You can use SCIM to onboard new employees into 15Five, update, and deactivate by syncing directly from Azure to 15Five. This saves you lots of time and ensures that data is accurate and up to date for all your employees.
Typically customers enable both Single Sign-On (SSO) and SCIM together. See our article on SSO to see if the integration is the right fit for your company. If you want to set up SSO, be sure to set that up before you set up SCIM. If you are using SSO and SCIM together, SSO will only pass Email and Name ID. All other attributes will be updated by SCIM.
What you’ll find in this article:
- Features synced
- How to set up SCIM with Azure
- How to disconnect
- Troubleshooting and FAQs
Automatic User Provisioning is supported for the 15Five application.
This enables Azure AD to:
- Add new people to 15Five
- Update select fields in people’s profile information in 15Five
- Deactivate people in 15Five
- Push groups and membership to 15Five
The following provisioning features are supported:
- Push New Users: Creating a new individual in Azure AD and assigning them to the 15Five application will create a new individual in 15Five.
- Push Profile Updates: Updates to an individual Azure AD will be pushed to 15Five.
- Push User Deactivation: Deactivating the individual or disabling the individual's access to 15Five within Azure AD will deactivate the individual in 15Five.
- Push Groups: Groups created in Azure AD can be pushed to 15Five. Attributes pushed include name and group members.
- Delete Groups: Groups deleted or removed from the 15Five application within Azure AD will be deleted within 15Five.
How to set up SCIM with Azure
Ready to set up the SCIM integration with Azure? Here are the steps to do so, with any tips you may need to know along the way.
If you want to use 15Five’s start date functionality, and the hire/start date in Azure AD is not the date you want the employee to actually gain access to 15Five (ex. start date is in the past), it is recommended that you first do a bulk import to import your employees to 15Five, and then turn off the ‘Start date’ option in your SCIM settings in 15Five. Since 15Five syncs the hire date from Azure AD, and can not accept a past start date, this would be the best way to onboard your existing employees.
Set up SCIM with Azure
1. Click on the Settings menu at the upper right corner of your 15Five account and then click Features under 'ADMIN SETTINGS'.
2. Click on 'Integrations'.
3. Click on Enable to the right of the SCIM 2.0 option. 4. Generate an access token by clicking the Generate OAuth token. This page will show you all access tokens that have been generated, and who generated them.
5. Review and/or update settings on this page:
- Enabled: This option indicates whether the SCIM integration is enabled/disabled
- Send welcome email: Checking this box means that you want emails to be sent to your new employees inviting them to 15Five when they are added to Azure AD.
- Make sure the settings on the 'Company settings' page under 'Invite details' are also set to reflect the same option, as having the SCIM option turned ON and the Company option turned OFF will cause the invitee emails to not go out.
- If SSO is enabled, employees will be sent a welcome email with a link to the SSO page for 15Five. If SSO is not enabled, the employee will be sent a link to sign in and set their password.
- Reassign reporters: Check this box if you want employees to be automatically reassigned to their manager’s manager, if their current manager is deactivated.
Now it is time to set up the gallery app in Azure.
6. Go to the 'Enterprise Applications' page and click on New application. Search for the app "15Five". You can also access this application in the marketplace.
7. Name the application and add.
Next, you will configure the application.
8. Navigate to this URL and start with the 'Getting Started' section under Step 4: Integrate your SCIM endpoint with the Azure AD SCIM client. Follow the 15 steps in that section and then return to this article.
You will need to use a tenant URL of the format below:
9. The SCIM key is 30 characters long and should be placed in the 'Secret Token' field. Make sure to use a SCIM key rather than a 15Five Public API key. A 15Five Public API key is 32 characters long.
It may take 40 minutes before the first people are pushed from Azure AD to 15Five after the Admin Credentials (tenant URL and secret token) have been tested and the non-gallery app has been saved. After that, pushes occur approximately every 20 minutes.
10. Navigate to the 'Mappings' section of the 'Provisioning' page.
11. Update the User Attribute Mappings to match the table below:
|AZURE ACTIVE DIRECTORY ATTRIBUTE||CUSTOMAPPSSO ATTRIBUTE|
emails[type eq "work"].value
|manager (or manager.value)||
( or urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value)
(or whichever extension attribute holds the startDate value for an individual)
12. If you would like managers and the employee’s location to sync, make sure the option is selected in 15Five and follow the below directions.
