Azure Active Directory Integration (SCIM)

What does the integration do in Leapsome?

Setting up the integration

Optional settings

Frequently asked questions

What does the integration do in Leapsome?

Once set up, our integration with Azure Active Directory (Azure AD) allows you to automate the user management and/or to use Single Sign-On in Leapsome:

• Create new users in Leapsome
  When the next sync runs the following users and teams (groups) are added to Leapsome:

  • Users that were added to the application
  • User that were added to a Group that already was added to the application
  • Users that are part of a new group that was added to the application (sub-group users are not considered)

• Update users
  Changes you make to a user in Azure AD will automatically be reflected in Leapsome within 40 minutes

• Deactivate and reactivate users
  Leapsome will automatically deactivate users, whose status is not active in Azure AD or re-activate them if they had been deactivated before

• Create teams
  Leapsome will create new teams for every group in Azure AD, that has not yet been set up manually in Leapsome

• Assign users to teams
  Leapsome will automatically assign users to teams, based on the groups a user belongs to in Azure AD

• Create levels and assign users to them (optional)
  If you include your Azure AD level information in the synchronization, these levels will automatically be created in Leapsome and assigned to the respective users

• Enable Single Sign-On (SSO)
  Learn more about this in this article

Importantly, Azure AD will be treated as the source of truth: Any changes you make in Active Directory will be reflected in Leapsome, even if that means overriding changes made in Leapsome. Leapsome will not make any changes in Active Directory data. Please note, that even with the active integration, you can still add additional teams manually in Leapsome. These teams will not be overwritten by the integration.

Just a note: If you already created teams manually in Leapsome before switching on the integration, please make sure that the teams you have in Leapsome are spelled exactly like in your HRIS (take into account spaces, commas, etc). Otherwise, the integration may add duplicate teams with a slightly different spelling to Leapsome.

Which attributes can be synchronized?

When setting up the integration, you can choose which attributes should be synchronized with Leapsome. This table shows you, how attributes in Azure AD will be reflected in Leapsome and give you an overview of the mandatory and optional fields.

Information from Azure AD, that can be synchronized using the integration include:

• First Name
• Last Name
• Position/Job title
• Department (reflected as a team in Leapsome)
• Manager
• Level
• Division (reflected as a team in Leapsome)
• Cost center (reflected as a team or custom attribute in Leapsome)
• Location
• Gender
• Start Date
• End Date
• Birthday
• Photo
• Custom attributes (reflected as custom attributes in Leapsome)

In addition, Leapsome will create a team for each group, that the user is a member of. 

Important notes on attributes

Provisioning the User Status with "IsSoftDeleted"-Attribute

The attribute IsSoftDeleted will determine whether a user in Azure AD is active or not. In consequence, the user will be (de-) activated in Leapsome. IsSoftDeleted is often part of the default mappings for an application. It is not recommended to remove the IsSoftDeleted attribute from your attribute mappings. IsSoftdeleted can be true in one of four scenarios:

• the user is out of scope due to being unassigned from the application
• the user is out of scope due to not meeting a scoping filter
• the user has been soft deleted in Azure AD
• the property AccountEnabled is set to false on the user

Once one of these cases occurs, the respective User will be treated as "active=false", and in consequence, Leapsome will deactivate this user's account.

Provisioning of Null attributes

Azure AD currently can't provision null attributes. If an attribute is null on the user object, it will be skipped. If you for example used to provision the Manager via the integration, but now delete the manager information in Azure AD, the Manager value becomes a null attribute. This will then not be included in the next synchronization, which implies that the old manager information will remain in Leapsome and has to be removed manually in Leapsome.

