With the SCIM (System for Cross-domain Identity Management) provisioning protocol, users in Tribe CRM can be managed from Azure AD, including creating, modifying and blocking users. This simplifies the management of access to Tribe CRM.
This document is intended for experienced Azure AD administrators.
What does the link with Azure AD do?
How do I activate the link?
Settings if SSO is not used
1 What does the link with Azure AD do?
The link simplifies user management, as the actions of creating, changing and deleting users are performed in Azure AD.
Tribe CRM receives data from Microsoft in the following situations:
Creating a new user
Updating a user
Blocking a user
Deleting a user
When a new user is created in Azure AD, the link checks whether the email address already belongs to an employee in Tribe. If this is not the case, a new account and user are created in Tribe. If an employee is found in Tribe, the Azure user is linked to the existing Tribe user.
When a user is blocked or deleted in Azure, the 'blocked' checkmark is activated in the employee configuration in Tribe.
After the user is automatically created in Tribe CRM, the Tribe administrator can add the necessary roles to the user so that the correct permissions are set.
2 How do I activate the link?
Follow the steps below to activate the link.
Tribe CRM
Log in to Tribe.
Navigate to the marketplace.
Open the identity management tab and click Azure Scim.
Activate the link.
Copy the tenant URL and the secret token; you will need these in Azure AD.
If you are not using SSO, activate the Email recovery password slider. The user will receive an activation email to log in to Tribe.
Azure AD
Note: There may be a delay before Microsoft sends its messages to Tribe, so changes are not always processed in Tribe immediately.
Open the Azure Active Directory portal and go to Enterprise applications (Enterprise applications - Azure Active Directory admin centre).
Next, click + New application and then + Create your own application.
Give the app a name (e.g. TribeCRM-SCIM), choose Integrate any other application you don't find in the gallery (Non-gallery) and click Create.
The app will now be created. This can sometimes take a while.
When the app is created, you are automatically taken to the overview of the application you just created. Now click Provisioning and then Provisioning again (under Manage).
Now change the Provisioning mode from Manual to Automatic. At Tenant URL and Secret Token, enter the data you obtained from TribeCRM. Then click Test Connection to test the connection.
If the connection is successful, a confirmation appears at the top right. Click Save.
Additional options will now become available. Open the Mappings option and set Provision Azure Active Directory Groups to No. (TribeCRM has no groups like those in Azure. Groups can still be added to provisioning, however; the members of the group are then created in TribeCRM.) Then set Provisioning Status to On and click Save again.
Now click Users and Groups and then + Add user/group to add the desired user(s) or group(s). After these are added to the app, they will be automatically created in TribeCRM.
After clicking Assign, the users will be created in TribeCRM.
However, this may take a while, so if you start testing immediately it might not work yet. In Azure, you can view the status in Audit logs (under Activity).
Note: when a user's e-mail address is modified in Azure AD, it must be manually modified in Tribe CRM.
If the username provided by Azure is a valid email address, then this will be used as the username in Tribe, otherwise the primary email address provided by Azure will be used. If it is not present, the creation will fail.
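The username rule above, combined with the email match described in section 1, can be checked before assigning users. The following is an added example, not Tribe's own code: it reads SCIM User resources (userName and emails with a primary flag, as defined in RFC 7643) and predicts whether each user would be created, linked to an existing employee, or fail. The function names, the simple email shape check, the case-insensitive match and the sample data are assumptions.

```python
import re

# Assumption: a simple shape check; Tribe's actual email validation is not documented here.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def resolve_username(scim_user):
    """Return the username Tribe would use, or None if creation would fail."""
    user_name = (scim_user.get("userName") or "").strip()
    if EMAIL_RE.match(user_name):
        return user_name  # userName is already a valid email address
    for email in scim_user.get("emails") or []:
        value = (email.get("value") or "").strip()
        if email.get("primary") and EMAIL_RE.match(value):
            return value  # fall back to the primary email address
    return None  # no usable email address: creation fails

def plan_provisioning(scim_user, tribe_employee_emails):
    """Predict 'fail', 'link' (email already known in Tribe) or 'create'."""
    username = resolve_username(scim_user)
    if username is None:
        return ("fail", None)
    # Assumption: the match on email address is case-insensitive.
    known = {e.lower() for e in tribe_employee_emails}
    return ("link" if username.lower() in known else "create", username)

# Constructed sample data, not taken from a real tenant.
TRIBE_EMPLOYEES = ["anna@example.com"]
SAMPLE_USERS = [
    {"userName": "Anna@example.com"},
    {"userName": "bob", "emails": [
        {"value": "bob.old@example.com", "primary": False},
        {"value": "bob@example.com", "primary": True}]},
    {"userName": "svc-account", "emails": []},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(user["userName"], plan_provisioning(user, TRIBE_EMPLOYEES))
```

Because an existing Tribe employee is linked purely on email address, review the users that come out as "link" before assigning them to the app.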
Deleting a user
To deny a user or group access to TribeCRM, remove it again under Users and groups.
Force provisioning
It is also possible to force provisioning for a particular user. You will then immediately see a clear log. To do so, click on Provision on demand on the left-hand side. Then select the desired user and click on Provision.
3 Settings if SSO is not used
The user no longer needs to enter his password if Single Sign-On is activated in Azure. If SSO is not used, first activate the email recovery password slider in the pairing screen in Tribe. When a new user is created in Azure, the user will receive an email from Tribe to set his password.