User Provisioning and Synchronization with Entra ID
Overview
Entra ID (formerly Azure AD) can populate user data in your Kintone environment and keep it synchronized.
This article explains how to use Entra ID's Provisioning feature to sync Entra ID users with Kintone.
The User Provisioning Feature
- User data and related services that are set up on Entra ID can be synced with Kintone.
For example, if a new user is added to Entra ID, a user who can access Kintone services can be added to Kintone automatically.
- The User Provisioning Feature can be used with the following actions:
- Adding a User
- Updating User Information
- Deactivating a User
- The following user data can be synced:
- Login Name
- Display Name
- Surname
- Given Name
- Email Address
- Status
- Users that already exist in Kintone can also be managed by the Provisioning feature.
- After enabling the Provisioning feature, errors may occur when syncing users that were already added to Kintone.
In this case, disable the "Propagate Provisioning" option in Kintone, enable it again, and retry the sync.
Required Environments
- SAML Authentication must be implemented before setting up User Provisioning.
- Refer to the following article to set up SAML through Entra ID:
SSO with Entra ID
- Refer to the following important points when setting up SAML:
- Add users to be provisioned as tenants in Entra ID
- The following permissions are needed when using the Provisioning feature:
- Kintone: Users & System Administrators
- Entra ID: Application Administrator, User Administrator, or a higher role
Limitations
- Departments, Job Titles and Groups (Roles) cannot be synced.
- If a user is deleted from Kintone after syncing, the user will not be recreated in Kintone by a later sync. To recreate the user in Kintone, first disable Propagate Provisioning on the settings page, then re-enable Propagate Provisioning before synchronizing user data again.
- Login names of synced users cannot be updated.
To update a login name, delete the user from Kintone, recreate the user in Entra ID, and re-sync the user data.
For other limitations, refer to the following article:
Provisioning
Important Notes
- Before following this article to set up the Kintone settings on a production environment, it is best practice to set them up and test them on a testing environment. For a free developer's license, apply via the following page:
Developer License Registration Form
- If there is a need to restrict access to Kintone via IP addresses, consider setting up the restrictions on Entra ID. It is not recommended to add Entra ID's IP addresses to the list of allowed IP addresses in the Kintone settings, because Entra ID's IP addresses may change.
Set Up
The setup flow for using Entra ID's provisioning feature is as follows:
- STEP1: Settings on Kintone
Activate the User Provisioning feature, and generate an API Token.
- STEP2: Settings on Entra ID
STEP1: Settings on Kintone
- Access your Kintone environment. This should be in the format of https://{sample}.kintone.com. Subdomains differ for each customer. If you do not know your Kintone subdomain, refer to the following help page: Checking the Billing Information
- Log in with a user with Users & System Administrators permissions.
- Click on Administration.
- Click on Provisioning.
- Click on Create API Token.
- Fill in the Validity period and Enter notes for this API token fields, and click on Create.
- Note down the created API Token and SCIM Endpoint.
The API token value cannot be viewed again after the dialog is closed.
- Click on Close.
- Set the Propagate Provisioning setting to Enabled.
STEP2: Settings on Entra ID
1. Add the Kintone Application to Entra ID
- Access your Microsoft Azure Portal.
- Log in with a user with Administrator permissions.
- Click on Microsoft Entra ID.
- Click on Manage Tenants.
- Choose the Tenant you wish to synchronize, and click Switch.
- Choose Enterprise, and click the Add button.
- Search for Kintone and select it.
- Click on the Create button in the right side panel.
- Confirm that the app was created successfully.
2. Assign Users
- Click on the Assign Users and Groups button.
- Click on the Add user/group button.
- Click on the None Selected option, choose the users to provision, and click the Select button.
- Click on the Assign button to confirm.
3. Connect to Kintone
1. Click on the Provision User Accounts button.
2. Click on Get Started.
3. Select the Automatic provisioning mode.
4. Enter your SCIM endpoint and secret token:
- Tenant URL: https://{sample}.kintone.com/scim/v2/
The subdomain name depends on your Kintone environment.
- Secret Token: the API Token created in STEP 1
5. Click on Test Connection.
If an error occurs, check Troubleshooting for more information.
6. If successful, click Save.
7. In the Mapping tab, click on the Provision Azure Active Directory Groups button if it is shown. If not, continue to step 9.
8. Disable Attribute Mapping and click Save.
9. In the Mapping tab, click on Provision Azure Active Directory Users.
10. Delete the unneeded user mappings. Delete all but the following mappings:
- userPrincipalName
- Not([IsSoftDeleted])
- displayName
- givenName
- surname
- externalId
The externalId attribute must be the user's unique Microsoft Entra ID, if used. A non-unique value can result in the following error:
"status":"409","scimType":"uniqueness","detail":"[SLASH_SC03] The specified resource already exists."
11. Click Save and confirm the changes.
12. Once again, Save all changes.
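The mapping list above is easier to reason about when you can see the SCIM User payload it produces and check it before pressing Start Provisioning. The following script is an added example, not Kintone's or Microsoft's code: it builds the SCIM 2.0 payload that the retained mappings (userPrincipalName, Not([IsSoftDeleted]), displayName, givenName, surname, externalId) would generate, and flags the two failure modes this article describes: a non-unique externalId, which the endpoint rejects with the 409 "uniqueness" error, and a changed userPrincipalName for an already-synced user, whose login name Kintone cannot update. The field name objectId and all sample user records are constructed assumptions for the example.

```python
"""Pre-flight check for the Entra ID -> Kintone SCIM attribute mapping (added example)."""
from __future__ import annotations

import json
from collections import Counter
from typing import Any

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Entra attributes the retained mappings read. Not([IsSoftDeleted]) is an
# expression mapping, so IsSoftDeleted is listed and negated in to_scim_user().
REQUIRED_ENTRA_ATTRS = ("objectId", "userPrincipalName", "displayName", "givenName", "surname", "IsSoftDeleted")

# Constructed sample records (not real directory data). "objectId" stands in for
# the Microsoft Entra object ID that the externalId mapping should carry.
SAMPLE_ENTRA_USERS: list[dict[str, Any]] = [
    {"objectId": "0001-alice", "userPrincipalName": "alice@example.com", "displayName": "Alice Example",
     "givenName": "Alice", "surname": "Example", "IsSoftDeleted": False},
    {"objectId": "0002-bob", "userPrincipalName": "bob@example.com", "displayName": "Bob Example",
     "givenName": "Bob", "surname": "Example", "IsSoftDeleted": True},
    # Mis-mapped externalId: reuses Alice's value, which the SCIM endpoint answers with 409 uniqueness.
    {"objectId": "0001-alice", "userPrincipalName": "carol@example.com", "displayName": "Carol Example",
     "givenName": "Carol", "surname": "Example", "IsSoftDeleted": False},
]


def to_scim_user(entra_user: dict[str, Any]) -> dict[str, Any]:
    """Build the SCIM 2.0 User payload the retained mappings produce for one Entra user."""
    missing = [a for a in REQUIRED_ENTRA_ATTRS if a not in entra_user]
    if missing:
        raise ValueError(f"missing Entra attributes: {missing}")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": entra_user["objectId"],            # externalId <- unique Entra object ID
        "userName": entra_user["userPrincipalName"],     # userName <- userPrincipalName (Kintone login name)
        "displayName": entra_user["displayName"],
        "name": {"givenName": entra_user["givenName"], "familyName": entra_user["surname"]},
        # active <- Not([IsSoftDeleted]): a soft-deleted Entra user becomes a deactivated Kintone user.
        "active": not bool(entra_user["IsSoftDeleted"]),
    }


def preflight(entra_users: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Report mapping problems across the assigned users before provisioning starts."""
    payloads = [to_scim_user(u) for u in entra_users]
    ext_counts = Counter(p["externalId"] for p in payloads)
    name_counts = Counter(p["userName"].lower() for p in payloads)
    return {
        # Each of these would surface as a 409 "uniqueness" error on the SCIM endpoint.
        "duplicate_external_ids": sorted(k for k, n in ext_counts.items() if n > 1),
        "duplicate_user_names": sorted(k for k, n in name_counts.items() if n > 1),
        # Users that will be created or updated as deactivated in Kintone.
        "inactive_users": sorted(p["userName"] for p in payloads if not p["active"]),
    }


def login_name_changes(previous_sync: list[dict[str, Any]],
                       current: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """Find users whose UPN changed since the last sync; Kintone cannot update a synced login name."""
    before = {u["objectId"]: u["userPrincipalName"] for u in previous_sync}
    return [(before[u["objectId"]], u["userPrincipalName"]) for u in current
            if u["objectId"] in before and before[u["objectId"]] != u["userPrincipalName"]]


if __name__ == "__main__":
    print(json.dumps(preflight(SAMPLE_ENTRA_USERS), indent=2))
    print(json.dumps(to_scim_user(SAMPLE_ENTRA_USERS[0]), indent=2))
```

Run against the constructed sample, the check reports the shared externalId "0001-alice" and lists Bob as inactive; a UPN change for an existing object ID is reported separately so it can be handled by the delete-and-recreate procedure described under Limitations rather than discovered after a failed sync.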
4. Start Provisioning
- Click the Start Provisioning button.
- When the process completes, check Kintone to see if the users are added.
When provisioning is active, it will run every 40 minutes.
Other Settings
Provision on demand
To invoke provisioning immediately instead of waiting for the next scheduled run, use Provision on demand:
- On the provisioning screen, click on the Provisioning on demand button.
- Search for and select the user(s) you wish to synchronize.
- Click on the Provision button to begin.
- When the provisioning has completed, check on Kintone to confirm the changes.
- Close all tabs to return to the home page.
Stopping Provisioning
In order to stop provisioning, from the home menu:
- Click on Stop provisioning.
- Confirm the changes.
Restarting Provisioning
Clicking on Start Provisioning will restart provisioning at any time.
Any changes made while provisioning was inactive will retroactively be applied.
Removing or editing Kintone user access
In order to remove users from Kintone, the users must be deleted from Entra ID.
- Open the Users and groups tab.
- Select the users to be deleted, and click the remove button.
- Confirm all changes to complete the process.
In order to re-add users, they must be re-created, added to the application, and then provisioned.
Troubleshooting
Error: An invalid certificate was entered
IP address restriction settings on the Kintone environment may be the cause. If IP address restrictions are necessary, consider setting them on the Entra ID platform: Entra ID's IP addresses may change, and allowing them on the Kintone side would require ongoing maintenance.
The User is able to sign in, however Kintone is not displayed
Kintone needs to be enabled as an available service. From the Users & System Administration page's Departments and Users tab, click on the edit button for the provisioned user. Enable Kintone via the checkbox under Available Services.
This article and its contents were last confirmed in November 2023.