If you have users in Microsoft Entra ID (AD), you can take advantage of the Microsoft Entra ID Provisioning Service to provision users and groups from Microsoft Entra ID to STA. This service is designed to provision users from Microsoft Entra ID to external systems like STA. It provides a simpler alternative to using the SafeNet Synchronization Agent for synchronizing users between Microsoft Entra ID and STA.

The Microsoft Entra ID Provisioning Service is based on the System for Cross-Domain Identity Management (SCIM) 2.0 protocol. It can connect to the SCIM API for STA user management endpoint, to automatically create, update, and remove users and groups.

You cannot run Microsoft Entra ID Provisioning Service and SafeNet Synchronization Agent in parallel.

Configure the Microsoft Entra ID immutable ID management solution

Microsoft Entra ID uses an attribute named immutableId to identify users and their virtual server (tenant) in their infrastructure. Microsoft Entra ID expects the immutable ID in the authentication request response, to uniquely identify a user. Therefore, the immutable ID needs to be synchronized between Microsoft Entra ID and STA.

By default, users that exist only in Microsoft Entra ID don't have an immutable ID. If you have users that exist only in Microsoft Entra ID and need to be authenticated by STA, you must configure the Microsoft Entra ID immutable ID management solution in your Microsoft Entra ID environment. This solution sets an immutable ID on every user and synchronizes it to STA. It runs periodically, finds users that are missing the immutable ID, and patches them with a new, generated immutable ID value.

• If you have users that exist only in Microsoft Entra ID, and you use full federation, configure the Microsoft Entra ID immutable ID management solution. Custom controls, such as Microsoft Entra Conditional Access, do not require adding the immutable ID in Microsoft Entra ID.

With full federation, passwords can no longer be managed in Microsoft Entra ID.

Get an API key and the SCIM endpoint for authorization

The Microsoft Entra ID Provisioning Service needs credentials to connect to STA. Because it uses the SCIM protocol, it needs an API key and the SCIM API endpoint, which you can get from the STA Access Management console:

• Generate an API key.

• Copy the SCIM API endpoint without the trailing forward slash (/).

You need these when you create an enterprise application in Microsoft Entra ID. When you create an enterprise application, you can test the credentials to ensure that the connection is successful.

Create an enterprise application in Microsoft Entra ID

Microsoft Entra ID Provisioning Service is available for applications in Microsoft Entra ID. To take advantage of Microsoft Entra ID Provisioning Service, you need to add an enterprise application to represent STA in Microsoft Entra ID. You can then assign users and groups that are in Microsoft Entra ID to your enterprise application. Users and groups that are assigned to your enterprise application are synchronized to STA when the setup is complete.

1. On the Microsoft Entra ID portal, under Microsoft Entra services, select Enterprise applications.

   

2. Select New application.

   

3. Select Create your own application.

   

4. Type a descriptive name for the application and select Integrate any other application you don't find in the gallery (Non-gallery).

   

   Any applications in the gallery with a similar name are listed. If there are existing applications with a similar name, you might want to choose a different name to avoid confusion.

5. Click Create.

Configure the connection to STA

To configure the connection to STA, you need the API key and SCIM API endpoint URL that you copied from the STA Access Management console. After you create the connection, you can test it to ensure that it is successful.

1. In your newly created enterprise application, select Provisioning and then select Get started.

   

2. In the Provisioning Mode list, select Automatic.

   

3. Under Admin Credentials, enter the Tenant URL that you copied from the STA Access Management console (no trailing slash "/").

4. In the Secret Token field, enter the API key that you copied from the STA Access Management console.

5. Select Test Connection, and then select Save.

Map the user and group attributes

After the connection from Microsoft Entra ID to STA is established, you map the Microsoft Entra ID schema to the STA SCIM schema:

• Replace the Microsoft Entra ID schema: The simplest and quickest way to map the schema is to replace the Microsoft Entra ID schema with the STA SCIM schema.

• Manually map the user attributes and Manually map the group attributes: If you map the attributes manually, you must map both the user and group attributes.

