This article provides a comprehensive guide on how to integrate CybSafe with Microsoft Entra ID for automated user provisioning.
By configuring this integration, Microsoft Entra ID can automatically provision and de-provision users and groups to CybSafe using its provisioning service, streamlining identity management and ensuring your CybSafe user base is always up-to-date.
For important details on what this service does, how it works, and frequently asked questions, see Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra.
⚠️ When automatic user provisioning is active, all user management should be performed in Microsoft Entra.
Any changes made within the CybSafe platform can be reverted when your provisioning sync next runs.
Capabilities supported
Create Users: Users created in Microsoft Entra ID can be automatically provisioned to CybSafe.
Any deactivated users will be reactivated.
Update User Profiles: Changes to user attributes (e.g., display name, email address) in Microsoft Entra ID are automatically synchronised to CybSafe.
Deactivate Users: When a user is disabled or removed from the synced group in Microsoft Entra ID, their account in CybSafe will be automatically deactivated.
Provision Groups: Group memberships can be synchronised and used to control your CybSafe user base.
Prerequisites
Before you begin, ensure you have the following:
Microsoft Entra ID Premium P1 or P2 license: SCIM provisioning capabilities require a premium Entra ID license.
Administrator access to Microsoft Entra ID: You'll need permissions to add and configure enterprise applications.
Administrator access to CybSafe: You'll need access to CybSafe's settings to obtain the necessary SCIM token.
Planning your provisioning deployment
Consider the following points as part of your deployment plan:
Learn about how the provisioning service works.
What is your provisioning scope? Determine which users and groups you want to provision to CybSafe. Will it be all users, specific groups, or only users or groups assigned to the CybSafe enterprise application?
Usually a specific Entra group is used and the members of this group are assigned to the CybSafe app for provisioning.
You can further restrict the users who are provisioned by using scoping filters against specific attribute mappings.
Attribute Mapping: Understand how user and group attributes in Microsoft Entra ID correspond to attributes in CybSafe. This is crucial for accurate data synchronisation.
Start by thinking about how you want to report on your users and how you'll assign content to them.
By syncing specific user details from Entra to CybSafe attributes Department, Division, and Organisation, you'll automatically create corresponding groups within CybSafe.
You can then use these groups to:
Filter your reports, giving you targeted insights.
Assign content or phishing campaigns to specific sets of users, making your security training more relevant.
Data Consistency: Ensure that the unique identifier for users (e.g., userPrincipalName, email or mail) is consistent across both systems to prevent duplicate accounts. Ensure you map the same attribute within your SSO configuration to avoid duplicate users.
Setup
CybSafe recommendations and good to know
Define your reporting or content assignment requirements and map these user profile attributes to our target attributes Department, Division and Organisation. Only these three root folders show in our dashboards and CSV exports.
Create an Entra group and add to it the users who require access to CybSafe. Removing users from this group will de-provision them. Do not use an existing group that controls other permissions within your organisation, as you may not be able to remove users from the group without impacting other services.
Ensure the addition to or removal from the above group is part of your joiner, mover, leaver (JML) process.
Start with a small user set added to your group until you are comfortable that the correct attributes are being used.
If you hit your licence limit, your provisioning service will continue to create new users, but in a deactivated state on the CybSafe platform. Once you expand your licence limit, you will need to manually activate these profiles on CybSafe.
Step 1. Add CybSafe from the Entra application gallery
Add CybSafe from the Entra application gallery to start managing provisioning to CybSafe.
Click ➕ New Application.
Search for CybSafe and install the App.
If you have previously set up your SSO integration with CybSafe using Entra, our app will already be installed. Simply search for our app in your list of installed apps.
Learn more about adding an application from the gallery here.
Step 2. Configure the CybSafe Enterprise application for provisioning.
Add the admin credentials
Navigate to the Provisioning tab.
Click Get started and set the Provisioning mode to "Automatic".
Add the Tenant URL for CybSafe: https://app.cybsafe.com/scim/v2/
Ensure you keep the trailing slash on the URL.
Generate a provisioning token from our User provisioning tab under the Identity management menu.
Add the token to the Secret token field in the app.
NB: This token can only be used with one CybSafe Entra app.
The final step here is to click Test connection to ensure you have not made a mistake adding the credentials.
If you encounter an error:
Ensure your CybSafe account has Admin permissions and try again.
Ensure you have not added a space before or after the Tenant URL.
Ensure that you have not incorrectly copied the SCIM token from the CybSafe platform.
Configure your attribute mappings
Navigate to the Mappings section of the Provisioning App.
Click on "Provision Azure Active Directory Users"
Set the attributes to ensure you provide the relevant information to CybSafe.
User attributes will populate their CybSafe profile and enrich your group management and reporting capabilities.
For a list of supported attributes see our Supported SCIM Attributes section.
Configure your Settings
Under the settings select Sync only assigned users and groups.
You can also choose to:
Send a notification to an internal team when a failure occurs
Prevent accidental deletion
Assign your user group to the CybSafe App
Navigate to the Users and groups menu within the App and add the group you created to provision users to CybSafe.
When adding the group or an individual user, ensure the "Role" is set to "User"; this is the only role we can accept.
We currently do not support setting user permissions from an automated provisioning sync. A user's permissions for CybSafe can only be set from within the CybSafe platform.
As part of your initial deployment we recommend limiting the membership of this group to ensure you are happy with your configuration.
When you are ready to deploy to your entire organisation you can simply add the users as members to the group at this point.
If you wish to use scoping filters rather than a group, see the section on using scoping filters instead of an Entra group for the changes to the setup.
Turn on your Provisioning sync.
Navigate back to the Provisioning menu and change provisioning Status to on.
This will start your provisioning sync. Only action this step once you are happy with your configuration.
The initial synchronization cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Entra provisioning service is running.
Monitor your deployment
Once you've configured provisioning, use the following resources to monitor your deployment:
Use the provisioning logs to determine which users have been provisioned successfully or unsuccessfully
Check the progress bar to see the status of the provisioning cycle and how close it is to completion
If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states here.
Go to the Identity Management section in the CybSafe platform and view the SCIM Token section, where you can observe the "Last SCIM Request" and "Last SCIM Change" date and time.
Note: You can assign someone via Entra who is already in the CybSafe platform. If the email addresses are identical, we will sync the profiles.
If the email addresses do not match, a second identity will be created.
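The note above and the earlier Data Consistency point come down to one check: will the identifier Entra sends line up with an existing CybSafe profile and with the attribute used for SSO? The following is an added example, not CybSafe or Microsoft code; the function name, the input shapes (an exported Entra user list and a list of existing CybSafe email addresses) and the treatment of case-only differences as a review item are assumptions.

```python
# Added example: flag Entra users whose identifier would not line up with an
# existing CybSafe profile or with the attribute used for SSO.
def duplicate_risks(entra_users, existing_emails,
                    scim_attr="mail", sso_attr="userPrincipalName"):
    """Return (userPrincipalName, reason) pairs to review before syncing.

    scim_attr / sso_attr: Entra source attributes mapped to the user
    identifier in the provisioning app and in the SSO configuration.
    """
    existing = set(existing_emails)
    existing_folded = {e.casefold() for e in existing_emails}
    risks = []
    for user in entra_users:
        upn = user.get("userPrincipalName")
        scim_id = (user.get(scim_attr) or "").strip()
        sso_id = (user.get(sso_attr) or "").strip()
        others = {user.get("mail"), upn} - {scim_id, None}
        if not scim_id:
            risks.append((upn, "no value for the SCIM identifier"))
        elif scim_id != sso_id:
            risks.append((upn, "SSO and SCIM identifiers differ"))
        elif scim_id in existing:
            continue  # identical address: the profiles are synced
        elif scim_id.casefold() in existing_folded:
            # Assumption: matching may be case-sensitive, so flag for review.
            risks.append((upn, "differs from existing profile only by case"))
        elif others & existing:
            risks.append((upn, "existing profile uses a different address"))
    return risks

# Constructed sample data (not real accounts).
ENTRA_EXPORT = [
    {"userPrincipalName": "a.lee@example.com", "mail": "a.lee@example.com"},
    {"userPrincipalName": "b.khan@corp.example.com", "mail": "b.khan@example.com"},
    {"userPrincipalName": "C.Diaz@example.com", "mail": "C.Diaz@example.com"},
    {"userPrincipalName": "svc-backup@example.com", "mail": None},
]
CYBSAFE_EMAILS = ["a.lee@example.com", "c.diaz@example.com", "b.khan@corp.example.com"]

if __name__ == "__main__":
    for upn, reason in duplicate_risks(ENTRA_EXPORT, CYBSAFE_EMAILS):
        print(f"{upn}: {reason}")
```

Run it with the same attribute for `scim_attr` and `sso_attr` once both configurations are aligned; any remaining rows are profiles that would be created as a second identity.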
Supported SCIM attributes
| Minimum for CybSafe user | Description |
| userName | Required by SCIM, usually primary work email address |
| emails[type eq "work"].value | Work email address marked as primary |
| givenName | First name |
| familyName | Last name |
| addresses[type eq "work"].country | At least 1 address with only country subfield |
| preferredLanguage | Language tag used for email communications, as defined per RFC 5646 (options below) |

| Option | Description |
| en_gb | English (U.K.) |
| en | International English |
| en-us | English (US) |
| nl | Dutch |
| ar | Arabic |
| es | Spanish (Latam) |
| es-ES | Spanish (Spain) |
| fr | French |
| de | German |
| it | Italian |
| pl | Polish |
| pt-BR | Portuguese (Brazil) |
| tr-TR | Turkish |
| ru | Russian |
| ja-JP | Japanese |
| zh-CN | Simplified Chinese |
| zh-HK | Traditional Chinese |
| ko-KR | Korean |

| Optional but recommended | Description |
| active | Must be true (or user will be provisioned but archived) |
| phoneNumbers[type eq "mobile"].value | Optional |
| locale | Optional, default location for purposes of localizing |
| department | Optional, for filtering in dashboards |
| division | Optional, for filtering in dashboards |
| organization | Optional, for filtering in dashboards |
| title | Optional, not used |
| nickName | Optional, used in CybSafe API as an alternative user identifying attribute |
| timezone | Not currently used |

We have three root folders in CybSafe to map attributes to. These are called Department, Division and Organization.
These fields can be used to assign content and phishing to users and are available in your reporting to break down your users into groups.
Departments - Most customers point this to a department attribute that indicates Sales, Finance, HR, Customer Service, etc.
Division and Organisation - These can be mapped to any other useful fields, such as office location, city, or a higher-level group/department structure ("Office of the CFO", for example).
Please note: Any other attributes from your SCIM will not sync across. Only the above attributes will be captured by CybSafe. If you have attribute mappings that you wish to be synced across to Group management please ensure they are under Department, Division or Organisation. If you do have additional attributes that you need synced across, consult the guide further on in the article on How to add additional attributes to the CybSafe Gallery App Schema.
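A pre-flight check for the "Minimum for CybSafe user" attributes and the preferredLanguage options listed above, as an added example (not CybSafe or Microsoft code). It assumes the resource follows the RFC 7643 core User layout, where givenName and familyName sit under name; the function name, the exact-match comparison of language values and the sample record are this example's own.

```python
# Added example: check a SCIM 2.0 User resource against the minimum attributes.
SUPPORTED_LANGUAGES = {  # option values exactly as listed on this page
    "en_gb", "en", "en-us", "nl", "ar", "es", "es-ES", "fr", "de", "it",
    "pl", "pt-BR", "tr-TR", "ru", "ja-JP", "zh-CN", "zh-HK", "ko-KR",
}

def _typed(resource, attr, wanted_type):
    """Entries of a multi-valued attribute (emails, addresses) of one type."""
    return [e for e in resource.get(attr) or []
            if isinstance(e, dict) and e.get("type") == wanted_type]

def check_user(resource):
    """Return a list of problems; an empty list means the minimum is met."""
    problems = []
    if not resource.get("userName"):
        problems.append("userName missing")
    name = resource.get("name") or {}
    for part in ("givenName", "familyName"):
        if not name.get(part):
            problems.append(f"name.{part} missing")
    work_emails = _typed(resource, "emails", "work")
    if not any(e.get("value") for e in work_emails):
        problems.append('emails[type eq "work"].value missing')
    elif not any(e.get("primary") is True for e in work_emails):
        problems.append("work email not marked primary")
    if not any(a.get("country") for a in _typed(resource, "addresses", "work")):
        problems.append('addresses[type eq "work"].country missing')
    lang = resource.get("preferredLanguage")
    if lang not in SUPPORTED_LANGUAGES:  # exact match is an assumption
        problems.append(f"preferredLanguage {lang!r} not in supported list")
    if resource.get("active") is not True:
        problems.append("active is not true: user would be archived")
    return problems

# Constructed sample resource (not real data).
SAMPLE_OK = {
    "userName": "alex.doe@example.com",
    "name": {"givenName": "Alex", "familyName": "Doe"},
    "emails": [{"type": "work", "value": "alex.doe@example.com", "primary": True}],
    "addresses": [{"type": "work", "country": "GB"}],
    "preferredLanguage": "en_gb",
    "active": True,
}

if __name__ == "__main__":
    broken = dict(SAMPLE_OK, preferredLanguage="en-GB", active=False, addresses=[])
    print(check_user(SAMPLE_OK))
    for problem in check_user(broken):
        print("-", problem)
```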
Custom attributes that can be optionally added (via add attribute process)
| Attribute | Description | Values (if relevant) |
| externalId | Captured, not currently used in reporting | |
| employeeType | used in CybSafe API for your external reporting | |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber | [Employee Number] used in CybSafe API for your external reporting | |
| city | Captured, not currently used in reporting | |
| office | Captured, not currently used in reporting | |
| businessUnit | Captured, not currently used in reporting | |
| grade | Captured, not currently used in reporting | |
| manager | Captured, not currently used in reporting | |

Use scoping filters instead of an Entra group
If you do not wish to use an Entra group, you can use scoping filters on our attributes to sync the relevant users. To do so, you will need to make the following changes to your setup.
⚠️ This setup will sync all Entra accounts to your CybSafe account, including all service accounts, meeting rooms, printers, etc. Only use this method if you are certain that your scoping filters sync only active, legitimate users to CybSafe.
Under Settings set your Scope to sync all users and groups.
Navigate to the Mappings and select "Provision Azure Active Directory Users".
Under Source Object Scope, select "All records".
Within this menu, click on "Add new filter group". You will need to build the relevant filters against each appropriate attribute to ensure the correct users are within scope of provisioning.
Build out the filters accordingly to sync the correct users.
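Before switching the scope to all users, the effect of a filter group can be checked offline against an exported user list. This is an added example, not CybSafe or Microsoft code: it models only a few scoping-filter operator names, assumes clauses within a group are ANDed and separate groups are ORed, and uses constructed rows keyed by Microsoft Graph user property names.

```python
# Added example: simplified dry-run of scoping-filter logic over an export.
# The clause format (attribute, operator, value) is this example's own.
OPERATORS = {
    "EQUALS": lambda v, arg: v is not None and str(v) == arg,
    "IS TRUE": lambda v, arg: v is True,
    "IS FALSE": lambda v, arg: v is False,
    "IS NULL": lambda v, arg: v in (None, ""),
    "IS NOT NULL": lambda v, arg: v not in (None, ""),
}

def in_scope(user, filter_groups):
    """Clauses inside one filter group are ANDed; separate groups are ORed."""
    if not filter_groups:
        return True  # "All records" with no filter: everything is in scope
    return any(
        all(OPERATORS[op](user.get(attr), arg) for attr, op, arg in group)
        for group in filter_groups
    )

def dry_run(users, filter_groups):
    """Return (UPNs in scope, UPNs in scope that lack a name or mail)."""
    included = [u for u in users if in_scope(u, filter_groups)]
    incomplete = [u["userPrincipalName"] for u in included
                  if not (u.get("givenName") and u.get("surname") and u.get("mail"))]
    return [u["userPrincipalName"] for u in included], incomplete

def _row(upn, given, surname, mail, dept, enabled):
    return {"userPrincipalName": upn, "givenName": given, "surname": surname,
            "mail": mail, "department": dept, "accountEnabled": enabled}

# Constructed export rows; keys follow Microsoft Graph user property names.
USERS = [
    _row("a.lee@example.com", "A", "Lee", "a.lee@example.com", "Finance", True),
    _row("svc-backup@example.com", None, None, None, None, True),
    _row("room-4a@example.com", None, None, "room-4a@example.com", None, True),
    _row("left.user@example.com", "Left", "User", "left.user@example.com", "Sales", False),
]
LOOSE = [[("accountEnabled", "IS TRUE", None)]]
TIGHT = [[("accountEnabled", "IS TRUE", None), ("department", "IS NOT NULL", None)]]

if __name__ == "__main__":
    for label, groups in (("loose", LOOSE), ("tight", TIGHT)):
        scope, incomplete = dry_run(USERS, groups)
        print(label, "in scope:", scope, "| review:", incomplete)
```

In-scope accounts without a given name, surname or mail are the ones most likely to be service accounts, rooms or printers, and they would also miss CybSafe's minimum attributes.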
How to add additional attributes to the CybSafe Gallery app schema
CybSafe's Entra gallery app may not support adding custom target attributes for some customers. You may need to add additional attributes for a variety of purposes, so it is necessary to follow the steps below to ensure you can add them.
Contact our support team to ensure the target attribute is available and supported. This user data will not show in Group management or our CSVs and will only be available via our API bolt-on.
Click the following link and log in with your Microsoft administrator account: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true . This will force the ability for you to edit schemas in Azure.
Navigate to your Azure environment and the Enterprise applications page. Click on CybSafe. From here, select "Provisioning" on the left hand menu.
Click on "Edit provisioning".
Select Azure Active Directory Users.
Open the advanced options.
Click on Edit attribute list for CybSafe.
Enter in the target attribute from CybSafe. If you are unsure of what attribute to enter contact your customer success manager or [email protected]. Save it as a string, and click save.
Go back to the Attribute Mapping page. Click on Add New Mapping.
Select the target attribute you entered earlier. Then select what source attribute you would like to map it to. Then hit save.
You should see the new mapping in the attribute mapping page
Still have any questions?
If you have any questions or concerns, you can contact the team at [email protected] and we’ll be happy to answer them.