Azure SCIM configuration for Dynatrace
This page describes the IdP (Azure) end of your SCIM SSO configuration, not the Dynatrace end. Use it as part of the entire SCIM configuration procedure for Dynatrace SaaS if you're using Azure.
While we do our best to provide you with current information, Dynatrace has no control over changes that may be made by third-party providers. Always refer to official third-party documentation from your IdP as your primary source of information for third-party products.
To set up SCIM for your domain:
- Create SCIM application in Azure
- Configure provisioning
- Configure group mappings
- Configure user mappings
- Assign users and groups
- Enable SCIM
Create SCIM application in Azure
In Microsoft Entra ID
- From the leftmost menu, select Manage > Enterprise applications.
- Select New application > Create your own application.
- In the pop-up window on the right, enter an Input name for your app.
  Make sure that you have selected Integrate any other application you don't find in the gallery (Non-gallery).
- Select Create.
Configure provisioning
To configure provisioning in Azure, you need the Dynatrace SCIM base URL and the secret token that you got in the Get Dynatrace SCIM endpoint and create secret token procedure.
In Microsoft Entra ID with your application selected
- If you're already on the application Overview page, select 3. Provision User Accounts in the Getting Started section.
  Alternatively, from the leftmost menu, select Manage > Provisioning.
- If you're doing this for the first time, select Get started.
- In Provisioning Mode, select Automatic.
- Expand Admin Credentials.
- Enter your admin credentials:
  - Tenant URL
    Example: https://api.sso.dynatrace.com/idm/public/scim/<YOUR_ACCOUNT_ID>/v2
  - Secret Token
    You got this token from Dynatrace.
- Select Test Connection to validate the endpoint and credentials.
- If the test succeeds, select Save in the upper-left corner of the page to generate mappings.
  If the test fails, verify your settings:
  - Tenant URL
    Example: https://api.sso.dynatrace.com/idm/public/scim/<YOUR_ACCOUNT_ID>/v2
  - Secret Token
    You created this earlier in the Get a secret token procedure.
Configure group mappings (optional)
Do this if you need to provision only certain groups in Dynatrace.
In Microsoft Entra ID with your application selected
- On the Provisioning page, expand Mappings.
- Select Synchronize Azure Active Directory Groups to customappsso.
  Make sure that the Enabled toggle is set to Yes.
- In Source Object Scope, select All records.
- Select Add new filter group.
- Fill in the fields.
- Select Apply in the lower-left corner.
- You can leave all Target Object Actions selected.
  Dynatrace SCIM supports all of these actions.
- Set Attribute Mappings as follows:

  | Microsoft Entra ID Attribute | customappsso Attribute |
  | --- | --- |
  | displayName | displayName |
  | objectId | externalId |
  | members | members |

- Select Save on the Attribute Mapping page.
Configure user mappings
You need to limit the scope of users that are provisioned by SCIM to those with matching email domains to prevent your SCIM requests from being rejected.
To create a filtering rule for users
- On the Provisioning page, expand Mappings.
- Select Synchronize Azure Active Directory Users to customappsso.
- Select your Source Object Scope.
- Select Add new filter group.
- On Add Scoping Filter, fill in the fields as follows:
  - Source Attribute: mail
  - Operator: ENDS_WITH
  - Clause value: @<YOUR_DOMAIN> (for example, @example.com)
    Keep in mind that subdomains should be verified for the account separately. Therefore, the @ in the domain string is required and will guarantee that your requests won't be rejected due to an invalid user domain.
- Select Apply in the lower-left corner.
- You can leave all Target Object Actions selected.
  Dynatrace SCIM supports all of these actions.
- Limit Attribute Mappings to the following:

  | Microsoft Entra ID Attribute | customappsso Attribute |
  | --- | --- |
  | userPrincipalName | userName |
  | Switch([IsSoftDeleted],,"False","True","True","False") | active |
  | displayName | displayName |
  | givenName | name.givenName |
  | surname | name.familyName |

- Select Show advanced options in Attribute Mappings, and select Edit attribute list for customappsso.
- Make sure the following checkboxes are selected.
  - For id: select Primary Key? and Required?
  - For userName: select Required?
- Select Save on the Edit Attribute List page.
- Select Save on the Attribute Mapping page.
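The following model of the scoping filter and attribute mappings above is an added example, not Dynatrace or Microsoft code. It shows which constructed directory records the mail ENDS_WITH @<YOUR_DOMAIN> filter lets through, which extra records a clause value without the @ would admit, and the SCIM user attributes that the listed mappings produce. The domain corp.example, the sample records, and the function names in_scope, to_scim_user and plan are assumptions made for this illustration.

```python
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample directory records (not real accounts).
USERS = [
    {"userPrincipalName": "alice@corp.example", "mail": "alice@corp.example",
     "displayName": "Alice Doe", "givenName": "Alice", "surname": "Doe",
     "IsSoftDeleted": False},
    {"userPrincipalName": "bob@dev.corp.example", "mail": "bob@dev.corp.example",
     "displayName": "Bob Roe", "givenName": "Bob", "surname": "Roe",
     "IsSoftDeleted": False},
    {"userPrincipalName": "carol@notcorp.example", "mail": "carol@notcorp.example",
     "displayName": "Carol Poe", "givenName": "Carol", "surname": "Poe",
     "IsSoftDeleted": False},
    {"userPrincipalName": "dan@corp.example", "mail": "dan@corp.example",
     "displayName": "Dan Low", "givenName": "Dan", "surname": "Low",
     "IsSoftDeleted": True},
]


def in_scope(user, clause_value):
    """Model of the scoping filter: mail ENDS_WITH <clause value>."""
    return (user.get("mail") or "").endswith(clause_value)


def to_scim_user(user):
    """Apply the attribute mappings listed above to one directory record."""
    # Switch([IsSoftDeleted],,"False","True","True","False") inverts the flag.
    active = {"False": True, "True": False}[str(user["IsSoftDeleted"])]
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user["userPrincipalName"],
        "active": active,
        "displayName": user["displayName"],
        "name": {"givenName": user["givenName"], "familyName": user["surname"]},
    }


def plan(users, domain):
    """Return (payloads for in-scope users, mails only a clause without '@' admits)."""
    strict = [u for u in users if in_scope(u, "@" + domain)]
    loose_only = [u["mail"] for u in users
                  if in_scope(u, domain) and not in_scope(u, "@" + domain)]
    return [to_scim_user(u) for u in strict], loose_only


if __name__ == "__main__":
    payloads, loose_only = plan(USERS, "corp.example")
    print(json.dumps(payloads, indent=2))
    print("Admitted only without '@':", loose_only)
```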
Assign users and groups
To assign users or groups to your application and send them via SCIM to Dynatrace, in Microsoft Entra ID
- If you're already on the application Overview page, select 1. Assign users and groups in the Getting Started section.
  Alternatively, from the leftmost menu, select Manage > Users.
- Select Add user/group.
- Select the Users and groups you want to sync.
- Select Assign.
Enable SCIM
To enable SCIM provisioning
- Go to the Provisioning page and expand Settings.
- In Scope list, select Sync only assigned users and groups.
- Turn Provisioning Status on.
In Azure, the initial sync takes longer than subsequent syncs, which occur approximately every 40 minutes as long as the service is running.