Setting up the integration

Before you get started

• Please make sure that the person setting up the integration has Admin rights in Leapsome as well as the "Global Administrator" role in Azure AD. You can give Leapsome Admin rights to the person helping you with the setup by editing their platform role in the 'Users & Teams' section
• User provisioning through SCIM 2.0 is only available through the hosted AD version called Azure Active Directory. If you are currently using an on-premise Active Directory solution it will need to first be configured to sync its data to Azure Active Directory using Azure AD Connect, as described in this article.
• To integrate with Leapsome, you will have to set up a new application in Azure AD. There already is a gallery app called 'Leapsome' available in Azure AD. Please do not use the gallery app, as it does not support the advanced customizations that may be needed for your use case, like the expanded configuration possibilities with attribute mappings for example
• If you want to synchronize custom attributes from Azure AD with Leapsome, please make sure to create a corresponding custom attribute in Leapsome first, as you will need this attributes' ID to set up the synchronization

Create new application

• In your Azure Active Directory, go to 'Enterprise Applications'
• Select 'New application'
• Choose 'Non-gallery application' / 'Create your own application'
• You will be asked for a name, write 'Leapsome'
• Below the name select 'Integrate any other application you don't find in the gallery (Non-gallery)' as the reason for this custom application
• Click 'Create'
• The Leapsome application, that you just created can now be used for both user provisioning and Single Sign-On (SSO).

Configure User Provisioning

• Go to the 'Provisioning' tab in your new application
• Click 'Get Started'
• From the 'Provisioning mode' dropdown, select 'Automatic provisioning'
• For the tenant URL, enter "https://www.leapsome.com/api/scim"
• To obtain your secret token, enter your Leapsome administrator account, go to your 'Settings' > 'Integrations', select 'HRIS Integrations', then choose the 'SCIM API' tab, and click 'Update & Synchronize'. Now a SCIM Authentication Token should be displayed in Leapsome.
• Enter your new secret token on the Active Directory Application page and click 'Test connection'; a success message should appear.
• Click 'Save' at the top of your screen.

Configure Mapping

• In the Provisioning Tab in Azure AD, click on 'Edit Attribute mappings'

1. Configure Group Mapping

• On the next page's 'Mappings' section, click on 'Provision Azure Active Directory Groups'

• Adjust your Group mappings so that the result matches the following screenshot (this should be set by default, any other mappings should be deleted):

  

• Save your changes

2. Configure User Mapping

• Similarly, in the 'Mappings' section, click on 'Provision Azure Active Directory Users'
• Adjust your User mappings so that the result matches this table. Any other mappings should be deleted.
  
  • Please make sure to include all attributes marked as 'mandatory' to your mapping
  • If desired, you can also include more (custom) attributes to the mapping. Read more about this in the 'Optional Settings' section of this article
  • If you cannot select a target attribute as shown in the table, you'll need to edit the attribute list for your application
    • Below the mapping table in Azure click on 'Show advanced options'
    • Then, click on 'Edit attribute list for customappsso' to create the Leapsome attributes you want to use in your mapping
• Save your changes

Assigning users and groups

• Go to the 'Users and groups' tabs
• Add all users/groups that should be present on Leapsome
• 'Groups' will appear as 'Teams' on Leapsome
• AD users and AD group members will be created as users on Leapsome
  (for security groups only, no nested groups)

Provisioning status

• In Azure AD, make sure that within 'Provisioning' > 'Settings', the scope is set to 'Sync only assigned users and groups' to prevent all of your users in Azure AD from syncing with Leapsome.
• Switch Provisioning status to 'On'
• Save your changes 

Finalize the synchronization

For the initial user provisioning, 2 forced syncs are recommended: the first sync will create the users and the second sync will update the reporting lines.

That's it - you're all set. Please get in touch with our support team if you have any questions!

Optional settings

Automatically Invite Users

In the integration settings in Leapsome, if you check the box 'Automatically send Leapsome invite emails to provisioned employees', if you want users to be notified via email, right after the integration has created an account for them in Leapsome. If you don't check this box, you can invite your users at a later point in time by visiting the 'Users & Teams' Tab and clicking on 'Actions' > 'Send Invites'.