Replace the Microsoft Entra ID schema

The simplest way to map the Microsoft Entra ID schema to the STA SCIM schema, is to replace the schema. When you replace the schema, both the user and group attributes are mapped. You don't need to add the STA custom SCIM extensions, map the STA SCIM attributes to Microsoft Entra ID attributes, or delete unnecessary or unsupported attributes.

If there are credentials stored in the schema JSON file, they are ignored when you save the schema in Microsoft Entra ID.

1. Copy the ADS_Default_STA_User_and_Group_Schema.json from GitHub.

2. On the Provisioning page, under Manage provisioning, select Edit attribute mappings.

   

3. Expand the Mappings section, and select Provision Microsoft Entra ID Users.

   

4. On the Attribute Mapping page, ensure that Enabled is set to Yes, and scroll down to the Attribute Mappings section.

   

5. Under the Attribute Mappings list, select Show advanced options check box, and at the bottom of the page, select Review your schema here.

   

6. Select Download, so that you have a backup copy of the Microsoft Entra ID schema.

   

7. In the schema editor, press Ctrl+a to select all of the text and then press Delete.

8. Paste the ADS Default STA User and Group Schema in the schema editor, and then select Save.

   

9. Select Yes on the confirmation message.

   

10. Refresh the page.

11. On the Attribute Mapping page, check the user mappings:

    

12. Go back to the Provisioning page, expand the Mappings section, and select Provision Microsoft Entra ID Groups.

    

13. Scroll down to the Attribute Mappings section, and check the group mappings:

    

Map the user attributes manually

The Microsoft Entra ID Provisioning Service uses attribute mappings to determine which user and group attributes to synchronize from Microsoft Entra ID to STA.

Microsoft Entra ID has a default set of attributes and attribute mappings. However, the default mapping doesn't include any STA extensions to the SCIM user or group attributes. You need to create the STA extension attributes that you want to synchronize, and then add the mappings.

To be able to federate using Microsoft Entra tenant federation or Microsoft Entra Conditional Authentication Factors, at a minimum, you must synchronize the following attributes to STA:

• userName: Map the Microsoft Entra userPrincipalName to the STA userName.

  The attribute that is mapped to the STA userName must not exceed 64 characters.

• active: The Microsoft Entra Switch(/[IsSoftDeleted/], , "False", "True", "True", "False") expression is mapped to the STA active attribute by default.

• userPrincipalName: You need to add this STA extension and then map the Microsoft Entra userPrincipalName to the extension.

• immutableID: You need to add this STA extension and then map the Microsoft Entra immutable ID to the extension.

• externalId: Map the Microsoft Entra objectId to the STA externalId. This mapping must be present for delete operations to work properly.

Delete any attributes that you don't want to synchronize or that STA does not support.

1. On the Provisioning screen, under Manage provisioning, select Edit attribute mappings.

2. Expand the Mappings section, and select Provision Microsoft Entra ID Users.

   

3. On the Attribute Mapping page, ensure that Enabled is set to Yes, and scroll down to the Attribute Mappings section.

   

4. Delete unsupported attributes, such as preferredLanguage and physicalDeliveryOfficeName. The formatted name cannot be set and is computed automatically.

5. To add the STA extension attributes, under the list of attribute mappings, select Show advanced options, and then select Edit attribute list for customappsso.

   

6. At the bottom of the customappsso User Attributes list, enter the Name and select the Type for each STA extension attribute that you want to add. Add only the attributes that you need to synchronize. The table below lists the Name and Type for the STA extension attributes.

   

   Name	Type
   urn:ietf:params:scim:schemas:extension:stauserextension:2.0:User:isSynchronized	Boolean
   urn:ietf:params:scim:schemas:extension:stauserextension:2.0:User:immutableId	String
   urn:ietf:params:scim:schemas:extension:stauserextension:2.0:User:userPrincipalName	String
   urn:ietf:params:scim:schemas:extension:stauserextension:2.0:User:alias1	String
   urn:ietf:params:scim:schemas:extension:stauserextension:2.0:User:alias2	String
   urn:ietf:params:scim:schemas:extension:stauserextension:2.0:User:custom1	String
   urn:ietf:params:scim:schemas:extension:stauserextension:2.0:User:custom2	String
   urn:ietf:params:scim:schemas:extension:stauserextension:2.0:User:custom3	String

7. Select Save.

8. On the Attribute Mapping screen, select Add New Mapping.

   

9. Map the isSynchonized extension to the Constant true:

   

   • Mapping type: Select Constant.

