Provisioning Users from Microsoft Entra ID (Azure AD) into CloudLink

CloudLink supports automatic provisioning of users from Microsoft Entra ID (Azure AD) into the CloudLink database. For this, the user data in this directory is synchronized with the CloudLink database using System for Cross-domain Identity Management (SCIM). This enables a Mitel Partner or an Account Admin to manage the users and application services in Entra ID and have them provisioned into the CloudLink database, which minimizes data entry and administration tasks.

Best practice:

If you use SCIM to provision users from Microsoft Entra ID (Azure AD) into CloudLink, manage all user additions, updates, and deletions in Entra ID. This keeps data in sync, reduces manual work, and helps prevent errors.

Note: For MiVoice Office 400, Mitel recommends the Microsoft Entra ID (Azure AD) integration to be configured through Mitel Open Interface Platform (OIP) as this method is used as a directory integration rather than the user creation. This allows all PBX users access to all the imported contacts, provided PBX extended search is enabled in the Contacts (Web client) or Contacts (Mobile client). For more details about AD integration using Mitel OIP, see Mitel Open Interfaces Platform - System Manual

Prerequisites

To configure provisioning of users from Entra ID into CloudLink, the Mitel Partner or Account Admin:

  • Requires:

    • An Entra ID subscription

    • A Mitel CloudLink account.

  • The user ID, email address, mobile number, phone number, extension number, and login ID, must be unique while importing users from Entra ID into CloudLink.

In this document, it is assumed:

  • The Entra ID environment and Azure accounts setup are available.
  • The administrator has a good understanding of cloud technologies, especially, Microsoft Azure.
  • The Azure integration with CloudLink is approved by the customer’s IT or equivalent department.
  • The connectivity between Azure and the customer premises is active and it supports real time applications, for example, the connectivity must have low latency.
  • The HTTPS and SIP/TLS protocols (highly recommended) are used in the Azure setup.
  • The NTP and DNS servers are configured and accessible from Azure, so Mitel Administration can access these servers during the provisioning.

Adding Entra ID Sync integration to a customer account

Provisioning users from Entra ID into a customer account in Mitel Administration requires Entra ID Sync integration to be added to that customer account in Mitel Administration. A Mitel Partner or an Account Admin can add Entra ID Sync integration to a customer account by using the following procedure:

  1. Navigate to the Account Information page of the customer account.
  2. In the Integrations section, click + Add new.


    A pop-up screen displays the Integrations panel.

    Note: A Mitel Partner cannot enable integrations in the Partner Account because integration with other applications is not supported for Partner Accounts. To integrate CloudLink with other applications, a Partner must create a customer account and enable integrations in that account. Mitel recommends that you disable any existing integrations in the Partner Account to avail the full functionality of CloudLink features. For more information about Partner Accounts, see Log in as a Mitel Partner.
  3. Click the 3rd party tab. A list of third-party applications supported by CloudLink is displayed. Click the Add button associated with Entra ID Sync (Azure AD sync), and click Done.


    The Entra ID Sync (Azure AD sync) integration is added to the customer account and is displayed in the Integrations section of the Account Information page.



Provisioning Users from Entra ID into CloudLink using SCIM

Provisioning users from the Entra ID to the CloudLink database using SCIM involves the following tasks:

  1. Creating a SCIM application in Entra ID — create a SCIM application to enable user provisioning.
  2. Adding users to the SCIM application — add users to the SCIM application.
  3. Configuring the SCIM application — configure the SCIM settings on the application side.
  4. Testing the Connection — verify that the configuration works.
  5. Managing the attribute mappings — review and customize the attribute mappings that will be synchronized with the CloudLink database during provisioning.
  6. Start Provisioning — start provisioning users to the CloudLink database.

Creating a SCIM application in Entra ID

To create a SCIM application:

  1. In the Azure portal, on the left navigation panel, click Micrsoft Entra ID. The Micrsoft Entra ID panel opens.

  2. In the Micrsoft Entra ID panel, select Enterprise applications. The All applications page opens, displaying a list of applications in your Entra ID tenant.


