This guide outlines how to install and configure the Azure Active Directory (Azure AD / Microsoft Entra ID) SCIM provisioning app from the Freshservice Marketplace. The SCIM integration allows automated user provisioning, updating, and de-provisioning between Azure AD and Freshservice.


Prerequisites

  • You must be a Freshservice Account Admin (not an Occasional Agent).

  • You need Enterprise Application admin rights in Azure AD.

  • Ensure your Freshservice instance is accessible via the default Freshservice domain (e.g., yourcompany.freshservice.com) during setup.

  • Identify the Azure AD attributes to be mapped to Freshservice user fields (e.g., email, name, title, department).


Step 1: Install the SCIM App in Freshservice

  1. Log in to the Freshservice Admin portal.

  2. Navigate to Admin > Apps > Get More Apps.

  3. Search for Azure AD Provisioning (SCIM) in the Marketplace.

  4. Click Install.

  5. Generate an API Key from an Account Admin profile (avoid using occasional agent credentials).

  6. After installation, the system will provide you with:

    • A SCIM Endpoint URL

    • A Bearer Token

Copy both the SCIM URL and the Bearer Token and store them securely. They are used to configure Azure in Step 3.


Step 2: Create and Configure the Enterprise Application in Azure AD

  1. Sign in to the Azure Portal as a Global Administrator.

  2. Navigate to Azure Active Directory > Enterprise Applications.

  3. Click + New Application > Create your own application.

  4. Name the application (e.g., Freshservice SCIM) and select Integrate any other application you don't find in the gallery.

  5. Click Create.


Step 3: Set Up Provisioning in Azure

  1. In the newly created app, go to the Provisioning section.

  2. Set Provisioning Mode to Automatic.

  3. In the Admin Credentials section, enter:

    • Tenant URL: Use the SCIM URL from Freshservice.

    • Secret Token: Use the Bearer Token from Freshservice.

  4. Click Test Connection to confirm the setup.

  5. If successful, click Save.


Step 4: Configure Attribute Mapping

  1. Under Provisioning > Mappings, click Provision Azure Active Directory Users.

  2. Review and adjust the default mappings:

    • Ensure mail or userPrincipalName is mapped to userName in Freshservice.

    • Optionally map attributes like department, jobTitle, physicalDeliveryOfficeName, etc.

  3. To add custom attributes:

    • Scroll to the bottom and click Show advanced options > Edit attribute list for Freshservice.

    • Add the custom attribute in SCIM format:

      urn:ietf:params:scim:schemas:extension:freshservice:2.0:User:<field_key>

    • Choose the appropriate data type (e.g., String) and click Save.

    • Return to the mapping screen, and click Add New Mapping to map your Azure attribute to this custom SCIM field.


Step 5: Assign Users or Groups

  1. Navigate to the Users and Groups tab.

  2. Click Add User/Group.

  3. Select and assign the users or groups to be provisioned to Freshservice.

  4. Click Assign.


Step 6: Start Provisioning

  1. Go back to the Provisioning tab.

  2. Click Start Provisioning.

Azure will begin syncing users based on your assignments and mappings. Provisioning typically runs every 40 minutes.


Best Practices

  • Map Azure’s mail to Freshservice’s userName to prevent duplicate records.

  • Avoid manual edits to userName in Freshservice once SCIM is enabled.

  • Use Provision on Demand for targeted user testing and troubleshooting.

  • Ensure dropdown fields (like company, region) have valid values in Freshservice or the provisioning will fail.

  • Confirm departments and locations exist in Admin > Departments before syncing.
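
The mapping rules from Step 4 and the checks listed above can be run as a pre-flight lint before you click Start Provisioning. The script below is an added example, not part of the Freshservice app or of Azure. The mapping dictionary, user records and allowed-value list are constructed sample data, and the characters accepted in <field_key> and the case-insensitive duplicate check are assumptions.

```python
import re

# Prefix is from Step 4; the allowed <field_key> characters are an assumption.
EXT_PREFIX = "urn:ietf:params:scim:schemas:extension:freshservice:2.0:User:"
FIELD_KEY = re.compile(r"[A-Za-z][A-Za-z0-9_]*")
IDENTITY_SOURCES = {"mail", "userPrincipalName"}


def check_mappings(mappings):
    """mappings: {Azure AD source attribute: SCIM target attribute}."""
    problems = []
    sources = [s for s, t in mappings.items() if t == "userName"]
    if len(sources) != 1 or sources[0] not in IDENTITY_SOURCES:
        problems.append(f"userName must map from mail or userPrincipalName, got {sources}")
    for source, target in mappings.items():
        if "freshservice" in target.lower():  # custom Freshservice attribute
            key = target[len(EXT_PREFIX):] if target.startswith(EXT_PREFIX) else None
            if key is None or not FIELD_KEY.fullmatch(key):
                problems.append(f"{source}: malformed custom attribute {target!r}")
    return problems


def check_users(users, mappings, allowed):
    """allowed: {SCIM target: set of values that already exist in Freshservice}."""
    problems, seen = [], {}
    name_source = next((s for s, t in mappings.items() if t == "userName"), None)
    for user in users:
        label = user.get("id", "?")
        # Assumption: userName values that differ only in case are duplicates.
        name = (user.get(name_source) or "").strip().lower()
        if not name:
            problems.append(f"{label}: empty {name_source}, no userName to provision")
        elif name in seen:
            problems.append(f"{label}: userName {name} duplicates {seen[name]}")
        else:
            seen[name] = label
        for source, target in mappings.items():
            value = user.get(source)
            if target in allowed and value and value not in allowed[target]:
                problems.append(f"{label}: {target}={value!r} not defined in Freshservice")
    return problems


# Constructed sample data, not exported from any real tenant.
MAPPINGS = {"mail": "userName", "extensionAttribute1": EXT_PREFIX + "region"}
USERS = [
    {"id": "u1", "mail": "Ana@example.com", "extensionAttribute1": "EMEA"},
    {"id": "u2", "mail": "ana@example.com", "extensionAttribute1": "APAC"},
    {"id": "u3", "mail": "bo@example.com", "extensionAttribute1": "Emea"},
]
ALLOWED = {EXT_PREFIX + "region": {"EMEA", "APAC"}}
```

Running check_users on the sample data reports u2 as a duplicate userName and u3 as carrying a region value that does not exist in the dropdown, the two conditions the list above warns about.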


Additional Help

For complex provisioning issues or log interpretation assistance, contact support at: support@effy.co.in