System for Cross-domain Identity Management (a.k.a. SCIM) is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), deprovision (deactivate), and update user data across multiple applications at once.
Setting up SCIM provisioning in Azure AD requires the involvement of both the monday.com admin and the manager of your Azure AD account.
SCIM capabilities supported in monday.com
- Provisioning of Users
- Deprovisioning of Users
- Provisioning of Teams
- Deprovisioning of Teams
- Team Renaming
- Updating User Details
- Assigning Users to Teams
- Unassigning Users from Teams
Configuration
Step 1 - Add monday.com to Azure AD
Go to your Azure AD homepage and click "Enterprise Applications" on the left pane.
Then, click the New application button:
Search for the monday.com application and select it from the search results:
Give the app a name and click on the "Create" button at the bottom:
Step 2 - Go to Provisioning
Go to the Provisioning section and click "Get Started".
On the following page, select the "Automatic" Provisioning mode:
In the "Admin Credentials" section, enter the following:
- Tenant URL: This should be taken from your monday.com account (see instructions below)
- Secret Token: This should be taken from your monday.com account (see instructions below)
Go to the monday.com Admin section to retrieve the provisioning token:
- Open up your monday.com account
- Click on your avatar > Admin
- Go to the Security section
- Click on SCIM
Here you can generate the provisioning URL and token, then copy and paste them into Azure AD.
Click the Test Connection button to verify that the credentials are authorized for provisioning:
Click "Save" on the left-hand side of the page to save the configuration.
Under Mappings, click Provision Azure Active Directory Users:
Scroll down to the Attribute Mapping table and make sure to delete the userType attribute by clicking the Delete button:
Click "Save" on the left-hand side of the page to save the configuration.
The userType attribute is intended to set the user's access level within monday.com (whether the user is an admin, member, viewer, or guest); this option will be made available in the coming weeks.
Under Settings, make sure to set the scope to "Sync only assigned users and groups":
To start provisioning, set Provisioning Status to "On":
Click "Save" on the left-hand side of the page to save the Provisioning Status.
Set Up User Provisioning
Go back to the application main page, and then go to "Users and groups":
Click "Add user":
Then, click "Users and groups":
Search for users and select them from the list, and then click the "Select" button at the bottom of the screen.
Click the "Assign" button at the bottom-left side:
User Attributes
These fields are supported for mapping user attributes:
- Name (can’t contain special characters)
- Email (must be lowercase)
- Title (user’s position in the company)
- Active (whether or not a user is enabled or disabled)
Set-Up Team Provisioning
You can provision Groups from Azure AD to monday.com by assigning a Group to the monday.com application. Doing this will create a new Team in your monday.com account with all the users that are assigned to that group in Azure AD.
For privacy reasons, we recommend coordinating team provisioning with the monday.com admin to avoid users losing access to their data or unintentionally gaining access.
To do this, go to the application main page, and then go to "Users and groups":
Click "Add user":
Then, click "Users and groups":
Search for a group and select it from the list, and then click the "Select" button at the bottom.
Click the "Assign" button at the bottom-left side:
FAQs
What happens if I change my personal attributes in my monday.com account?
The sync with Azure AD is a one-way sync, and any changes made to a user profile in the monday.com profile or teams page will be overwritten the next time Azure AD syncs with your account.
What does this mean?
- To change any attributes of the user profile you will need to update them in Azure AD
- To add users to or remove users from teams created by Azure AD (see: Set-Up Team Provisioning), you will need to make these changes in Azure AD
- If you create a Team in monday.com that is not a group in Azure AD, it will not be affected by the groups in Azure AD
What happens if I add users to a team in my monday.com account?
If that team is provisioned by Azure AD, these users will eventually be removed from the team and replaced by the users provisioned to the matching Azure AD Group. Otherwise, users you add to a team in your monday.com account will remain in that team.
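The one-way sync described in these FAQs can be previewed as an access review before it runs. The sketch below is an added example, not monday.com or Azure AD code: it compares constructed membership exports and reports which team members the next sync would remove or add. It assumes teams are matched to Azure AD groups by name, and all group, team and user names are hypothetical.

```python
# Added example: preview of what a one-way Azure AD -> monday.com sync would change.
# All data is constructed. Assumption: a team is matched to its group by name.

AZURE_GROUPS = {  # groups assigned to the monday.com app -> member emails
    "Marketing": ["ana@example.com", "Bo@example.com"],
    "Finance": ["cy@example.com"],
}
MONDAY_TEAMS = {  # teams currently in monday.com -> member emails
    "Marketing": ["ana@example.com", "dee@example.com"],  # dee was added by hand
    "Finance": ["cy@example.com"],
    "Offsite Crew": ["dee@example.com"],  # created in monday.com only
}


def sync_preview(azure_groups, monday_teams):
    """Return the changes the next sync is expected to make, per team."""
    report = {"invalid_emails": [], "teams": {}}
    for name, members in sorted(azure_groups.items()):
        # The Email attribute must be lowercase: flag source values that are not.
        report["invalid_emails"] += [m for m in members if m != m.lower()]
        # Compare case-insensitively so a casing issue is not reported as drift.
        source = {m.lower() for m in members}
        current = {m.lower() for m in monday_teams.get(name, [])}
        report["teams"][name] = {
            # Members added inside monday.com: overwritten by the sync.
            "will_be_removed": sorted(current - source),
            # Group members not yet on the team: provisioned by the sync.
            "will_be_added": sorted(source - current),
        }
    # Teams with no Azure AD group are not affected by the sync.
    report["unmanaged_teams"] = sorted(set(monday_teams) - set(azure_groups))
    return report


if __name__ == "__main__":
    preview = sync_preview(AZURE_GROUPS, MONDAY_TEAMS)
    for team, change in preview["teams"].items():
        print(team, change)
    print("unmanaged:", preview["unmanaged_teams"])
    print("non-lowercase emails:", preview["invalid_emails"])
```

Entries under will_be_removed are the ones to review with the monday.com admin, since those users lose team access once Azure AD syncs.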
For any further questions you may have about board permissions, please don't hesitate to reach out to us by sending an email to support@monday.com. We are available for you 24/7!