  3. Click New application. The Browse Microsoft Entra Gallery page opens.


  4. Click + create your own application.


  5. Type the name for your application (for example, Mitel CloudLink), and click Add.


    The application will be added, and will be displayed in the All applications page.

Adding users to the SCIM application

This section describes how to add users in the Microsoft Entra ID (Azure AD) to the SCIM application to be provisioned to CloudLink.

  1. Access the Users and groups page in the Azure portal, by doing the following:
    1. Navigate to Microsoft Entra ID (Azure AD) > Enterprise applications, and select your application from the list. The application’s Overview page opens.
    2. Under the Manage section, select Users and groups.


  2. In the Users and groups page that opens, click + Add user/group. The Add Assignment page opens.

  3. Click the Users and groups None Selected option. The Users and groups panel opens. From the list in the Users and groups panel, click the users you want to add to the SCIM application, and click Select to select these users. The selected users are listed under Selected items.


  4. Click Assign to add these users to the SCIM application.


    These users will be displayed in the Users and groups page.



Configuring the SCIM application

This section describes how to configure the SCIM application in Entra ID with the parameters supplied in Mitel Administration to establish connection between the SCIM application and the CloudLink Platform.

To configure the SCIM application, it is recommended that you open the Azure portal and Mitel Administration side-by-side as you will need to copy some values from Mitel Administration to the Azure portal.

  1. To access the Provisioning page in the Azure portal:
    1. Navigate to Microsoft Entra ID > Enterprise applications, and select your application from the list. The application’s Overview page opens.
    2. Under the Manage section, select Provisioning.


  2. In the Provisioning page, select Provisioning Mode as Automatic from the drop-down menu.


    The Admin Credentials section is displayed.



  3. Provide theTenant URL and the Secret Token. You can generate the URL and the token from the Mitel Administration:
    1. From the Integrations section, click the Complete setup button associated with Entra ID Sync. The Entra ID Sync (Azure AD sync) configuration dialog box opens.


    2. Click Generate keys. The Tenant URL and the Secret Token are generated. Click Copy and paste these values in the respective fields in the Entra ID portal.


      Note: Every time Generate keys is clicked, any URL and token from a previous synchronization becomes invalid and the SCIM application must be reconfigured with new ones.

Testing the Connection

This section describes how to verify whether the configuration works, and to check whether the connection between the SCIM application and CloudLink is successful.

  1. In the Provisioning page, within the Manage > Connectivity (Preview) section, click Test Connection. The SCIM application attempts to connect to CloudLink.

    If the connection is successful, the following message is displayed.



    If the connection fails, the following error message is displayed. Rectify the error and test the connection again.



  2. If the connection is successful, click Save to save the admin credentials for user provisioning. Clicking Discard will cancel the changes.

Managing the attribute mappings

This section describes how to customize the default attribute mappings in the SCIM application that define which user properties are provisioned from Entra ID to the CloudLink database. You can change or delete the current attribute-mappings, or create new attribute-mappings. To do this:

  1. In the Provisioning page, Mapping section.

    • Disable Groups mapping: You must disable the provisioning of group objects between the Entra ID and the CloudLink database. This is required because CloudLink database does not support provisioning group objects. To do this:
      1. Click Provision Microsoft Entra ID Groups.

      2. In the Attribute Mapping page that opens, disable the Enabled option by clicking No. Click Save to save the changes.
        Note: By default, the Enabled option will be set to Yes.
    • Customize attributes : You must customize the attributes to be provisioned between Entra ID and the CloudLink database. To do this:
      1. Click Provision Microsoft Entra ID Users.

        The Attribute Mapping page opens, displaying the list of default attributes in Entra ID.

      2. You can choose to retain the default attribute mappings to be provisioned to the CloudLink database. You can also add new attribute mappings by clicking Add New Mapping. To delete a default attribute mapping, click the Delete option associated with the attribute.

