Edit

Share via

Automate User provisioning into ThousandEyes with Microsoft Entra ID

The objective of this article is to show you the steps you need to perform in ThousandEyes and Microsoft Entra ID to automatically provision and de-provision user accounts from Microsoft Entra ID to ThousandEyes.

Prerequisites

The scenario outlined in this article assumes that you already have the following items:

Note

The Microsoft Entra provisioning integration relies on the ThousandEyes SCIM API, which is available to ThousandEyes teams on the Standard plan or better.

Step 1: Assign users to ThousandEyes

Microsoft Entra ID uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been "assigned" to an application in Microsoft Entra ID is synchronized.

Before configuring and enabling the provisioning service, you need to decide what users and/or groups in Microsoft Entra ID represent the users who need access to your ThousandEyes app. Once decided, you can assign these users to your ThousandEyes app by following the instructions here:

Assign a user or group to an enterprise app

Important tips for assigning users to ThousandEyes

  • It's recommended that a single Microsoft Entra user is assigned to ThousandEyes to test the provisioning configuration. More users and/or groups may be assigned later.

  • When assigning a user to ThousandEyes, you must select either the User role, or another valid application-specific role (if available) in the assignment dialog. The Default Access role doesn't work for provisioning, and these users are skipped.

Step 2: Configure user provisioning to ThousandEyes

This section guides you through connecting your Microsoft Entra ID to ThousandEyes's user account provisioning API, and configuring the provisioning service to create, update, and disable assigned user accounts in ThousandEyes based on user and group assignment in Microsoft Entra ID.

Tip

You may also choose to enable SAML-based single sign-on for ThousandEyes, following the instructions provided in the Azure portal. Single sign-on can be configured independently of automatic provisioning, though these two features complement each other.

Configure automatic user account provisioning to ThousandEyes in Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

  2. Browse to Entra ID > Enterprise apps

    Screenshot of Enterprise applications blade.

  3. If you have already configured ThousandEyes for single sign-on, search for your instance of ThousandEyes using the search field. Otherwise, select Add and search for ThousandEyes in the application gallery. Select ThousandEyes from the search results, and add it to your list of applications.

    Screenshot of ThousandEyes link in the Applications list.

  4. Select your instance of ThousandEyes, then select the Provisioning tab.

    Screenshot of Provisioning tab.

  5. Select + New configuration.

    Screenshot of New configuration.

  6. Under the Admin Credentials section, enter the OAuth Bearer Token generated by your ThousandEyes's account (you can find and generate a token under your ThousandEyes account Profile section).

    Screenshot shows where to find the Account Settings link for the Current Account Group.

  7. Select Test Connection to ensure Microsoft Entra ID can connect to your ThousandEyes app. If the connection fails, ensure your ThousandEyes account has Admin permissions and try step 5 again.

  8. Select Create to create your configuration.

  9. Select Properties on the Overview page.

  10. Select the Edit icon to edit the properties. Enable notification emails and provide an email to receive quarantine notifications. Enable Accidental deletions prevention. Select Apply to save the changes.

    Screenshot of Provisioning properties.

  11. Select Attribute Mapping in the left panel and select users.

  12. Review the user attributes that are synchronized from Microsoft Entra ID to ThousandEyes in the Attribute-Mapping section. The attributes selected as Matching properties are used to match the user accounts in ThousandEyes for update operations. If you choose to change the matching target attribute, you need to ensure that the ThousandEyes API supports filtering users based on that attribute. Select the Save button to commit any changes.

    Attribute Type Supported for filtering
    externalId String
    userName String
    active Boolean
    displayName String
    emails[type eq "work"].value String
    name.formatted String

  13. To configure scoping filters, refer to the instructions provided in the Scoping filter article.

  14. Use on-demand provisioning to validate sync with a small number of users before deploying more broadly in your organization.

  15. When you're ready to provision, select Start Provisioning from the Overview page.

Step 6: Monitor your deployment

Once you've configured provisioning, use the following resources to monitor your deployment:

  1. Use the provisioning logs to determine which users have been provisioned successfully or unsuccessfully
  2. Check the progress bar to see the status of the provisioning cycle and how close it's to completion
  3. If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states here.

Additional resources

Related content

Learn how to review logs and get reports on provisioning activity

  • Last updated on