Synchronizing Custom Attributes

Aside from the attributes listed in the attribute mapping overview as 'mandatory', you are free to also include custom attributes to the synchronization. To do this, you have to first set up the corresponding attribute in Leapsome.

• Go to 'Users & Teams' and click on 'Custom Attributes'. In the Pop-up window, you can configure the custom attribute according to your needs and can also define which format its values can have.
• Once you've set up your attribute and click on 'edit', you can see the attribute's SCIM ID. This will be needed for your mapping in Azure AD
  
• In Azure AD, add this attribute to your mapping by selecting a source value from your AD and entering the corresponding value from Leapsome.
• This will always have the form of a prefix + the SCIM ID of the attribute: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.YOUR_CUSTOM_ATTRIBUTE_ID

Exclude users from being synchronized

If you want to exclude certain groups of people from the synchronization, this can be done in Azure AD by editing the Users & Groups assigned to the enterprise application or through additional scoping filters.

Frequently asked questions

What will happen with existing teams that I have manually set up in Leapsome?

Teams from Azure AD will be added to your manually created teams. Once the synchronization is up and running, Azure AD will automatically update team memberships for teams initially set up through AD.

I have some users with two accounts in Leapsome, why is that?

Most likely, the external ID is not part of the synchronization and you have changed the email address in Azure AD. If no external ID is provisioned, Leapsome will identify users by their email address. If this email now changes, Leapsome will treat this new email as a new user and create an account for them. Adding the "externalID" attribute to your mapping in AzureAD will prevent this.

Can I delete users in Leapsome through the integration?

No, users can only be deactivated automatically. To delete a user, you have to do this manually in the 'Users & Teams' section of Leapsome

Can I edit the synchronization frequency?

The synchronization frequency is fixed. It will run approximately every 40 minutes.

I cannot find the attributes listed as 'target attributes' in Azure AD. How can I add them to my view?

In some cases, the target attributes that will be used for the attribute mapping are not showing as an option by default. In these cases, you have to set them up first, before using them in the mapping. The section 'Configure Mapping' > '2. Configure User Mapping' describes how to do that.

It seems like the 'manager' attribute cannot be updated. How can I fix this?

If you are setting up the integration for the first time, you may need to perform two full synchronization runs, in order for the manager to show up in Leapsome. The first run will create the user profiles, and the second one will create the reporting lines.

Please also note, that managers will only be assigned, if that manager's profile has already been created in Leapsome. Please check if the managers that are missing in Leapsome are in scope for provisioning.

Which 'Email' should be used for the user mapping?

We recommend using the userPrincipalName attribute, but hypothetically also all other filelds that contain an email adress can work. If you want to use SSO or integrations (Teams, Slack or Outlook), please make sure the email you use is the same one used in the other platforms, so that we can match accounts using this address.

How can I prevent Leapsome from creating a team from each group I assign to the App in Azure AD?

Once you assign users to the Leapsome App in Azure AD, Leapsome will read the group memberships of these users and create 'teams' for each of the groups. However, there may be groups that are only used for administrative purposes (e.g. 'Leapsome Pilot', 'Leapsome Test Group', etc.). To prevent these groups from being shown as teams, just set up a scoping filter to exclude the group name from being submitted to Leapsome.
Such a scoping filter can be defined as e.g. 'objectId‘ NOT EQUALS <objectId of the group which you don’t want to appear as a team in Leapsome>. Learn more about scoping filters here.

I want to synchronize photos from Azure AD with Leapsome. How does the photos attribute need to be formatted?

To synchronize photos from Azure with Leapsome, we require a string containing the full URL to the user's picture (including prefixes such as 'https://'). 

Is there additional support available?

Yes! Have a look at this Microsoft support article or get in touch with our support team via the green 'Help' button if you need any help. In case some attributes are not syncing correctly, please share a screenshot of your user mapping as well as the logs of a 'Provisioning on demand' run with our support team.