        You must ensure that the following conditions are met when you review the attributes to be provisioned between Entra ID and the CloudLink database.

        • The following attributes listed under customappsso Attribute are mandatory and must not be deleted.
          • userName
          • one among displayName, name.givenName, or name.familyName
          • emails[type eq "work"].value
        • CloudLink requires valid users to have an email address. To facilitate this requirement during provisioning, you must make sure that the attribute type emails[type eq "work"].value under customappsso Attribute is mapped to the attribute type under Microsoft Entra ID that contains the user’s email address in Azure directory.
        • In addition to the mandatory attributes mentioned above, CloudLink supports the following attributes listed under customappsso Attribute. You must select only the following attributes.
          • active
          • externalId
          • emails[type eq "other"].value
          • phoneNumbers[type eq "mobile"].value
          • phoneNumbers[type eq "work"].value
          • phoneNumbers[type eq "other"].value
          • roles[primary eq "True"].value
          • addresses[type eq "work"].streetAddress
          • addresses[type eq "work"].locality
          • addresses[type eq "work"].region
          • addresses[type eq "work"].postalCode
          • addresses[type eq "work"].country
            Note: Only "work" address attributes listed above are supported for use in MiCollab. These address fields are not displayed in Mitel Administration.
          Note:
          • In Entra ID, if you clear or leave blank any of the user details fields that is mapped to an attribute, the field will not be provisioned because Entra ID provisioning service does not support provisioning null values. For more information about attribute mapping properties, see Azure documentation.
          • If you remove any attribute mapping in the Entra ID after you start provisioning, the modification will not be updated in the CloudLink database automatically.

          • The Phone numbers must be in E164 format.

      3. After you customize the necessary attribute mappings, click Save to save the changes. Clicking Discard will cancel the changes.

Start Provisioning

After you define the attributes, you must initiate the provisioning. To do this:

  1. Access the Provisioning page in the Azure portal:
    1. Navigate to Micrsoft Entra ID > Enterprise applications, and select your application from the list. The application’s Overview page opens.
    2. Select Provisioning.

  2. Click Start provisioning.


    The Entra ID provisioning service runs an initial provisioning cycle. After the cycle is complete, the status of the cycle will be displayed as shown in the following screenshot.



    The Current cycle status shows the completion status. This section also displays the number of users provisioned.

    The initial provisioning cycle is followed by periodic incremental cycles. The incremental cycles happen every 40 minutes. For more information about provisioning cycles, see the Azure documentation.

    Note: If errors occur during a provisioning cycle, the synchronization is retried in the next cycle. If the errors continue to occur, then the retries will occur at a reduced frequency, that is, the frequency of scheduled provisioning will decrease. For more information, see the Azure documentation.

After the initial cycle is completed, you have the following options to manage the provisioning:

  • Stop provisioning: Click this option to stop the provisioning process.
  • Restart provisioning: Click this option to trigger the provisioning run manually without waiting for the next scheduled run.
  • Edit provisioning: Click this option to edit the current configuration or to customize the attribute mappings.
  • Provision on demand: Click this option to provision any changes to a single user. This is done manually. You can also use this option to validate and verify that the changes made to the configuration were applied properly and are being correctly synchronized with the CloudLink database.

Deleting a User with Phone Conflict

This feature allows administrators to search for users with phone number conflicts and delete them, including both active and inactive users.

  1. Navigate to the Users page.
    Note: For accounts with AD Sync integration, a link—'Click here if you have an AD Sync phone number conflict'—appears at the top of the Users page.


  2. Select the Click here if you have an AD Sync phone number conflict link.

    The Phone Number Conflict Search dialog box appears.



  3. Enter the phone number in the search box.
  4. Click Search.

    The user appears at the bottom of the search box.



  5. Verify the user.
  6. Click Delete to remove the user.
Parent topic: Integrating Third Party Applications with Mitel Administration