Skip to main content
Skip table of contents

Configure iGrafx for automatic user provisioning

This tutorial describes how to configure the iGrafx platform with Azure AD to have automatic user provisioning and de-provisioning. User provisioning is only available in an iGrafx cloud offering. For more information on how this technology works see this Azure document. 


The following items are required to continue:

  1. An Azure Active Directory tenant
  2. An Enterprise or Dedicated iGrafx Cloud Tenant
  3. A secret token (instructions to generate the token are found below)
  4. A custom tenant identifier (requested via our support page)<identifier>

To create your SCIM directory and generate your secret token: 

The user performing the steps requires Manage user directories server permission

  1. Log into iGrafx Process360 Live Process design
  2. Go to Administration → User Management → Directories
  3. Click Add new directory
  4. Enter the name of the directory
  5. Select directory type SCIM
  6. Click Create directory
  7. Note your SCIM secret token for later use
    Note: To generate a new token, click edit on the SCIM directory and then generate new token

To configure automatic user account provisioning to iGrafx in Azure AD:

  1. In the Azure portal, browse to the Azure Active Directory > Enterprise Apps > All applications section.

  2. Click New Application at the top of the page. 
  3. Click Create your own application
    1. Enter a name in Input Name field
    2. Select "Integrate any other application you don't find in the gallery"
  4. Now click Provisioning Tab
    1. May have to click Get Started button to see the next step
  5. Set the provisioning mode to Automatic
  6. Enter the Tenant URL and Secret Token received in the prerequisites

  7. Click Test Connection to see if your connection was successful ((question) Not successful? Contact our support for further assistance)
  8. Under Settings → Enter an email to receive any synchronization issues

Configuring Mappings

Enable User Mapping 

Now open the mappings dropdown located under the "Admin Credentials" section

  1. Enable Provisioning of Users and select what users you want to synchronize
  2. Select Create, Update, and Delete under target object actions
  3. By default, Azure sets a lot of mappings. iGrafx only needs the following 5 attributes mapped which are included in the defaults set by Azure.

    We suggest changing the defaults to the below, in particular the username must be adjusted to be a valid email address. The mail  attribute is commonly suitable for this.

    iGrafx User AttributeAttribute Mapping Values
    Mapping TypeSource Attribute/ExpressionTarget Attribute
    EmailDirectmailemails[type eq "work"].value
    First nameDirectgivenNamename.givenName
    Last nameDirectsurnamename.familyName

    You can delete these extra Attribute Mappings. If you delete the mappings, the remaining ones should look like this:

  4. Click Save

Enable Group Mapping

  1. Enable Provisioning of Groups and select the group source
  2. Select Create, Update, and Delete under the Target object actions
  3. By default, only the group Attribute Mappings should be properly mapped and look like the following:

    1. If missing either objectId or members, click Add New Mapping and input the following values based on the missing attributes

      Mapping TypeSource Attribute/ExpressionTarget Attribute

      Afterwards, your Attribute Mappings should look like this:

  4. Click Save

Once configured, press save at the top of the main window and synchronization should begin. Synchronization should happen every 40 minutes. 

For more information on how to read the Azure AD provisioning logs, see Reporting on automatic user account provisioning.

Additional resources

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.