How to Configure KnowBe4 with Microsoft Entra ID (Formerly Azure Active Directory)

In this article, you’ll learn how to configure SCIM with Microsoft Entra ID (formerly Azure Active Directory). Configuring SCIM for Microsoft Entra ID will allow you to add and manage users and groups in your KSAT console using Microsoft Entra ID.

The instructions in this article are for third-party software. If you experience issues with user provisioning in Microsoft Entra ID, we recommend reaching out to Microsoft Entra for specific instructions. You can also contact our support team and we will be happy to assist you.  

Note: To sync users and groups with SCIM, you must have a Microsoft Entra subscription. For more information about syncing users and groups through Microsoft Entra, see Microsoft’s Assign users and groups to an application article.

Configuring SCIM

In this section, you’ll learn how to configure your SCIM settings with Microsoft Entra. Please note that you should configure these steps after you’ve configured your settings in your KSAT console. For more information about configuring SCIM in your KSAT console, see our SCIM Configuration Guide.

To configure your SCIM settings with Microsoft Entra, follow the steps below:

  1. Log in to your Microsoft Entra portal and navigate to Microsoft Entra ID.
  2. From the Applications drop-down menu, click Enterprise applications.
  3. Click + New application.
  4. In the search bar, enter “KnowBe4” to filter your results. 
  5. Click the KnowBe4 Security Awareness Training tile.  
  6. Then, click Create. After you click Create, you’ll be redirected to the Overview page for the application that you created. If you are not directed to the Overview page, you’ll need to open the application from the list of Enterprise applications.
  7. Select the Provisioning tab from the menu on the left side of the page.
  8. Click Get started.
  9. Click the Provisioning Mode drop-down menu, and then select Automatic.
  10. Next, you’ll need to enter the information from your Account Settings page. For more information about where you can find this information, see our SCIM Configuration Guide. In the Tenant URL field, enter the Tenant URL, and in the Secret Token field, enter the SCIM Token.
      Important: This feature does not currently work with on-demand provisioning.
  11. After you’ve entered your information, click the Test Connection button. Clicking this button will allow you to ensure that you entered the correct information. If the connection is successful, a success banner will display at the top-right corner of your screen.
  12. Click the Save button at the top of the screen.

Next, you’ll need to define which users and groups you would like Microsoft Entra ID to sync with your KSAT console.

Defining Which Users and Groups to Sync from Microsoft Entra

After completing the steps in the Configuring SCIM section above, you can decide which users and groups you would like to sync. This configuration is required in order to sync users and groups from your identity provider (IdP).

Note: The instructions in this section are for defining specific users and groups to sync. If you would like to sync all your users and groups from Microsoft Entra ID, see the Frequently Asked Questions (FAQ) section of this article.

Important: Nested groups are not currently supported by SCIM and Microsoft Entra ID provisioning. For more information, see the Scoping section of Microsoft’s How Application Provisioning works in Azure Active Directory article.

To define which users and groups you would like to sync from Microsoft Entra ID, follow the steps below:

  1. From your Microsoft Entra ID, navigate to Enterprise applications.
  2. Select the application you created for your KnowBe4 connection.
  3. Click Users and groups from the menu on the left side of the page.
  4. Click Add user/group to select the users or groups that you would like to sync.
  5. Click Users and groups to search for users or groups that you would like to include in your sync. To add a user or group, click on the name of the user or group. They will now show in the Selected items category.
     Note: We recommend that you only include a few users when you first configure your settings. Starting with a few users allows you to ensure that the connection works properly before you add all the users and groups that you want to include.
  6. After you’ve added the users and groups you want to include to the Selected items category, click Select.
  7. Click Assign.

The users and groups that you selected will now display in the table.

Starting Your Sync

After you have configured SCIM and have added the users and groups that you want to sync, you’ll need to start the sync. Once you start the sync, the system will automatically check for changes to your users and groups in Microsoft Entra ID every 40 minutes and will initiate a sync if changes were made.

Note: If you have more than several thousand users in your SCIM provisioning application, it’s likely all of your users won’t be included in your initial sync. Instead, the users will be synced to your account in stages. We recommend that you keep user provisioning in Test Mode until you see only a few changes between your sync reports. Waiting until you only see a few changes helps prevent users from being archived in your KSAT console. Additionally, syncing group memberships can take longer than syncing users. If you have a larger account, you can expect to see periodic syncs in your KSAT console.

To start your sync, follow the steps below:

  1. From your Microsoft Entra ID, navigate to Enterprise applications.
  2. Select the application that you created for your KnowBe4 connection.
  3. From the menu on the left side of the page, select Provisioning.
  4. Click Start provisioning.

The sync will be initiated immediately. After your initial sync, the system will check for changes to your Microsoft Entra ID every 40 minutes and will initiate a sync if changes were made.

Important: Once you are satisfied that your users have synced correctly, you’ll need to turn off Test Mode in your KSAT Account Settings. Turning off Test Mode will allow users to be added and archived during the next sync. For more information about Test Mode, see our SCIM Configuration Guide.

To see the status of these syncs as well as any errors and additional information about your syncs, navigate to Users > Provisioning in your KSAT console.

Advanced Configuration Options

Note: Location, Phone Number, and Mobile Number fields are not configured by default. To configure these, please follow the instructions in our Update SCIM from a Legacy Version article.

By enabling SCIM, the fields in your identity provider are automatically connected to the corresponding fields in your KSAT console. If you want to change the default mapping or add custom fields, you have the option to update these fields in Microsoft Entra.

Important: Email aliases are not currently supported by SCIM provisioning.

To learn more about advanced configuration options for Microsoft Entra, see the subsections below:

Default Mappings

The default field mappings are shown below:

Supported Fields

| Default Azure Active Directory Attribute | KSAT Attribute | KSAT Field |
| --- | --- | --- |
| userPrincipalName | userName | Email |
| givenName | name.givenName | First Name |
| surname | name.familyName | Last Name |
| employeeId | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber | Employee Number |
| jobTitle | title | Job Title |
| companyName | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization | Organization |
| department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | Department |
| manager | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value | Manager Email |
| displayName from the manager’s Entra ID profile | displayName | Manager Name |
| physicalDeliveryOfficeName | addresses[type eq "work"].formatted | Location |
| telephoneNumber | phoneNumbers[type eq "work"].value | Phone Number |
| mobile | phoneNumbers[type eq "mobile"].value | Mobile Phone Number |

Note (manager): For manager information to sync, the applicable managers must be included in the sync. To add these managers to the sync, see the Defining Which Users and Groups to Sync from Microsoft Entra section above.

Note (displayName): The displayName for a user comes from their manager’s Entra ID profile. As a result, a user’s displayName will not display on their user profile in KSAT since their name is synced using other attributes. But it will display on their direct reports’ user profiles.

Note: The Division and Organization fields are unmapped by default. If you plan to use these fields, you’ll need to add the mapping. You can add these attributes by following the instructions in the Adding Attribute Mapping for Custom User Fields section below.
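
How the target paths in the default mappings expand into a SCIM 2.0 User resource, which is useful when reviewing what identity data a mapping change sends to the KSAT console. This is an added illustration, not KnowBe4 or Microsoft code: `set_path`, `build_scim_user` and the sample record are constructed for the example, the manager value is assumed to be the manager's email, and the displayName row is not modelled.

```python
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Source attribute -> target path, copied from the default mappings in this section.
DEFAULT_MAPPINGS = {
    "userPrincipalName": "userName",
    "givenName": "name.givenName",
    "surname": "name.familyName",
    "employeeId": ENTERPRISE + ":employeeNumber",
    "jobTitle": "title",
    "companyName": ENTERPRISE + ":organization",
    "department": ENTERPRISE + ":department",
    "manager": ENTERPRISE + ":manager.value",
    "physicalDeliveryOfficeName": 'addresses[type eq "work"].formatted',
    "telephoneNumber": 'phoneNumbers[type eq "work"].value',
    "mobile": 'phoneNumbers[type eq "mobile"].value',
}
TYPED = re.compile(r'^(\w+)\[type eq "(\w+)"\]\.(\w+)$')

def set_path(resource, path, value):  # write value at a SCIM target path
    node = resource
    if path.startswith(ENTERPRISE + ":"):  # extension attributes nest under the URN key
        path = path[len(ENTERPRISE) + 1:]
        node = resource.setdefault(ENTERPRISE, {})
        if ENTERPRISE not in resource["schemas"]:
            resource["schemas"].append(ENTERPRISE)
    typed = TYPED.match(path)
    if typed:  # multi-valued attribute: pick (or create) the element with this type
        attr, kind, path = typed.groups()
        items = node.setdefault(attr, [])
        node = next((i for i in items if i["type"] == kind), None)
        if node is None:
            items.append(node := {"type": kind})
    *parents, leaf = path.split(".")
    for parent in parents:  # dotted sub-attributes become nested objects
        node = node.setdefault(parent, {})
    node[leaf] = value

def build_scim_user(entra_user):
    resource = {"schemas": [CORE]}
    for source, target in DEFAULT_MAPPINGS.items():
        if entra_user.get(source):  # empty source attributes are left out
            set_path(resource, target, entra_user[source])
    return resource

# Constructed sample record (not real directory data).
SAMPLE_USER = {"userPrincipalName": "ada@example.com", "surname": "Lovelace", "employeeId": "1042",
               "manager": "grace@example.com", "telephoneNumber": "+1 555 0100", "mobile": "+1 555 0101"}
```

Calling `build_scim_user(SAMPLE_USER)` returns a dictionary that can be passed to `json.dumps` to see the resulting resource body.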

Changing the Default Mappings

You can change the default mappings to customize the user information that syncs between Microsoft Entra and your KSAT console.

To change the default mappings, follow the steps below:

  1. From your Microsoft Entra ID, navigate to Enterprise applications.
  2. Select the application you created for your KnowBe4 connection.
  3. From the menu on the left side of the page, select Provisioning.
  4. From the Provisioning window, click Edit attribute mappings under Manage provisioning.
  5. Click the Mappings drop-down arrow to expand the Mappings tab.
  6. Click Provision Azure Active Directory Users.
  7. Scroll down to the Attribute Mappings section. From this section, you’ll see a list of all the attributes that have been mapped. The Azure Active Directory Attribute column displays the name of the attribute in Microsoft Entra. The KnowBe4 Attribute column displays the SCIM standard name for this attribute. 
  8. Select the attribute you would like to edit.
  9. In the Edit Attribute side pane, customize the attribute. For details about the customization options, see the list below:
    1. Mapping type: Select Direct from the drop-down menu.
    2. Source attribute: Select the Azure field that you want to map to this custom field.
       Note: If you’re using SSO for Microsoft Entra ID, this attribute should be the same as the SSO Source attribute. By default, the SSO Source attribute is user.userprincipalname. For more information, see the Add the KnowBe4 Application to Azure AD section of our How Do I Configure SSO/SAML with Azure Active Directory (AD)? article.
    3. Default value if null: This field is optional, and we recommend that you leave it blank.
    4. Target attribute: Select the custom field that you want to map to the Azure field you selected.
    5. Match objects using this attribute: We recommend you select No.
    6. Apply this mapping: We recommend you select Always.
       Note: If there is an attribute you don’t want to sync, you can click the Delete button next to that attribute to disable syncing. This action will only remove the connection between this attribute and the corresponding field in your KSAT console. No data will be deleted from Azure.
  10. Once you have made the changes you would like to make, click Ok.
      Note: We recommend that you only change the Source attribute field. Changing the other settings on the attribute may break the connection between Microsoft Entra and your KSAT console.

Adding Attribute Mapping for Custom User Fields

You also have the option to add six custom fields. These fields are not mapped by default, but you can add them to Microsoft Entra by following the steps below:

  1. From your Microsoft Entra ID, navigate to Enterprise applications.
  2. Select the application you created for your KnowBe4 connection.
  3. From the menu on the left side of the page, select Provisioning.
  4. From the Provisioning window, select Edit attribute mappings under Manage provisioning.
  5. Click the Mappings drop-down arrow to expand the Mappings tab.
  6. Click Provision Azure Active Directory Users.
  7. Click Add New Mapping at the bottom of the table.
  8. From the Edit Attribute window, select the Source attribute you would like to use.
  9. Then, select the Target Attribute that you would like to use. We offer the following custom fields:

     | KSAT Field | Target Attribute |
     | --- | --- |
     | Custom Field 1 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField1 |
     | Custom Field 2 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField2 |
     | Custom Field 3 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField3 |
     | Custom Field 4 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField4 |
     | Custom Date 1 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customDate1 |
     | Custom Date 2 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customDate2 |
     | Division | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division |
     | Organization | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization |

  10. We recommend leaving the rest of the settings at their default settings.
  11. Repeat step 9 for all of the custom fields you added in step 8.
  12. Click Save at the top of the screen to save your changes.

These custom fields will now sync to your KSAT console.

Frequently Asked Questions (FAQs)

Below is a list of frequently asked questions about using SCIM with Microsoft Entra ID.

How often do syncs occur?

The system will check for updates to the users and groups in your Microsoft Entra ID every 40 minutes. If changes are found, a sync will begin automatically. However, you can force a sync at any time by clicking the Force Sync Now button in the SCIM Settings section of your KSAT Account Settings.

How do you restore the default mappings?

You can restore the default mapping at any time by following the steps below:

  1. Navigate to Enterprise applications.
  2. Select the application you created for your KnowBe4 connection.
  3. From the menu on the left side of the page, select Provisioning.
  4. Click Edit attribute mapping under Manage provisioning.
  5. Click the Mappings drop-down arrow to expand the Mappings drop-down menu.
  6. Select Restore default mappings.
  7. Click Save at the top of the screen.

How do I sync all my users and groups?

If you would like to sync all users and groups from your Microsoft Entra ID, follow the steps below:

  1. Navigate to the application you set up for your SCIM connection.
  2. Navigate to Provisioning.
  3. Select Edit provisioning at the top of the screen or select Add scoping filters under Manage provisioning.
  4. Click the Settings drop-down menu.
  5. From the Scope drop-down menu, select Sync all users and groups.
  6. Click Save at the top of the page.

I don’t have the ability to assign users to an application by group. How can I limit the users being synced to my KSAT console?

Answer: To limit the users being synced to your KSAT console, you can set up a scoping filter. For more information about making a scoping filter, see Microsoft’s Attribute-based application provisioning with scoping filters article.

Ref: Configure SCIM for Microsoft Entra ID – Knowledge Base (knowbe4.com)