Configure SCIM with Azure AD

You can use SCIM to add, update, and deactivate employees in 15Five, all from within Azure AD. This saves you time and ensures that employee data is accurate and up to date.

Note: Typically customers enable both Single Sign-On (SSO) and SCIM together. Check out our "Single Sign-On (SSO)" Help Center article to see if the integration is the right fit for your company. If you want to set up SSO, be sure to set it up before you set up SCIM. If you are using SSO and SCIM together, SSO will only pass Email and Name ID. All other attributes will be updated via SCIM.



Supported features

Automatic User Provisioning is supported for the 15Five application. This enables Azure AD to:

  • Add new people to 15Five
  • Update select fields in people’s profile information in 15Five
  • Deactivate people in 15Five
  • Push groups and membership to 15Five

The following provisioning features are supported:

  • Push New Users: Creating a new individual in Azure AD and assigning them to the 15Five application will create a new individual in 15Five.
  • Push Profile Updates: Updates to an individual in Azure AD will be pushed to 15Five.
  • Push User Deactivation: Deactivating the individual or disabling the individual's access to 15Five within Azure AD will deactivate the individual in 15Five.
  • Push Groups: Groups created in Azure AD can be pushed to 15Five. Attributes pushed include name and group members.
  • Delete Groups: Groups deleted or removed from the 15Five application within Azure AD will be deleted within 15Five.

Set up SCIM with Azure AD

Ready to set up the SCIM integration with Azure AD? This section walks through the steps you must take in both 15Five and Azure AD to do so.

Note: You must be an account admin in 15Five to set up SCIM.

In 15Five: Enable SCIM and generate an OAuth token

1. Click on the Settings gear in the top, right-hand corner of your 15Five account.

2. Select 'Features' from the dropdown menu.

3. Click on 'Integrations'.

4. Click on Enable to the right of the SCIM 2.0 option.

5. Check the box next to 'Enable SCIM' to open up SCIM settings.

6. Generate an access token by clicking Generate OAuth token. The SCIM integration settings will refresh to display the generated OAuth token and who generated it. If previous tokens have been generated, those will also show on this page.

7. Review and/or update the following settings on the SCIM Integration settings page:

  • Enabled: This option indicates whether the SCIM integration is enabled/disabled
  • Send welcome email: Checking this box means that you want emails to be sent to your new employees inviting them to 15Five when they are added to Azure AD.
    • Make sure the settings on the 'Company settings' page under 'Invite details' are also set to reflect the same option, as having the SCIM option turned ON and the Company option turned OFF will cause the invitee emails to not go out.
    • If SSO is enabled, employees will be sent a welcome email with a link to the SSO page for 15Five. If SSO is not enabled, the employee will be sent a link to sign in and set their password.
  • Reassign reporters: Check this box if you want employees to be automatically reassigned to their manager’s manager, if their current manager is deactivated.

In Azure AD: Set up the gallery app

1. Go to the 'Enterprise Applications' page and click on New application. Search for the app "15Five". You can also access this application in the marketplace.

2. Add and name the integration.

3. Now, it's time to configure the integration. Navigate to this URL and start with the 'Getting Started' section under "Step 4: Integrate your SCIM endpoint with the Azure AD SCIM client." Follow the 15 steps in that section and then return to this article. Some notes to help as you complete these steps:

  • You will need to use a tenant URL in this format: https://.15five.com/scim/v2/
  • The SCIM key is 30 characters long and should be placed in the 'Secret Token' field. Make sure to use a SCIM key rather than a 15Five Public API key. A 15Five Public API key is 32 characters long.

Note: It may take 40 minutes before the first people are pushed from Azure AD to 15Five after the Admin Credentials (tenant URL and secret token) have been tested and the non-gallery app has been saved. After that, pushes occur approximately every 20 minutes.

4. Navigate to the 'Mappings' section of the 'Provisioning' page.


5. Update the User Attribute Mappings to match the table below:

| Azure Active Directory attribute | customappsso attribute |
| --- | --- |
| userPrincipalName | userName |
| Not([IsSoftDeleted]) | active |
| jobTitle | title |
| mail | emails[type eq "work"].value |
| givenName | name.givenName |
| surname | name.familyName |
| objectId | externalId |
| employeeId | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber |
| manager (or manager.value) | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager (or urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value) |
| physicalDeliveryOfficeName | urn:ietf:params:scim:schemas:extension:15Five:2.0:User:location |
| extensionAttribute1 (or whichever extension attribute holds the startDate value for an individual) | urn:ietf:params:scim:schemas:extension:15Five:2.0:User:startDate |

6. If you would like managers and the employee’s location to sync, make sure the option is selected in 15Five and follow the directions below.

  • Click Edit attribute list for customappsso at the bottom of the 'Attribute Mapping' page.
  • For location: Enter "urn:ietf:params:scim:schemas:extension:15Five:2.0:User:location" for the attribute name and "String" for the type. Click Add Attribute.
  • If "manager" is not available as an AD attribute, enter "manager.value" for the attribute name, "Reference" for the type, and "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" for the referenced object attribute. Click Add Attribute.
  • Navigate back to the 'User Attribute Mapping' page.
  • Click Add New Mapping at the bottom of the Attribute Mappings table to add each mapping for location and manager.

Note: No changes need to be made to the Group attributes.

If, for whatever reason, you want to prevent email invites from being sent out to employees upon the initial sync between Azure AD and 15Five, refer to the next section of this article.


Delay invite emails

Interested in having your people gain access to 15Five for the first time on a specific day? With 15Five start dates, you can opt to give individuals access to 15Five on a specific day. They will not be able to log into 15Five before this day, nor will they receive notifications. On the specified start date, they will be sent an email notifying them that they have been invited to 15Five and can log in.

There are two options you can use to add start dates for individuals and delay their invites to 15Five: either 1) create a start date attribute in Azure AD to sync it to 15Five, or 2) bulk import new users to 15Five with the "start_date" attribute.

Note: You must add the start date to the individual before assigning the person to 15Five for the first time. If an individual is assigned to 15Five for the first time without a start date, it is assumed that the individual should start immediately and a welcome email will be sent immediately.

Option #1: Create a 'Start date' attribute in Azure AD

  1. Make sure that each individual that needs to be added to 15Five with a start date has a start date of the form "MM/DD/YYYY" stored in an extension attribute. For this example, "extensionAttribute1" will be used. If you would like information on setting extension attributes in Azure AD, please see these documents from Azure's Help Center: Custom attributes in Exchange Server and Set-AzureADUserExtension (with PowerShell).
  2. Enter "urn:ietf:params:scim:schemas:extension:15Five:2.0:User:startDate" for the attribute name and "String" for the type. Click Add Attribute.
  3. Navigate back to the 'User Attribute Mapping' page.
  4. Click Add New Mapping at the bottom of the Attribute Mappings table.
  5. For "Source Attribute", select the extension attribute that holds the individual's start date value, for example "extensionAttribute1".
  6. For "Target Attribute", select "urn:ietf:params:scim:schemas:extension:15Five:2.0:User:startDate".
  7. Click OK to save your mappings and application.
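The attribute mappings from 'Set up the gallery app' and the start date mapping above, applied to one user to show the shape of the SCIM 2.0 resource they describe (extension attributes nested under their schema URN, as in RFC 7643). This is an added example, not 15Five or Microsoft code and not a capture of Azure AD traffic; the function name and the sample record are hypothetical, and the zero-padded MM/DD/YYYY check is an assumption about how strictly the format should be enforced.

```python
import json
import re
from datetime import datetime

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
FIFTEEN_FIVE = "urn:ietf:params:scim:schemas:extension:15Five:2.0:User"


def to_scim_user(aad, start_date_attr="extensionAttribute1"):
    """Apply the article's attribute mappings to one Azure AD user (a dict)."""
    user = {
        "schemas": [CORE],
        "userName": aad["userPrincipalName"],
        "active": not aad.get("IsSoftDeleted", False),  # Not([IsSoftDeleted])
        "externalId": aad["objectId"],
        "name": {"givenName": aad["givenName"], "familyName": aad["surname"]},
        "emails": [{"type": "work", "value": aad["mail"]}],
    }
    if aad.get("jobTitle"):
        user["title"] = aad["jobTitle"]
    enterprise, custom = {}, {}
    if aad.get("employeeId"):
        enterprise["employeeNumber"] = aad["employeeId"]
    if aad.get("manager"):
        enterprise["manager"] = {"value": aad["manager"]}
    if aad.get("physicalDeliveryOfficeName"):
        custom["location"] = aad["physicalDeliveryOfficeName"]
    start = aad.get(start_date_attr)
    if start:
        # Accept only zero-padded MM/DD/YYYY that is also a real calendar date.
        if not re.fullmatch(r"\d{2}/\d{2}/\d{4}", start):
            raise ValueError(f"start date {start!r} is not MM/DD/YYYY")
        datetime.strptime(start, "%m/%d/%Y")
        custom["startDate"] = start
    for urn, attrs in ((ENTERPRISE, enterprise), (FIFTEEN_FIVE, custom)):
        if attrs:  # list an extension schema only when it carries data
            user["schemas"].append(urn)
            user[urn] = attrs
    return user

# Constructed sample record; every value is made up for illustration.
SAMPLE = {
    "userPrincipalName": "jordan@example.com", "mail": "jordan@example.com",
    "givenName": "Jordan", "surname": "Lee", "jobTitle": "Analyst",
    "objectId": "00000000-0000-0000-0000-000000000001", "employeeId": "E-1001",
    "manager": "00000000-0000-0000-0000-000000000002",
    "physicalDeliveryOfficeName": "Remote", "extensionAttribute1": "07/01/2030",
}

print(json.dumps(to_scim_user(SAMPLE), indent=2))
```

Running the same function over a directory export before the first assignment surfaces malformed start dates while they can still be corrected, since a user assigned without a valid start date is treated as starting immediately.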

Option #2: Bulk import individuals to 15Five using the 'start_date' attribute

The other option for setting a start date for individuals whose email invites you want to be delayed is to add those individuals to 15Five via bulk import CSV. The only fields you need to include in the bulk import CSV are 'email' and 'start_date'. Once Azure AD syncs with 15Five, all other employee attributes will sync to 15Five from Azure AD, using email address as employees' unique identifiers.


Information about syncing

Syncing via SCIM happens when a field changes in Azure AD. The sync function is controlled by Azure and can take up to 40 minutes to complete, so if you don’t see the sync going through to 15Five, wait that amount of time before concluding that it has not worked. You can also test a sync by updating a field in Azure AD, which will kick-start a sync with the same possible wait time.

Note: We verify individuals by SCIM ID, then User ID, then Email, then Employee ID, stopping at any point if we hit a match. If you are seeing issues with the "managerId" field not syncing correctly, check the id that you have mapped here or any downstream software you have syncing to Azure. If you are having issues with fields not syncing correctly, email our Support Team at support@15Five.com and we can take a look.

Sync passwords

Azure AD can be configured to sync passwords with 15Five. This sync is directed from Azure AD to 15Five. That is, passwords are only ever sent from Azure AD to 15Five for an individual; never from 15Five to Azure AD.

  • If your company uses SSO with 15Five, do not send the "passwordProfile.password" as an attribute via SCIM. User authentication will be determined from the SAML setup associated with 15Five.

When updating an individual's Azure AD password, that individual's 15Five password may be updated (depending on whether the "passwordProfile.password" attribute is being sent by Azure AD).

  • If SSO is enabled for the company in 15Five, no password changes will occur for the person within 15Five.

If SSO is not enabled in 15Five and the "passwordProfile.password" attribute is being sent by Azure AD to 15Five, then the individual will receive an email with a link to reset their password in 15Five.

Sync groups

Please note that these are the only Group attributes that are updatable via the Azure AD integration:

  • Group name
  • Group members

Note: Groups created in 15Five cannot be imported into Azure AD, so it is suggested that you create groups in Azure AD first. These groups, when assigned to the 15Five non-gallery app, will be pushed to 15Five along with individuals.

Sync group types

When a new group is created and synced over via SCIM, it goes into the 'Groups' group type in 15Five. In terms of attributes, the only thing 15Five reads from SCIM with regard to groups and group types is the Group ID. Once a group appears in 15Five, it is up to the account administrators to move it to other group types as needed. Groups can be moved to a new group type (manually, via CSV, or via API) in 15Five, and future SCIM syncs will not override the group type because the group ID itself hasn't changed.

The gist: Group types within 15Five do not talk to SCIM. SCIM does not talk to 15Five about group types. SCIM only talks to 15Five from a group perspective (i.e., creating a group, naming a group, adding or removing members, deleting a group). Group type organization and maintenance is done manually in 15Five alone (i.e., creating a new group type, moving a group to a group type, enabling features per group type).

Note: If an existing group and department (or two groups) need to be combined, this action will need to be taken in SCIM and then 15Five will update accordingly.

Groups cannot be used to remove access to 15Five. For example, the following steps will NOT cause an individual to be de-provisioned from 15Five:

  1. Create a group in Azure AD
  2. Assign individuals to that group in Azure AD
  3. Assign the group to 15Five application in Azure AD
  4. Remove an individual (Person A) from the group in Azure AD

Steps 1 through 3 will cause individuals to be provisioned to 15Five, but the last step will not cause Person A to be removed from 15Five. Person A will only be removed from the group within 15Five.

To remove individuals from 15Five, they must be individually unassigned from the application within Azure AD. Therefore, it is suggested that individuals be individually assigned to the 15Five application within Azure AD (rather than via group assignment) for consistency.
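Because removing someone from a group does not de-provision them, it is worth periodically reconciling 15Five's active users against current Azure AD assignments. The code below is an added example, not 15Five or Microsoft code; the function name, the input lists and the sample addresses are hypothetical, and it assumes you have exported the active 15Five users, the directly assigned users, the groups assigned to the application and each group's members.

```python
def audit_15five_access(active_in_15five, direct_users, assigned_groups, group_members):
    """Compare 15Five's active users with current Azure AD entitlements.

    Returns (orphaned, group_only), both sorted lists of lower-cased emails:
      orphaned   - active in 15Five, but neither directly assigned to the app
                   nor a member of any group assigned to it
      group_only - entitled only through a group, so removing them from that
                   group will not deactivate them in 15Five
    """
    def norm(emails):
        # Email is the join key; compare case-insensitively.
        return {e.strip().lower() for e in emails}

    active, direct = norm(active_in_15five), norm(direct_users)
    via_group = set()
    for group in assigned_groups:
        via_group |= norm(group_members.get(group, []))
    orphaned = sorted(active - direct - via_group)
    group_only = sorted((active & via_group) - direct)
    return orphaned, group_only


# Constructed sample data, not real accounts. Person A was provisioned through
# the assigned group and later removed from it (step 4 above).
ACTIVE_IN_15FIVE = ["person.a@example.com", "Person.B@example.com", "person.c@example.com"]
DIRECT_USERS = ["person.c@example.com"]
ASSIGNED_GROUPS = ["15Five-Pilot"]
GROUP_MEMBERS = {
    "15Five-Pilot": ["person.b@example.com"],
    "Finance": ["person.a@example.com"],  # this group is not assigned to the app
}

if __name__ == "__main__":
    orphaned, group_only = audit_15five_access(
        ACTIVE_IN_15FIVE, DIRECT_USERS, ASSIGNED_GROUPS, GROUP_MEMBERS)
    print("Active in 15Five with no current assignment:", orphaned)
    print("Entitled only through a group:", group_only)
```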


Disconnect the integration

Disconnecting the SCIM integration is a matter of unchecking the ‘Enabled’ box in your SCIM settings and saving your changes.


Once deactivated, individual user accounts will remain active in 15Five but will no longer be managed by Azure AD.


Troubleshooting, Support, and FAQs

Q: We currently have data in 15Five. If we turn on SCIM provisioning, do we risk having data deleted for people with existing data?
A: No, the data will not be deleted if the email addresses are the same. You will need to reimport all of your people so that SCIM will work with individuals that were active in 15Five prior to SCIM being enabled. Doing this does not affect check-ins, objectives, and other user-generated content.

Q: Can I sync employee timezones via SCIM?
A: Not at this time.

Q: If SCIM is on can I still add people on a one-off basis?
A: No, if SCIM is on you cannot manually add individuals via the 'Manage people' page or the team 15Five page. Importing new individuals via CSV is an option if SCIM is enabled for your organization. Please reach out to Support at support@15Five.com.

Q: Should we make groups in our IdP and then push them over to 15Five? If so, how do we pass over the group administrator?
A: It is advisable to pass over the groups through IdP. However, there is no way to pass over a group admin. The field for group admin will be blank in 15Five. After you set up the groups between IdP and 15Five, you can add a group admin for each group.

Q: What is the frequency of SCIM uploads from our IdP to 15Five?
A: It’s an on-demand basis, i.e. you make a change and your IdP pushes it immediately to 15Five.

Q: Can SCIM update custom attributes in 15Five?
A: No, not at this time. You can update them using bulk imports or by manually updating the employee’s profile. The bulk import option is not automatically turned on for companies that use SCIM. If you would like this turned on, email support@15Five.com.

Q: Manager/Reviewer field is not syncing.
A: There are a few potential reasons for this:

  • Confirm that ‘Sync Managers’ is selected in your SCIM settings.
  • Did the manager exist in 15Five before assigning them to the employee in Azure? If not, try changing their manager field to initiate another sync. You can review the system logs within Azure for details about what jobs have taken place.
  • Confirm that your managerId or managerEmail attributes are mapped correctly.
  • If you have a downstream software connecting to Azure AD, confirm that the id mapped from that software to Azure AD is an id that is passed to 15Five. We verify individuals by SCIM ID, then User ID, then Email, then Employee ID, stopping at any point if we hit a match. If we do not see an ID we recognize, often the reviewer field will appear blank in 15Five.
  • Modify the individual's profile in some way, perhaps by altering an unused field (State, Zip, etc.). Bulk modification of individuals is possible in Azure AD.
  • Un-assign and re-assign the direct report to the 15Five application. Please note this will trigger a "Welcome Back" email to be sent to the re-assigned individual(s).

Updates or de-provisioning not working for some individuals?
Individuals added to 15Five before SCIM was enabled for the 15Five account may not be tracked by Azure AD. To make Azure AD aware of these individuals' membership in 15Five by forcing a sync between Azure AD and 15Five, click Restart provisioning and save the non-gallery app.

Note: This could remove individuals from 15Five if they are not assigned to the non-gallery app in Azure AD.

