What can we help you with?

SCIM Provisioning of Users and Teams with Azure AD

System for Cross-domain Identity Management (a.k.a. SCIM) is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), deprovision (deactivate), and update user data across multiple applications at once. 

To set up SCIM provisioning in Azure AD you will need to have the involvement of both the monday.com admin and the manager of your Azure AD account. 

 

SCIM capabilities supported in monday.com

  • Provisioning of Users
  • Deprovisioning of Users
  • Provisioning of Teams
  • Deprovisioning of Teams
  • Team Renaming
  • Updating User Details
  • Assigning Users to Teams
  • Unassigning Users from Teams

Configuration

Step 1 - Add monday.com to Azure AD

Go to your Azure AD homepage and click "Enterprise Applications" on the left pane.

Then, click the New application button:

mceclip0.png

 

Search for the monday.com application and select it from the search results:

mceclip3.png

 

Give the app a name and click on the "Create" button at the bottom:

mceclip0.png

 

Step 2 - Go to Provisioning

Go to the Provisioning section and click "Get Started".

On the following page, select the "Automatic" Provisioning mode:

mceclip1.png

 

In the "Admin Credentials" section, enter the following:

  • Tenant URL:
    This should be taken from your monday.com account (see instructions below)
  • Secret Token:
    This should be taken from your monday.com account (see instructions below)

Go to monday.com Admin section to retrieve the provisioning token

  • Open up your monday.com account
  • Click on your avatar > Admin
  • Go to the Security section
  • Click on SCIM

mceclip4.png

Here you can generate and copy the provisioning URL and token and then copy and paste into Azure AD.

 

Click Test Connection button to verify the credentials that are authorized for provisioning:

 

mceclip4.png

 

Click "Save" on the left-hand side of the page to save the configuration.

 

Under Mappings, click Provision Azure Active Directory Users:

mceclip0.png

 

Scroll down to the Attribute Mapping table and make sure to delete the userType attribute by clicking the Delete button:

mceclip0.png

 

Click "Save" on the left-hand side of the page to save the configuration.


Important Note: The userType attribute is currently not applicable in the integration. Please make sure to delete it from the attribute mapping, in order for provisioning to work properly.
The userType attribute is aimed to set the user's access level within monday.com (whether the user is an admin, member, viewer, or guest) and this option will be made available in the coming weeks.

 

Under Settings, make sure to set the scope to "Sync only assigned users and groups":

mceclip0.png

 

Important Note: For security measures, we recommend that you verify that the Scope is set to "Sync only assigned users and groups" before starting provisioning. This will ensure that the provisioning will be limited to assigned users/groups only, and that no other Azure AD users will have access to monday.com unintendedly.

 

To start provisioning, set Provisioning Status to "On":

mceclip9.png

 

Click "Save" on the left-hand side of the page to save the Provisioning Status.

 

Note: Provisioning sync is done every 40 minutes. 

 

Set Up User Provisioning

Go back to the application main page, and then go to "Users and groups":


Click "Add user":

mceclip6.png

Then, click "Users and groups":

mceclip12.png

Search for users and select them from the list, and then click the "Select" button at the bottom of the screen.

 

Click the "Assign" button at the bottom-left side:

mceclip14.png

 

Note: If you deprovision a user from the monday.com app, the user will exist in monday.com as an inactive user and will not be counted towards your monday.com user count.

  

Note:  Setting the user type (admin, member, viewer, guest) is done through your monday.com account. Provisioning the user type will be supported in the future.


User Attributes

These fields are supported for mapping user attributes:

  • Name (can’t contain special characters)
  • Email (must be lowercase)
  • Title (user’s position in the company)
  • Active (whether or not a user is enabled or disabled)
Note: Username should always be the user’s email address.

 

Set-Up Team Provisioning

You can provision Groups from Azure AD to monday.com by assigning a Group to the monday.com application. Doing this will create a new Team in your monday.com account with all the users that are assigned to that group in Azure AD.

 

Important Note: If you assign a group to monday.com app within Azure AD, and there is a monday.com team with the same name, then the Azure AD group will replace it.
For privacy measures, we recommend coordinating the team provisioning with the monday.com admin, in order to avoid users losing access to their data or users gaining access unintendedly.

 

To do this, go to the application main page, and then go to "Users and groups":


Click "Add user":

mceclip6.png

 

Then, click "Users and groups":

mceclip13.png

Search for a group and select it from the list, and then click the "Select" button at the bottom.

 

Click the "Assign" button at the bottom-left side:

mceclip15.png

 

 

FAQs

What happens if I change my personal attributes in my monday.com account? 

The sync with Azure AD is a one-way sync, and any changes made to a user profile in the monday.com profile or teams page will be overwritten the next time Azure AD syncs with your account. 

What does this mean? 

  • To change any attributes of the user profile you will need to update them in Azure AD
  • In order to add users to teams or remove users from teams created by Azure AD (see: Set up team's provisioning), you will need to make these changes in Azure AD
  • If you create a Team in monday.com that is not a group in Azure AD it will not be affected by the groups in Azure AD

 

What happens if I add users to a team in my monday.com account? 

If that team is provisioned by Azure AD, these users will eventually be kicked out of the team and replaced by users that are provisioned to the matching Azure AD Group, otherwise when you add users to a team in your monday.com account, they will remain in that team.

 

For any further questions you may have about board permissions, please don't hesitate to reach out to us by sending an email to support@monday.com. We are available for you 24/7!