- Click Edit attribute list for customappsso at the bottom of the 'Attribute Mapping' page.
- For location: Enter "urn:ietf:params:scim:schemas:extension:15Five:2.0:User :location" for the attribute name and "String" for the type. Click Add Attribute.
- If "manager" is not avialable as an AD attribute, enter "manager.value" for the attribute name, "Reference" for the type, and "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" for the referenced object attribute. Click Add Attribute.
- Navigate back to the 'User Attribute Mapping' page.
- Click Add New Mapping at the bottom of the Attribute Mappings table to add each mapping for location and manager.
No changes need to be made to the Group attributes.
14. Interested in having your people gain access to 15Five for the first time on a specific day? With 15Five start dates, you can set a date before which your people will not be able to log in to 15Five, nor will they receive notifications. On the specified date, they will be sent an email notifying them that they have been invited to 15Five and can log in. To send start dates to 15Five, follow these steps:
- Ensure each individual that needs to be provisioned with a start date has a start date of the form "MM/DD/YYYY" stored in an extension attribute. For this example, "extensionAttribute1" will be used. If you would like information on setting extension attributes in Azure AD, please see these documents:
https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureaduserextension?view=azureadps-2.0 (With PowerShell)
- Enter " urn:ietf:params:scim:schemas:extension:15Five:2.0:User:startDate " for the attribute name and "String" for the type. Click Add Attribute.
- Navigate back to the 'User Attribute Mapping' page.
- Click Add New Mapping at the bottom of the Attribute Mappings table.
- For "Source Attribute", select the extension attribute that holds the individual's start date value. For example (extensionAttribute1)
- For "Target Attribute", select " urn:ietf:params:scim:schemas:extension:15Five:2.0:User:startDate ".
- Click OK to save your mappings and application.
Please note that you must add the start date to the individual before assigning the person to 15Five for the first time. If an individual is assigned to 15Five for the first time without a start date, it is assumed that the individual should start immediately and a welcome email will be sent immediately.
Syncing via SCIM happens when a field changes in Azure—the sync function is controlled by Azure and can take up to 40 mins to complete, so if you don’t see the sync going through, make sure to wait that amount of time to confirm. You can also test a sync by updating a field, which will kick start a sync with the same possible wait time.
We verify individuals by SCIM ID, then User ID, then Email, then Employee ID, stopping at any point if we hit a match. If you are seeing issues with the "managerId" field not syncing correctly, check the id that you have mapped here or any downstream software you have syncing to Azure. If you are having issues with fields not syncing correctly, email our Support Team at support@15Five.com and we can take a look.
Azure AD can be configured to sync passwords with 15Five. This sync is directed from Azure AD to 15Five. That is, passwords are only ever sent from Azure AD to 15Five for an individual; never from 15Five to Azure AD.
- If your company uses SSO with 15Five, do not send the "passwordProfile.password" as an attribute via SCIM. User authentication will be determined from the SAML setup associated with 15Five.
When updating an individual's Azure AD password, that individual's 15Five password may be updated (depending on whether the"passwordProfile.password" attribute is being sent by Azure AD).
- If SSO is enabled for the company in 15Five, no password changes will occur for the person within 15Five.
- If SSO is not enabled in 15Five and the"passwordProfile.password" attribute is being sent by Azure AD to 15Five, then the individual will receive an email with a link to reset their password in 15Five.
Please note that these are the only Group attributes that are updatable via the Azure AD integration:
- Group name
- Group members
Note: Groups created in 15Five cannot be imported into Azure AD. Since groups cannot be imported from 15Five into Azure AD it is suggested to create groups in Azure AD first. These groups, when assigned to the 15Five non-gallery app, will be pushed to 15Five along with individuals.
When a new group gets created and synced over via SCIM, that new group will go into the 'Groups' group type in 15Five. In terms of attributes, the only thing 15Five will read from SCIM in regards to groups and group types is the Group ID. After a group is appearing in 15Five, it will be up to the account administrators to reorganize this group(s) to other group types as needed. Groups can be moved to a new group type (manually, via CSV, or via API) in 15Five and future SCIM syncs will not override the group type because the group ID itself hasn't changed.
