Setting up automatic user provisioning

Last updated: 2025-05-30

To have your Microsoft Entra ID automatically provision your users to Security Center SaaS, you must prepare some information about your organization's Microsoft Entra ID setup and initiate a call with Genetec™ Technical Support.

Before you begin

You must have administrator access to your Microsoft Entra ID tenant to:
  • Consent to a new Enterprise application.
  • Create a new Enterprise application and configure user provisioning.
You must also have Microsoft Entra ID with a minimum of a P1 plan. Only one System for Cross-domain Identity Management (SCIM) connection per Security Center SaaS system is supported.
Note:
The automatic user provisioning feature is only available in the Security Center SaaS Premium Plan.

What you should know

Genetec™ end users can request that their Microsoft Entra ID be integrated with Security Center SaaS. The integration can be requested for single sign-on (SSO) only, or for SSO and automatic user provisioning using SCIM 2.0 protocols.
Automatic user provisioning optimizes the onboarding and offboarding of users with Security Center SaaS:
  • Users added to one or more selected Microsoft Entra ID user groups are automatically onboarded to Security Center SaaS.
  • Users removed from Microsoft Entra ID are automatically removed from Security Center SaaS.
Note:
Invitation emails aren’t sent to automatically provisioned users.

Procedure

  1. To prepare for the call with Genetec, send the following information at least one day in advance:
    • Email contact for the Microsoft Entra ID administrator with sufficient privileges and expertise to set up an application integration for their identity provider.
    • Domains used by the users during login. For example, for users who log in with myuser@company.com, the domain is company.com.
      Note:
      The domains are needed only for authentication, not for automatic user provisioning.
    • Security Center SaaS system name.
    • Security Center SaaS system ID. This ID can be found in the License section of the About page in Genetec™ Configuration desktop.
    • Microsoft Entra ID Tenant ID.
    • Groups to be included in the synchronization scope.
      Note:
      Only direct-group membership is supported. Group nesting and indirect user membership aren’t supported. Automatic provisioning of guest or external Entra ID users isn’t supported.
  2. In GTAC, open a support ticket for SSO or SCIM, and include the information prepared earlier.
    1. The integrator typically initiates this ticket.
    2. Genetec verifies the information included in the ticket.
    3. Genetec schedules a call with the IT administrator to configure the Microsoft Entra ID automatic user provisioning together.
  3. Attend the setup call with Genetec to configure automatic user provisioning.
    Genetec provides help during the setup call to configure Provisioning settings in a new Microsoft Entra ID Enterprise application. The following parameters will be configured:
    • SCIM connection information.
    • Users and Groups attributes mapping required by Security Center SaaS.
  4. Define the scope of the automatic user provisioning by adding the required user groups to your Microsoft Entra ID Enterprise application.
    Best Practice:
    Only place user groups in the scope. Group nesting isn’t supported.
  5. After Microsoft Entra ID has completed initial provisioning of your groups, go to securitycentersaas.genetec.cloud and use the Configuration application to assign roles to your groups.
    Tip:
    Microsoft Entra ID pushes users and groups data to Security Center SaaS periodically, which might cause a delay in reflecting changes. Use the Provision on demand function to trigger an immediate data update if needed.

After you finish

Assign roles to groups imported from Microsoft Entra ID.
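
A pre-call check for the groups you plan to put in the synchronization scope, added here as an example (not Genetec or Microsoft code): it flags nested groups and guest users, which the procedure above says aren't supported. It assumes each group's direct members were exported from Microsoft Graph (`GET /groups/{id}/members` with `userType` selected); the sample data and the function name `audit_scope_group` are constructed for illustration.

```python
import json

# Constructed sample in the shape of a Microsoft Graph response to
# GET /groups/{id}/members?$select=id,displayName,userPrincipalName,userType
SAMPLE = json.loads("""
{"value": [
 {"@odata.type": "#microsoft.graph.user", "id": "u1",
  "userPrincipalName": "alice@company.com", "userType": "Member"},
 {"@odata.type": "#microsoft.graph.user", "id": "u2",
  "userPrincipalName": "bob_partner.example#EXT#@company.onmicrosoft.com",
  "userType": "Guest"},
 {"@odata.type": "#microsoft.graph.group", "id": "g9", "displayName": "Night Shift"},
 {"@odata.type": "#microsoft.graph.user", "id": "u3",
  "userPrincipalName": "carol@company.com"}
]}
""")

def audit_scope_group(members):
    """Split one scope group's direct members into (provisionable, findings)."""
    provisionable, findings = [], []
    for m in members.get("value", []):
        kind = m.get("@odata.type", "").rsplit(".", 1)[-1]
        upn = m.get("userPrincipalName") or ""
        label = upn or m.get("displayName") or m.get("id", "?")
        if kind == "group":
            # Page: group nesting and indirect membership aren't supported.
            findings.append((label, "nested-group"))
        elif kind != "user":
            continue  # other object types are outside what the page covers
        elif m.get("userType") == "Guest" or "#EXT#" in upn:
            # Page: guest or external Entra ID users aren't provisioned.
            findings.append((label, "guest"))
        elif "userType" not in m:
            # Export lacked userType, so guest status can't be confirmed.
            findings.append((label, "usertype-missing"))
        else:
            provisionable.append(label)
    return provisionable, findings

if __name__ == "__main__":
    ok, issues = audit_scope_group(SAMPLE)
    print("direct members in scope:", ok)
    for label, issue in issues:
        print(f"review before the call: {label} ({issue})")
```

Users who only reach a scope group through a nested group need to be added to a scope group directly, otherwise they will be missing from Security Center SaaS after the initial provisioning.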