Auto-Provisioning and Deprovisioning Users from M365 into MSP Process

Overview:

Onboarding and offboarding employees is something MSPs always look to make as efficient as possible. By taking advantage of Microsoft's support for the SCIM protocol, it's easy to provide your technicians with access to MSP Process simply by adding and removing them from Security Groups in Microsoft 365. This KB article will walk you through the steps you'll need to follow.

Creating the Enterprise Application in Microsoft Azure

  1. Launch the Azure management portal (https://portal.azure.com)
  2. Browse to Microsoft Entra ID.
  3. On the left side select Enterprise applications.
  4. At the top of the page select + New application.
  5. Select the + Create your own application.
  6. Add the name of the application, for instance MSP Process SCIM.
  7. Select the radio button Integrate any other application you don't find in the gallery (Non-gallery) and click Create.
  8. On the left side under Manage select Provisioning.
  9. Again, on the left side under Manage, select Provisioning.
  10. Change the Provisioning Mode to Automatic.
  11. Expand Admin Credentials.

Grabbing the Tenant URL and Secret Token from MSP Process

  1. In a separate browser tab, log in to the MSP Process platform (https://app.mspprocess.com) as an Admin-level user.
  2. Navigate to the Settings -> User Management -> SSO page and find the Tenant URL and Secret Token fields.
  3. Return to the Azure portal tab.

Finishing the Configuration of the Enterprise Application in Microsoft Azure

  1. In the Admin Credentials section of the Enterprise application, make sure that Authentication Method is Bearer Authentication.
  2. Paste the found Tenant URL and Secret Token to the fields under Authentication Method.
  3. Click Test Connection.
  4. If it’s successful, then Save the configuration.
  5. Expand the Mappings section.
  6. Click on Provision Microsoft Entra ID Groups, make it disabled and Save the change.
  7. Click on Provision Microsoft Entra ID Users.
  8. Make sure that the following attribute mappings are set:

  customappsso Attribute      Microsoft Entra ID Attribute
  userName                    userPrincipalName
  displayName                 displayName
  externalId                  objectId

  9. Click the Add New Mapping button at the bottom of the page.
  10. Configure it as shown below:
    • Mapping Type = Expression
    • Expression = SingleAppRoleAssignment([appRoleAssignments])
    • Target Attribute = roles[primary eq "True"].value
  11. Save the user mappings changes.
  12. In a new browser tab, log in to Azure, go to App registrations and find the App Registration that was created for this application.
  13. On the left side under Manage select App roles.
  14. Remove the User role:
    1. Edit the User role, and uncheck the Do you want to enable this app role? option.
    2. Save the change.
    3. Edit the User role again, and click the Delete button.
  15. Add Admin and Technician roles. Both the Display name and the Value need to exactly match "Admin" or "Technician", as this value is what assigns the user a specific role in MSP Process.
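The following Python script is an added illustration, not code from MSP Process or Microsoft, of what the configuration above produces: it applies the four attribute mappings and the SingleAppRoleAssignment expression to a constructed Entra user record and builds the SCIM 2.0 User body that Entra would POST to the Tenant URL, rejecting a role value that is not exactly "Admin" or "Technician". It also shows a constant-time check of the Bearer Authentication header from the Admin Credentials step, to make the point that the Secret Token is a credential that grants user creation and deactivation at the SCIM endpoint. The behaviour of raising when a user holds zero or several app role assignments is an assumption of this example (Microsoft documents the expression as expecting a single assignment); the sample user data is constructed.

```python
import hmac
import json

# Role values MSP Process recognises; the App Role Value in Entra must match exactly (per the KB).
ALLOWED_ROLES = ("Admin", "Technician")


def single_app_role_assignment(app_role_assignments):
    """Model of Entra's SingleAppRoleAssignment([appRoleAssignments]) expression.

    Microsoft documents the expression as expecting exactly one assignment per user;
    raising on any other count is this example's assumption, not Microsoft's code.
    """
    roles = [assignment["value"] for assignment in app_role_assignments]
    if len(roles) != 1:
        raise ValueError(f"expected exactly one app role assignment, got {len(roles)}")
    return roles[0]


def entra_user_to_scim(entra_user):
    """Apply the KB's attribute mappings to an Entra user record.

    Returns the SCIM 2.0 User resource Entra would send to the Tenant URL:
      userName    <- userPrincipalName
      displayName <- displayName
      externalId  <- objectId
      roles[primary eq "True"].value <- SingleAppRoleAssignment([appRoleAssignments])
    """
    role = single_app_role_assignment(entra_user["appRoleAssignments"])
    if role not in ALLOWED_ROLES:
        # A leftover "User" role (or a typo such as "Technicians") would land here.
        raise ValueError(f"app role value {role!r} is not one of {ALLOWED_ROLES}")
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": entra_user["userPrincipalName"],
        "displayName": entra_user["displayName"],
        "externalId": entra_user["objectId"],
        "roles": [{"value": role, "primary": True}],
    }


def bearer_token_valid(authorization_header, secret_token):
    """Constant-time check of the Authorization header a SCIM endpoint receives.

    Whoever presents the Secret Token can create and deactivate users, so the
    receiving side compares it with hmac.compare_digest rather than ==.
    """
    scheme, _, presented = (authorization_header or "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), secret_token.encode())


# Constructed sample, not real tenant data.
SAMPLE_ENTRA_USER = {
    "userPrincipalName": "tech1@example.com",
    "displayName": "Tech One",
    "objectId": "00000000-0000-0000-0000-000000000001",
    "appRoleAssignments": [{"value": "Technician"}],
}

if __name__ == "__main__":
    print(json.dumps(entra_user_to_scim(SAMPLE_ENTRA_USER), indent=2))
    print("bearer ok:", bearer_token_valid("Bearer example-secret", "example-secret"))
```

Running the script prints the SCIM User document for the sample technician; swapping the role value for anything other than "Admin" or "Technician" raises, which is the same mismatch that would leave the user without a usable role in MSP Process.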

Pushing Users from Microsoft Into MSP Process

  1. In the other browser tab, where you were editing the Enterprise Application, click on the Manage -> Users and Groups tab. 
  2. Click on + Add user/group.
  3. Select the security group(s) to be provisioned.
  4. Select the Role for the group and click Assign.
  5. On the left side under Manage select Provisioning.
  6. Click on the Start provisioning button.

Results!

It'll take anywhere from 10-40 minutes for Microsoft to provision users into MSP Process; it depends on how many users you've got in the Security Groups.

If you're interested in how Microsoft describes why provisioning through SCIM can take a bit of time, and what you should expect in your specific circumstance, check out this KB article:

Check the status of user provisioning

You can see how things are going from the Settings -> User Management -> Users page in MSP Process.

Logging in as a Provisioned User

Your technicians just need to click the Microsoft button on the MSP Process login page: