User Provisioning with Microsoft Entra ID
This document provides step-by-step instructions to create a Netskope SCIM app on Microsoft Entra ID for provisioning users to your Netskope tenant.
Microsoft Entra ID provisioning via SCIM can sync users and groups, including the users within those groups (nested groups are not supported by Azure SCIM).
Microsoft Entra ID provisioning does not support assigning apps to nested groups.
Before You Begin
Ensure that you have the following before you begin creating the Netskope SCIM app.
- If your Netskope tenant is hardened using IP Allowlist (Settings > Administration > IP Allowlist), then ensure that you add the respective source IP addresses of your IdP to the Custom IP list.
- Global admin access to the Microsoft Entra ID admin console.
Creating Netskope SCIM App on Microsoft Entra ID
Log in to your Microsoft Entra admin center (https://entra.microsoft.com) with global admin credentials and follow these steps:
- Go to Applications > Enterprise Applications. Click New Application.
- Search for Netskope User Authentication.
- Enter a Name, for example, Netskope User Provisioning, and click Create.
- Click Provision User Accounts.
- Click Get Started.
- Select Provisioning Mode as Automatic and enter the following:
  - Tenant URL: Enter the REST API v2 URL
    https://<tenant-name>.goskope.com/api/v2/scim
  - Secret Token: Enter the generated token.
    See the SCIM Settings for User Provisioning topic for steps to generate the token and get the REST API v2 URL.
  - Test the connection before saving the configuration; otherwise, an error will occur during the save process.
- In the Entra admin center, click Save.
- Next, set Provisioning Status to ON and click Save.
  The Default SCIM Mappings and Provisioning Scopes are listed under Mappings. You can click the mappings to view details.
- Under the Settings tab, select the option to send email notifications if required (optional), and set the scope to Sync only assigned users and groups.
- Next, add users and groups to provision to the Netskope tenant. Select Users and Groups and select Add user.
- Select Users and Groups, then select the users and groups from the list and click Select.
- Go back to the SCIM app Overview section to monitor the provisioning status.
  The Entra initial sync, for the SCIM provisioning interval, is 40 minutes.
- Click View Audit Logs to view all account-related events, and click Provisioning Logs to view account provisioning status.
- Check Microsoft Entra ID provisioned users in the Netskope UI under Settings > Security Cloud Platform > Users.
- Check Microsoft Entra ID provisioned groups in the Netskope UI under Settings > Security Cloud Platform > Groups.
- The Microsoft Entra ID provisioned Users & Groups will also be available for selection in Real-time Protection.
The SCIM configuration is complete.
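
Because nested groups are not supported, with the scope set to Sync only assigned users and groups only the direct members of an assigned group reach the Netskope tenant. The following added example (not Netskope or Microsoft code; the group names, users and membership map are constructed) lists the users who are reachable only through nesting and would therefore be absent from Settings > Security Cloud Platform > Users.

```python
from collections import deque

# Constructed sample data. group -> direct members; each member is
# ("user", name) or ("group", name). All names are hypothetical.
MEMBERS = {
    "Sales": [("user", "alice"), ("group", "Sales-EMEA")],
    "Sales-EMEA": [("user", "bob"), ("group", "Sales-DE")],
    "Sales-DE": [("user", "carol"), ("group", "Sales")],  # cycle back to Sales
    "Contractors": [("user", "dave")],                    # never assigned
}
ASSIGNED_GROUPS = {"Sales"}  # groups added under Users and Groups
ASSIGNED_USERS = {"erin"}    # users assigned to the SCIM app directly


def provisioning_gap(members, assigned_groups, assigned_users):
    """Return (in_scope, skipped).

    in_scope: users assigned directly or direct members of an assigned group.
    skipped:  user -> nesting path, for users reachable only via nested groups.
    """
    in_scope = set(assigned_users)
    for group in assigned_groups:
        in_scope |= {n for kind, n in members.get(group, []) if kind == "user"}

    skipped = {}
    for root in assigned_groups:
        seen = {root}  # guards against membership cycles
        queue = deque((n, [root, n])
                      for kind, n in members.get(root, []) if kind == "group")
        while queue:
            group, path = queue.popleft()
            if group in seen:
                continue
            seen.add(group)
            for kind, name in members.get(group, []):
                if kind == "user" and name not in in_scope:
                    skipped.setdefault(name, path)  # keep the shortest path
                elif kind == "group":
                    queue.append((name, path + [name]))
    return in_scope, skipped


if __name__ == "__main__":
    synced, missed = provisioning_gap(MEMBERS, ASSIGNED_GROUPS, ASSIGNED_USERS)
    print("Will be provisioned:", sorted(synced))
    for user, path in sorted(missed.items()):
        print(f"NOT provisioned: {user} (only via {' > '.join(path)})")
```

Users reported as not provisioned need to be assigned directly, or their group assigned explicitly, before they appear in the tenant.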