Configure iGrafx for automatic user provisioning

This tutorial describes how to configure the iGrafx platform with Azure AD to have automatic user provisioning and de-provisioning. User provisioning is only available in an iGrafx cloud offering. For more information on how this technology works see this Azure document.

Prerequisites

The following items are required to continue:

An Azure Active Directory tenant
An Enterprise or Dedicated iGrafx Cloud Tenant
A secret token (instructions to generate the token are found below)
A custom tenant identifier (requested via our support page) https://scim.igrafxcloud.com/scim/v2/<identifier>

To create your SCIM directory and generate your secret token

The user performing the steps requires Manage user directories server permission

Log into iGrafx Process360 Live Process design
Go to Administration → User Management → Directories
Click Add new directory
Enter the name of the directory
Select directory type SCIM
Click Create directory
Note your SCIM secret token for later use
Note: To generate a new token, click edit on the SCIM directory and then generate new token

To configure automatic user account provisioning to iGrafx in Azure AD:

In the Azure portal, browse to the Azure Active Directory > Enterprise Apps > All applications section.
Click New Application at the top of the page.
Click Create your own application
1. Enter a name in Input Name field
2. Select "Integrate any other application you don't find in the gallery"
Now click Provisioning Tab
1. May have to click Get Started button to see the next step
Set the provisioning mode to Automatic
Enter the Tenant URL and Secret Token received in the prerequisites
Click Test Connection to see if your connection was successful ( Not successful? Contact our support for further assistance)
Under Settings → Enter an email to receive any synchronization issues
Click Save
Open the Mappings accordion that appears after saving

Configuring Mappings

Enable User Mapping

Now open the mappings dropdown located under the "Admin Credentials" section

Enable Provisioning of Users
Select Create, Update, and Delete under target object actions

By default, Azure Entra ID defines a large number of mappings. iGrafx only needs the following 5 attributes mapped which are listed below.

We suggest changing the defaults to the below, in particular the username must be adjusted to be a valid email address. The mail attribute is commonly available for this.

iGrafx User Attribute	Attribute Mapping Values
iGrafx User Attribute	Mapping Type	Source Attribute/Expression	Target Attribute
Username	Direct	mail	userName
Enabled	Expression	Not([IsSoftDeleted])	active
Email	Direct	mail	emails[type eq "work"].value
First name	Direct	givenName	name.givenName
Last name	Direct	surname	name.familyName

You can delete all other extra Attribute Mappings. The remaining ones should look like this:

Click Save at the top

Enable Group Mapping

Enable Provisioning of Groups
Select Create, Update, and Delete under the Target object actions
Change the Group Attribute mappings as follows
1. If objectId or members is missing in your mappings, click Add New Mapping and configure them as shown below
  Mapping Type Source Attribute/Expression Target Attribute
  Direct members members
  Direct objectId externalId
Click Save
Once both user and group mappings are configured, press Save at the top of the main window.

Configure Users and Groups to provision

To select which users and groups are synchronized, go to the Users and Groups blade on your Enterprise application, and choose the users and groups you would like to have provisioned:

Once you have selected the users and groups you would like to provision, the synchronization should run every 40 minutes and create your users and groups as configured.

For more information on how to read the Azure AD provisioning logs, see Reporting on automatic user account provisioning.