User provisioning with Azure Active Directory (Azure AD)
Use Azure Active Directory (Azure AD) SCIM provisioning with Front to fine-tune control of your users in Front.
- Automatically create users in Front.
- Automatically block users when the Azure AD profile is suspended.
To set up user provisioning with Azure AD, you must be a Company Admin.
Create a Front API token
You’ll need to create a Front API token to complete the setup process in your Azure portal.
In Front, follow the steps on this article to create an API token.
On Step 4 of creating a token, select the Provisioning and Auto-Provisioning Scopes.
Click the name of your token.
Click Copy to add the token to your clipboard.
Your token can now be pasted into your Azure portal.
Part 1: Connect Front to Azure AD
Follow these steps as defined by Microsoft to create a “non-gallery application” that will be able to provision from Azure AD.
In Step 7 of Microsoft’s instructions, enter the URL for Front’s SCIM endpoint in the Tenant URL field: https://scim.frontapp.com/v2/
In Step 8 of Microsoft’s instructions, paste your Front API token in the Secret Token field.
Click the Test Connection button to confirm Azure AD connects with Front. Click Save when finished.
Part 2: Edit attribute mappings
In your Azure portal, select Provisioning in the left panel, then click Edit attribute mappings.
In the Mappings section, click Provision Azure Active Directory Users.
You will see a list of Azure Active Directory Attributes and their corresponding Front SCIM API fields (customappsso Attributes). We recommend configuring your field mapping like the screenshot below. Delete any Attributes omitted from this list.
There are 4 main adjustments you will need to make that deviate from the defaults.
Adjustment 1: Add the ToLower function onto the active field mapping.
Adjustment 2: Change the mail Azure Active Directory Attribute to userPrincipalName.
Adjustment 3: Click into the mailNickname mapping, and ensure the field is only applied on object creation.
Adjustment 4: Navigate to the advanced options section of the attribute mapping portal. Set externalId as required.
Part 3: Select users or groups to sync
In your Azure portal, select Users and Groups in the left panel.
Select Add User/Group, then click None Selected.
Identify a net new user to be added to Front. If the user already existed in Front and was deleted this will likely cause an error.
Select the user, then click Assign at the bottom left of the screen.
Click back to the Provisioning section of your Azure portal, then click Start provisioning.
By default, the provisioning cycle runs once every 40 minutes. Check the provisioning logs to verify successful provisioning. Ideally we something like the screenshot below.
You can also confirm whether a user was successfully provisioned in Front via the Teammates tab in your company settings.
Remove a user
You can remove a user from your custom application portal in Azure AD. This will block the teammate account in Front.
Open your Azure portal, then click Users and groups in the left panel.
Check the box next to the user you’ve like to remove, then click Remove.
This is effectively a soft delete, so the user will appear as Blocked in your instance of Front and their session will be immediately invalid once the next provisioning cycle completes.
This user’s Front license can now be assigned to someone else.
What happens when I remove access to Front from Azure AD?
When you remove access to Front from Azure AD for a specific teammate, that teammate will be blocked. Should you re-authorize access to Front, the teammate will be unblocked automatically. Azure AD does not allow deleting via the integration, so users in Front are blocked, even if they are deleted in Azure AD.
What happens when someone is deleted from Azure AD?
Azure AD does not allow deleting via the integration, so users in Front are blocked, even if they are deleted in Azure AD.
SCIM provisioning is available on the Scale plan. Some legacy plans with different names may also have this feature.