User Provisioning and Synchronization with Entra ID

Overview

By using Entra ID (formerly Azure AD), user data can be populated in, and synchronized to, your Kintone environment.

This article explains how to use Entra ID's Provisioning feature to sync Entra ID users with Kintone.

The User Provisioning Feature

  • User data and related services that are set up on Entra ID can be synced with Kintone.
    For example, if a new user is added to Entra ID, a new user with access to Kintone services can be added to Kintone automatically.
  • The User Provisioning Feature can be used for the following actions:
    • Adding a User
    • Updating User Information
    • Deactivating a User
  • The following user data can be synced:
    • Login Name
    • Display Name
    • Surname
    • Given Name
    • Email Address
    • Status
  • Users that have already been added to Kintone can also use the Provisioning feature.
  • After enabling the Provisioning feature, errors may occur when syncing users that were added to Kintone beforehand.
    In this case, disable the "Propagate Provisioning" option in Kintone, enable it again, and try re-syncing.

Required Environments

Limitations

  • Departments, Job Titles and Groups (Roles) cannot be synced.
  • If a user is deleted from Kintone after syncing, the user will not be recreated on Kintone after another sync. In order to recreate a user on Kintone, first disable Propagate Provisioning via the settings page. Then reactivate Propagate Provisioning before attempting to synchronize user data.
  • Login names of synced users cannot be updated.
    To update a login name, the user must be deleted from Kintone, recreated on Entra ID, and re-synced.

For other limitations, refer to the Kintone Help Site (External link).

Important Notes

  • Before following this article to set up the Kintone settings on a production environment, it is best practice to set them up and test them on a testing environment. A free developer license can be requested here.
  • If there is a need to restrict access to Kintone by IP address, consider setting up the restrictions on Entra ID. It is not recommended to add Entra ID's IP addresses to Kintone's list of allowed IP addresses, because Entra ID's IP addresses may change.

Set Up

The setup flow for using Entra ID's provisioning feature is as follows:

STEP1: Settings on Kintone

  1. Access your Kintone environment. The URL is in the format https://{sample}.kintone.com, where the subdomain differs for each customer. If you do not know your Kintone subdomain, refer to the following help page: Checking Subscription Details (External link)
  2. Log in as a user with Users & System Administrator permissions.
  3. Click on Administration.
  4. Click on Provisioning.

  5. Click on Create API Token.

  6. Fill in the "Validity period" and "Enter notes for this API token." fields, and click on Create.

  7. Note down the created API Token and SCIM Endpoint. The value of the API token cannot be viewed again after the dialog is closed.

  8. Click on Close.
  9. Set the Propagate Provisioning setting to Enabled.

STEP2: Settings on Entra ID

1. Add the Kintone Application to Entra ID
  1. Access your Microsoft Azure Portal (External link).
  2. Log in as a user with Administrator permissions.
  3. Click on Microsoft Entra ID.

  4. Click on Manage Tenants.

  5. Choose the Tenant you wish to synchronize, and click Switch.

  6. Choose Enterprise, and click the Add button.

  7. Search for Kintone and select it.

  8. Click on the Create button in the right-side panel.

  9. Confirm that the app was created successfully.

2. Assign Users
  1. Click on the Assign Users and Groups button.

  2. Click on the Add user/group button.

  3. Click on the None Selected option, choose the users to provision, and click the Select button.

  4. Click on the Assign button to confirm.

3. Connect to Kintone
  1. Click on the Provision User Accounts button.

  2. Click on Get Started.

  3. Select the Automatic provisioning mode.

  4. Enter your SCIM endpoint and secret token:

    • Tenant URL: https://{sample}.kintone.com/scim/v2/
      The subdomain name depends on your Kintone environment.
    • Secret Token: the API Token created in STEP 1
  5. Click on Test Connection

    If an error occurs, check the Troubleshooting section for more information.

  6. If the test is successful, click Save.

  7. In the Mapping tab, click on the Provision Azure Active Directory Groups button if it is shown. If it is not shown, continue to step 9.

  8. Disable Attribute Mapping and click Save.

  9. In the Mapping tab, click on Provision Azure Active Directory Users.

  10. Delete all user mappings except the following:

    • userPrincipalName
    • Not([IsSoftDeleted])
    • displayName
    • mail
    • givenName
    • surname

  11. Click Save and confirm changes.

  12. Save all changes once more.

4. Start Provisioning
  1. Click the Start Provisioning button.

  2. When the process completes, check Kintone to see if the users are added.

When provisioning is active, it will run every 40 minutes.
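As an added example (not code from this article, Kintone or Microsoft) of what the six mappings kept in step 10 of "Connect to Kintone" produce: the function below takes a constructed Entra ID user object and builds the SCIM 2.0 User resource that the provisioning service would send to the /scim/v2/ endpoint, including the Not([IsSoftDeleted]) to active rule that drives the "Deactivating a User" action. The SCIM target attribute names are assumed from Entra ID's default SCIM mapping and the SCIM core schema (RFC 7643); the input dictionaries are constructed sample data.

```python
"""Model of the trimmed Entra ID -> Kintone SCIM attribute mapping (added example)."""
import json
from typing import Any

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Entra ID source attributes that remain after step 10 (IsSoftDeleted feeds
# the Not([IsSoftDeleted]) expression). Anything else is ignored by the sync.
KEPT_SOURCE_ATTRIBUTES = frozenset(
    {"userPrincipalName", "IsSoftDeleted", "displayName", "mail", "givenName", "surname"}
)


def entra_user_to_scim(entra_user: dict[str, Any]) -> dict[str, Any]:
    """Build the SCIM User payload for one Entra ID user object.

    Target attribute names are assumed from Entra ID's default mapping:
    userPrincipalName -> userName (Kintone login name), Not([IsSoftDeleted]) -> active,
    displayName -> displayName, mail -> emails, givenName/surname -> name.
    """
    if not entra_user.get("userPrincipalName"):
        # Without a login name there is nothing to create or match in Kintone.
        raise ValueError("userPrincipalName is required to provision a login name")
    scim: dict[str, Any] = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": entra_user["userPrincipalName"],
        # A soft-deleted Entra user is sent as active=false, i.e. deactivated
        # in Kintone rather than deleted.
        "active": not bool(entra_user.get("IsSoftDeleted", False)),
    }
    if entra_user.get("displayName"):
        scim["displayName"] = entra_user["displayName"]
    name = {"givenName": entra_user.get("givenName"), "familyName": entra_user.get("surname")}
    name = {k: v for k, v in name.items() if v}  # omit empty name parts
    if name:
        scim["name"] = name
    if entra_user.get("mail"):
        scim["emails"] = [{"value": entra_user["mail"], "primary": True}]
    return scim


def unmapped_attributes(entra_user: dict[str, Any]) -> list[str]:
    """List attributes present on the Entra object that the trimmed mapping drops.

    Explains why e.g. department or jobTitle never reach Kintone (see Limitations).
    """
    return sorted(k for k in entra_user if k not in KEPT_SOURCE_ATTRIBUTES)


if __name__ == "__main__":
    # Constructed sample user, not real data.
    sample = {"userPrincipalName": "alice@example.com", "IsSoftDeleted": False,
              "displayName": "Alice Example", "mail": "alice@example.com",
              "givenName": "Alice", "surname": "Example", "department": "Sales"}
    print(json.dumps(entra_user_to_scim(sample), indent=2))
    print("dropped by mapping:", unmapped_attributes(sample))
```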

Other Settings

Provision on demand

To invoke provisioning immediately, use the Provision on demand button.

  1. On the provisioning screen, click on the Provisioning on demand button.

  2. Search for and select the user(s) you wish to synchronize.

  3. Click on the Provision button to begin.
  4. When the provisioning has completed, check on Kintone to confirm the changes.
  5. Close all tabs to return to the home page.

Stopping Provisioning

In order to stop provisioning, from the home menu:

  1. Click on Stop provisioning.

  2. Confirm the changes.

Restarting Provisioning

Clicking on Start Provisioning will restart provisioning at any time.
Any changes made while provisioning was inactive will retroactively be applied.

Removing or editing Kintone user access

In order to remove the users from Kintone, the user must be deleted from Entra ID.

  1. Open the Users and groups tab.

  2. Select the users to be removed, and click the Remove button.

  3. Confirm all changes to complete the process.

In order to re-add users, they must be re-created, added to the application, and then provisioned.

Troubleshooting

Error: An invalid certificate was entered

IP address restriction settings in the Kintone environment may be the cause. If IP address restrictions are necessary, consider setting them on the Entra ID side: Entra ID's IP addresses may change, and an allow list on the Kintone side would require ongoing maintenance.

The user is able to sign in, but Kintone is not displayed

Kintone needs to be enabled as an available service. From the Users & System Administration page's Departments and Users tab, click on the edit button for the provisioned user. Enable Kintone via the checkbox under Available Services.

This article and its contents were last confirmed in November 2023.