   • Constant value: Type true.

   • Target attribute: Select urn:ietf:params:scim:schemas:extension:stauserextension:2.0:User:isSynchronized.

   • Select Ok.

   Set this attribute to true to indicate that these users are synchronized from an external user repository, rather than internal users that are created in STA.

   Synchronized users have the following characteristics:

   • Cannot be modified on the STA consoles

   • Can be members of synchronized and internal groups

   • Can have the 24-hour delayed synchronization removal to prevent accidental deletion

   Internal users have the following characteristics:

   • Exist only in STA, such as operator accounts

   • Can only be members of STA internal groups

10. For each of the remaining STA extensions, select Add New Mapping, and map the extension directly to the Microsoft Entra source attribute:

    

    • Mapping type: Select Direct.

    • Source attribute: Select the Microsoft Entra attribute that corresponds to the STA extension:

      • immutableID

      • userPrincipalName

    • Target attribute: Select the STA extension:

      • urn:ietf:params:scim:schemas:extension:stauserextension:2.0:User:immutableId

      • urn:ietf:params:scim:schemas:extension:stauserextension:2.0:User:userPrincipalName

    • Select Ok.

11. At the top of the Attribute Mapping screen, select Save.

    

Map the group attributes manually

There are only two STA extension attributes for groups, but the process for adding and mapping them is the same as the process for users. Delete any attributes that you don't need to synchronize or that STA does not support.

1. On the Provisioning page, in the Mappings section, select Provision Microsoft Entra ID Groups.

   

2. On the Attribute Mapping screen, ensure that Enabled is set to Yes, and scroll down to the Attribute Mappings section.

   

3. Delete any attribute that you don't want to synchronize or that STA doesn't support.

4. To add the STA extension attributes, under the list of attribute mappings, select Show advanced options, and then select Edit attribute list for customappsso.

   

5. At the bottom of the customappsso Group Attributes list, enter the Name and select the Type for each STA extension attribute that you want to add. Add only the attributes that you need to synchronize. The table below lists the Name and Type for the STA extension attributes.

   

   Name	Type
   urn:ietf:params:scim:schemas:extension:stagroupextension:2.0:Group:isSynchronized	Boolean
   urn:ietf:params:scim:schemas:extension:stagroupextension:2.0:Group:description	String

6. Select Save.

7. On the Attribute Mapping screen, select Add New Mapping.

   

8. Map the isSynchonized extension to the Constant true:

   • Mapping type: Select Constant.

   • Constant value: Type true.

   • Target attribute: Select urn:ietf:params:scim:schemas:extension:stagroupextension:2.0:Group:isSynchronized.

   • Select Ok.

   Set this attribute to true to indicate that these users are synchronized from an external user repository, rather than internal users that are created in STA.

   

9. For the description extension, select Add New Mapping, and map it directly to the Microsoft Entra description attribute:

   • Mapping type: Select Direct.

   • Source attribute: Select description.

   • Target attribute: Select urn:ietf:params:scim:schemas:extension:stagroupextension:2.0:Group:description.

   • Select Ok.

10. At the top of the Attribute Mapping screen, select Save.

Assign users and groups to the enterprise application

By default, Microsoft Entra ID synchronizes only the users and groups that are assigned to the newly created enterprise application. This enables you to synchronize only a partial, dedicated user population to STA.

Start with a few test users before you assign the full set of target groups. The SCIM API for STA and the Microsoft Entra Provisioning Service do not support nested groups, so your provisioning groups must have a flat structure.

• On the Provisioning screen, in the Settings section, select the Scope:

  • Sync only assigned users and group: (Default) The Microsoft Entra ID Provisioning Service provisions users based on whether they are members of a group that is assigned to the application.

  • Sync all users and groups: The Microsoft Entra ID Provisioning Service provisions all users and groups in Microsoft Entra ID to your application.

  

Test the attribute mappings

To validate the user schema, manually provision a test user to your enterprise application.

