list for customappsso.

Example: Show 'advanced options'
If not selected, select Primary Key and Required for id and select Required for userName.

Example: Edit 'Attribute List'
Select Save on the Edit Attribute List.
Select Save on the Attribute Mapping screen.

Example: Save 'Attribute Mappings'

Assign users and groups

To assign users or groups to your application and send them via SCIM to Dynatrace

In the Manage section on the left, select Users and groups and then select Add user.
Example: Select 'Add user'
Select Users and groups in the next window and select groups or users you want to sync.
Example: 'Add Assignment'

Enable SCIM

To enable SCIM provisioning

Go to the Settings section at the bottom of Provisioning screen.
In Scope, select Sync only assigned users and groups.
Turn Provisioning Status on.
Example: Turn 'Provisioning Status' on

In Azure, the initial sync takes longer than subsequent syncs, which occur approximately every 40 minutes as long as the service is running.