Overview

By using Azure Active Directory (Azure AD), user data can be populated, and synchronized to your Kintone environment.

This article guides on how to use Azure AD's Provisioning feature to sync Azure users with Kintone.

The User Provisioning Feature

• User data and related services that are set up on Azure AD can be synced with Kintone.
  For example, if a new user is added into Azure AD, a new user can be automatically added into Kintone that can access Kintone services.
• The User Provisioning Feature can be used with the following actions
  • Adding a User
  • Updating User Information
  • Deactivating a User
• User data that can be synced are the following:
  • Login Name
  • Display Name
  • Surname
  • Given Name
  • Email Address
  • Status
• Users that are already added into Kintone can also use the Provisioning feature

Required Environments

• SAML Authentication must be implemented before setting up User Provisioning.
  • Refer to the following article to set up SAML through Azure AD:
    SSO with Azure Active Directory
    • Refer to the following important points when setting up SAML
      • Areas Affected by This Restriction
      • User API Overview (Setting up SAML)
  • Add users to be provisioned as tenants in Azure AD
    • Create a new tenant in Azure Active Directory
    • Add or delete users using Azure Active Directory
• The following permissions are needed when using the Provisioning feature
  • Kintone: Users & System Administrators
  • Azure AD: Application Administrator or User Administrator or greater

Limitations

• Departments, Job Titles and Groups (Roles) cannot be synced.
• If a user is deleted from Kintone after syncing, the user will not be recreated on Kintone after another sync. In order to recreate a user on Kintone, first disable Propagate Provisioning via the settings page. Then reactivate Propagate Provisioning before attempting to synchronize user data.
• Login names of synced users cannot be updated.
  To update their login names, the user needs to be deleted from Kintone, before recreating the user on Azure AD, and re-syncing the user data.

For other limitations, refer to the Kintone Help Site .

Important Notes

• Before following this article to set up the Kintone settings on a production environment, it is best practice to set them up and test them on a testing environment. For a free developer's license apply for a developer license here.
• If there is a need to restrict access to Kintone via IP addresses, consider setting up the restrictions on Azure AD. It is not recommended to place Azure AD's IP addresses on the Kintone settings for the list of allowed IP addresses. This is because Azure AD's IP addresses may be subject to change.

Set Up

The set up flow to use Azure AD's provisioning feature is as follows:

• STEP1：Settings on Kintone
  Activate the User Provisioning feature, and generate an API Token.
• STEP2：Settings on Azure AD
  1. Add an Application
  2. Assign Users for Provisioning
  3. Configure the API Integration
  4. Start Provisioning

STEP1: Settings on Kintone

1. Access your Kintone environment. This should be in the format of https://{sample}.kintone.com \ Subdomains differ for each customer. If you do not know your Kintone subdomain, refer to the following help page: Checking Subscription Details
2. Log in with a user with Users & System Administrators permissions.
3. Click on Administration.
4. Click on Provisioning.
   

   

5. Click on Create API Token.
   

   

6. Set up the Validity period and Enter notes for this API token. fields, and click on Create.
   

   

7. Note down the created API Token and SCIM Endpoint. There is no way to recheck the value of the API token after closing the dialog.

   

8. Click on Close.
9. Set the Propagate Provisioning settings to Enabled

   

STEP2: Settings on Azure AD

1. Add the Kintone Application to Azure AD

1. Access your Microsoft Azure Portal .
2. Log in with a user with Administrator permissions.
3. Click on [Azure Active Directory].
   

   

4. Click on Manage Tenants
   

   

5. Choose the Tenant you wish to synchronize, and click Switch.
   

   

6. Choose Enterprise, and click the Add button.
   

   

7. Click Create an App.
   

   

8. Enter information:
   • What's the name of your app?
     Application Name: Kintone Test
   • What are you looking to do with your application?
     Integrate any other application you don't find in the gallery (Non-gallery)
9. Click on the create button
10. Confirm the App was created successfully
    

    

2. Assign Users

1. Click on the Assign Users and Groups Button
   

   

2. Click on the Add user/group button
   

   

3. Click on the None Selected option, choose users to provision, and click the select button
   

   

4. Click on the Assign button to confirm
   

   

3. Connect to Kintone

1. Click on the Provision User Accounts button
   

   

2. Click on Get Started
   

   

3. Select the Automatic provisioning mode
   

   

4. Enter your SCIM endpoint and secret token:

   • Tenant URL：https://{sample}.kintone.com/scim/v2/
     The subdomain name is dependent on your Kintone environment.
   • Secret Token: The API Token created in STEP 1

5. Click on Test Connection

   If an error occurs, check troubleshooting for more information.

   

6. If successful, click save.

7. In the Mapping tab, click on the Provision Azure Active Directory Groups button.
   

   

8. Disable Attribute Mapping and click Save
   

   

9. In the Mapping tab, click the second option Provision Azure Active Directory Users
   

   

10. Unneeded user mappings should be deleted. Delete all but the following mappings:

    • user-PrincipalName
    • Switch([IsSoftDeleted], , "False", "True", "True", "False")
    • displayName
    • mail
    • givenName
    • surname
    • mailNickName

      

11. Click Save and confirm changes.

12. Once again Save all changes.

4. Start Provisioning

1. Click the Start Provisioning button.
   

   

2. When the process completes, check Kintone to see if the users are added.

When provisioning is active, it will run every 40 minutes.

Other Settings

Provision on demand

To immediately invoke provisioning, click on the Provisioning on demand button.

1. On the provisioning screen, click on the Provisioning on demand button.
   

   

2. Search for and select the user(s) you wish to synchronize.
   

   

3. Click on the Provision button to begin.
4. When the provisioning has completed, check on Kintone to confirm the changes.
5. Close all tabs to return to the home page.
   

   

Stopping Provisioning

In order to stop provisioning, from the home menu:

1. Click on Stop provisioning.
   

   

2. Confirm the changes.

Restarting Provisioning

Clicking on Start Provisioning will restart provisioning at any time.
Any changes made while provisioning was inactive will retroactively be applied.

Removing or editing Kintone user access

In order to remove the users from Kintone, the user must be deleted from Azure AD.

1. Open the users and groups tab.
   

   

2. Select the users to be deleted, and click the remove button.
   

   

3. Confirm all changes to complete the process.

In order to re-add users, they must be re-created and added to the application then provisioned.

• Assign Users
• Provision on Demand

Troubleshooting

Error: An invalid certificate was entered

IP address restriction settings from the Kintone environment may be the cause. If IP address restrictions are necessary, consider setting IP restrictions on the Azure AD platform, as IP addresses may change on the Azure AD side, and would require continuing management on the Kintone side.

This article and its contents were last confirmed in March 2023.