1. In your enterprise application, select User and groups, and then select Add user/group.

   

2. On the Add Assignment screen, under Users and groups, select None Selected.

   

3. On the Users and groups screen, Select a user.

4. On the Add Assignment screen, select Assign.

5. In your enterprise application, select Provisioning, and then select Provision on demand.

   

6. Search for your test user and select Provision.

   

If provisioning is unsuccessful, there might be errors in your user schema configuration. If there is an error, check the provisioning logs. Customer support can use the error ID to look up the error in the STA server logs.

You can confirm that the user was provisioned successfully on the STA Access Management console, on the Users tab.

Schedule provisioning

The Microsoft Entra ID Provisioning Service synchronizes users and groups every 40 minutes if it detects a delta, or earlier if the number of changes exceeds a certain threshold.

Before you start provisioning, ensure that all users and groups that you want to synchronize are assigned to the enterprise application.

• In your enterprise application, select Provisioning, and then select Start provisioning.

  

Troubleshooting

See also the Microsoft documentation about known issues for application provisioning in Microsoft Entra ID.

Resolve provisioning errors

You can use the Microsoft Graph API to resolve provisioning errors.

Get the status and restart a provisioning job

With the Microsoft Graph API, you can get the status of a provisioning job and then restart a job.

If Microsoft Entra ID determines that a provisioning job is unhealthy, it can place the job in the quarantine state. For example, a job is unhealthy if most, or all, of the calls made against STA fail consistently.

You can use the Microsoft Graph API to programmatically get the status of a provisioning job:

GET https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/jobs/{jobId}/

The response to this request includes the reasons for the quarantine. To resolve the issue that caused the quarantine, check the credentials and ensure that Microsoft Entra ID can connect to STA, and then review the provisioning logs in Microsoft Entra ID.

After you resolve the issue, use Microsoft Graph to restart the provisioning job:

POST /servicePrincipals/{id}/synchronization/jobs/{jobId}/restart

For information about the quarantine state, see https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-quarantine-status.

Stop a provisioning job

You can use the Graph API to stop a provisioning job and permanently delete all the associated states.

DELETE /servicePrincipals/{id}/synchronization/jobs/{jobId}/

For information about stopping a provisioning job and deleting the associated states, see: https://docs.microsoft.com/en-us/graph/api/synchronization-synchronizationjob-delete?view=graph-rest-beta&tabs=http.

Synchronize the sAMAccountName to Microsoft Entra ID and STA

The sAMAccountName is the default UserID for STA when synchronizing using the SafeNet Synchronization Agent. By default, Microsoft Entra Connect does not synchronize the sAMAccountName to Microsoft Entra ID. To synchronize the sAMAccountName to Microsoft Entra ID, modify the Microsoft Entra Connect Sync Schema, to map the AD sAMAccountName to an Microsoft Entra extension attribute.

For information about synchronizing extension attributes, see https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.

1. Open the Microsoft Entra Connect console.

   If it complains that the ADSync service has not started, open services.msc and start the Microsoft Microsoft Entra Connect Sync service.

2. Log on with your Microsoft Entra ID administrator credentials, and then select Customize synchronization options.

   

3. Select Directory extension attribute sync.

   

4. Search for sAMAcc and add the attribute to the synchronization list.

   

   When the synchronization completes, the sAMAccountName is available for mapping as an extension attribute.

   

   It is also available as an extension attribute on the user.

   

List Microsoft Entra ID users using Windows PowerShell

1. Import the AzureAD module.

   For Windows PowerShell 7, you need to activate compatibility mode.

   

2. Connect to Microsoft Entra ID.

   

3. List the users.

   

4. List specific user attributes.

   

Known Issue: Disabled users accumulate in STA

Microsoft Entra ID synchronization does not delete users from a remote server, such as STA, unless the users are deleted from Microsoft Entra ID. If you delete a user from a synchronized group, ADS removes the user from the group on the remote server and makes the user inactive.

If the whole synchronized group is removed from the synchronized application in Microsoft Entra ID, the group is deleted, but the users remain in a disabled state. These users accumulate in STA, and you might need to manually delete them to free up capacity.

See https://docs.microsoft.com/en-us/answers/questions/664848/azure-scim-remove-user-from-sync-group-does-not-de.html.