❶ Activating SCIM on Riot
Connect to your Riot workspace, and go to Settings > Workforce.
There is a section called “SCIM Provisioning”. Click the “Connect” button to get started.
Select “Microsoft” as your identity provider, and click “Continue”.
As the first step, you will need to connect via SSO with Microsoft.
Click the “Connect” button, and sign in to Microsoft. You will be redirected back to Riot after the sign-in is complete.
❷ Creating a Microsoft Entra application for SCIM provisioning
Connect to the Microsoft Entra admin center. In the left sidebar, go to Entra ID > Enterprise apps.
Click “New application”. This will lead you to the Microsoft Entra App Gallery.
Click “Create your own application”.
In the right panel that just opened, enter “Riot SCIM Provisioning”. Any name will do, so you can use something else if you prefer. Make sure the option “Integrate any other application you don't find in the gallery (Non-gallery)” is selected.
Click “Create”.
After the application is created, you will be redirected to the application settings.
Go to “Provisioning”.
Click “Connect your application”.
Make sure that “Bearer Authentication” is selected for the field “Select authentication method”.
Go to Riot, and copy the “SCIM Endpoint URL” into the “Tenant URL” field in Microsoft Entra.
Click “Generate Bearer Token” on Riot, and copy the value into the “Secret Token” field in Microsoft Entra.
Click “Test Connection”. A toast notification should appear and tell you the test was successful.
You can now click “Create”.
❸ Configuring the provisioning of groups
Go to “Attribute Mapping”.
The default configuration is to allow provisioning of groups. If you do not want Microsoft Entra to create groups in Riot, click “Provision Microsoft Entra ID Groups” and, in the following screen, make sure to switch the “Enabled” option to “No” and click “Save”.
The recommended Attribute Mappings for groups are the default configuration, as illustrated in the following screenshot:
❹ Configuring the provisioning of employees
Go to “Attribute Mapping” one more time, and click “Provision Microsoft Entra ID Users”.
The default configuration of the “Attribute Mapping” section sends data that the Riot platform cannot actually use, so we will need to make the following modifications:
displayName: Delete
emails[type eq "work"].value:
If the “mail” attribute is properly filled in your Entra tenant, you can leave it as it is.
If the “mail” attribute is not properly filled in your Entra tenant, and you use emails as the userPrincipalName, you can click “Edit” and select “userPrincipalName” as the Source Attribute instead.
name.formatted: Delete
Everything containing “addresses[type eq "work"]”: Delete
Everything containing “phoneNumber”: Delete
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber: Delete
Click “Save” to save the changes made so far.
externalId: Edit > Select “objectId” in the “Source attribute” option and click “OK”
Click “Save”.
Click “Show advanced options”, and then “Edit attribute list for customappsso”, and make the following changes:
emails[type eq "work"].value: Click Required
name.givenName: Click Required
name.familyName: Click Required
The recommended Attribute Mappings are illustrated in the following screenshot:
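As an added example (not code from Riot or Microsoft), the Python below audits a SCIM 2.0 User payload against the mapping described in this step: the three required attributes and externalId must be present, and the deleted attributes must be absent. The function names and both sample payloads are constructed for illustration, and the payload shape is assumed to follow the SCIM 2.0 core User schema.

```python
# Added example (not Riot or Microsoft code); sample payloads are constructed.
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

def work_email(user):
    """Value selected by emails[type eq "work"].value, or None."""
    for entry in user.get("emails") or []:
        if entry.get("type") == "work" and entry.get("value"):
            return entry["value"]
    return None

def check_user(user):
    """Return findings; an empty list means the payload matches the mapping."""
    name, findings = user.get("name") or {}, []
    # Attributes marked "Required" in the advanced attribute list.
    if not work_email(user):
        findings.append('missing emails[type eq "work"].value')
    for sub in ("givenName", "familyName"):
        if not name.get(sub):
            findings.append(f"missing name.{sub}")
    # externalId is mapped from the Entra objectId.
    if not user.get("externalId"):
        findings.append("missing externalId")
    # Attributes deleted from the mapping should no longer be sent.
    unexpected = {
        "displayName": "displayName" in user,
        "name.formatted": "formatted" in name,
        "work address": any(a.get("type") == "work" for a in user.get("addresses") or []),
        "phoneNumbers": bool(user.get("phoneNumbers")),
        "employeeNumber": "employeeNumber" in (user.get(ENTERPRISE) or {}),
    }
    return findings + [f"unexpected {k}" for k, hit in unexpected.items() if hit]

GOOD_USER = {  # constructed sample matching the mapping above
    "schemas": [CORE], "userName": "alice@example.com",
    "externalId": "00000000-0000-0000-0000-000000000001",
    "name": {"givenName": "Alice", "familyName": "Example"},
    "emails": [{"type": "work", "primary": True, "value": "alice@example.com"}],
}
BAD_USER = {  # constructed sample that still carries attributes the guide removes
    "schemas": [CORE, ENTERPRISE], "userName": "bob@example.com",
    "displayName": "Bob Example", "name": {"givenName": "Bob", "formatted": "Bob Example"},
    "emails": [{"type": "home", "value": "bob@home.example"}],
    "phoneNumbers": [{"type": "mobile", "value": "+1 555 0100"}],
    ENTERPRISE: {"employeeNumber": "1234"},
}
if __name__ == "__main__":
    for sample in (GOOD_USER, BAD_USER):
        print(sample["userName"], check_user(sample) or "OK")
```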
❺ Configuring the remaining settings
In the application settings, go to “Provisioning” and click “Settings” to reveal some additional settings that might be of interest:
Send an email notification when a failure occurs: Enable this if you want to be notified in case of errors during the provisioning, enter your email address, and click “Save”.
Scope: By default, Entra will provision only assigned users and groups. If you want to provision all users and all groups, you can select this here, and click “Save”.
If you kept the Scope on “Sync only assigned users and groups”, now is the time to assign them.
Go to “Users and groups” and click “Add user/group”.
Click “None Selected” and select some users and/or groups, and click “Assign”.
❻ Trying the provisioning on a few users
If you want to try on a few users, go to “Provisioning on Demand” and search for the users and/or groups you want to provision on demand. If provisioning a group, you will need to pick at most 5 users for the provisioning on demand, and then click “Provision” to see if it works.
❼ Start the provisioning
When you are ready, go to “Overview”, and click “Start Provisioning”.
Provisioning happens at fixed hours during the day, every 40 minutes. This means the provisioning will not start immediately, and you will have to wait before the Microsoft Entra Provisioning Service provisions all your users and groups.