The gist: Group types within 15Five do not talk to SCIM. SCIM does not talk to 15Five about group types. SCIM only talks to 15Five from a group perspective (ie creating a group, naming a group, adding or removing members, deleting a group). The group type organization and maintenance is manually done in 15Five alone (ie creating a new group type, moving to a group type, enabling features per group type).
If an existing group and department (or two groups) need to be combined, this action will need to be taken in SCIM and then 15Five will update accordingly.
Groups cannot be used to remove access to 15Five. For example, the following steps will NOT cause an individual to be de-provisioned from 15Five:
- Create a group in Azure AD
- Assign individuals to that group in Azure AD
- Assign the group to 15Five application in Azure AD
- Remove an individual (Person A) from the group in Azure AD
Steps 1 through 3 will cause individuals to be provisioned to 15Five, but the last step will not cause Person A to be removed from 15Five. Person A will only be removed from the group within 15Five.
To remove individuals from 15Five, they must be individually unassigned from the application within Azure AD. Therefore, it is suggested that individuals be individually assigned to the 15Five application within Azure AD (rather via group assignment) for consistency.
How to disconnect
Disconnecting the SCIM integration is a matter of unchecking the ‘Enabled’ box in your SCIM settings.
Once deactivated, the individual accounts will remain active but will no longer be automatically updated by Azure.
Troubleshooting, Support, and FAQs
Q: We have data currently in 15Five, if we turn on SCIM provisioning do we risk having data deleted for people with existing data?
A: No, the data will not be deleted if the email addresses are the same. You will need to reimport all of your people so that SCIM will work with individuals that were active in 15Five prior to SCIM being enabled. Doing this does not affect check-ins, objectives, and other user-generated content.
Q: Can I sync employee timezones via SCIM?
A: Not at this time.
Q: If SCIM is on can I still add people on a one-off basis?
A: No, if SCIM is on you cannot manually add individuals via the 'Manage people' page or the team 15Five page. Importing new individuals via CSV is an option if SCIM is enabled for your organization. Please reach out to Support at support@15Five.com.
Q: Should we make groups in our IdP and then push them over to 15Five? If so, how do we pass over the group administrator?
A: It is advisable to pass over the groups through IdP. However, there is no way to pass over a group admin. The field for group admin will be blank in 15Five. After you set up the groups between IdP and 15Five, you can add a group admin for each group.
Q: What is the frequency of SCIM uploads from our IdP to 15Five?
A: It’s an on-demand basis, i.e. you make a change and your IdP pushes it immediately to 15Five.
Q: Can SCIM update custom attributes in 15Five?
A: No, not at this time. You can update them using bulk imports or by manually updating the employee’s profile. The bulk import option is not automatically turned on for companies that use SCIM. If you would like this turned on, email support@15Five.com.
Q: Manager/Reviewer field is not syncing.
A: There are a few potential reasons for this:
- Confirm that ‘Sync Managers’ is selected in your SCIM settings.
- There's an active Best-Self Review cycle in your company's account. Since changing reviewers during a review cycle causes changes to the review cycle, manager updates are not performed during active Best-Self Reviews.
- Did the manager exist in 15Five before assigning them to the employee in Azure? If not, try changing their manager field to initiate another sync. You can review the system logs within Azure for details about what jobs have taken place.
- Confirm that your managerId or managerEmail attributes are mapped correctly.
- If you have a downstream software connecting to Okta, confirm that the id mapped from that software to Okta is an id that is passed to 15Five. We verify individuals by SCIM ID, then User ID, then Email, then Employee ID, stopping at any point if we hit a match. If we do not see an ID we recognize, often the reviewer field will appear blank in 15Five.
- Modify the individual(s) profile in some way (perhaps by altering an unused field (State, Zip, etc)). Bulk modification of individuals is possible in Okta.
- Un-assign and re-assign the direct report to the 15Five application. Please note this will trigger a "Welcome Back" email to be sent to the re-assigned individual(s).
Updates or de-provisioning not working for some individuals?
Individuals added to 15Five before SCIM was enabled for the 15Five account may not be tracked by Azure AD. To make Azure AD aware of these individuals' membership in 15Five/run a force sync between Azure AD <> 15Five, click Restart provisioning and save the non-gallery app. NOTE: This could remove individuals from 15Five if they are not assigned to the non-gallery app in Azure AD.