Who is this article for?

Incydr, yes.

CrashPlan for Enterprise, yes.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

How to provision users to Code42 from Azure AD

Overview

This article explains how to provision users from Azure AD to Code42. Once configured, Code42 automatically adds, updates, and removes users when Azure AD syncs to Code42.

This article assumes you are familiar with the concept of provisioning. To learn more, see our Introduction to SCIM provisioning.

The Code42 application in Azure AD is intended for single sign-on (SSO) as well as provisioning. This article describes only how to set up provisioning. To learn how to set up SSO, see Configure Azure for SSO in your Code42 environment.

Considerations

Local users in Code42 cannot be created, updated, or deleted from Azure AD. These users can only be managed in the Code42 console. 

Block, deauthorize, and deactivate users

There are a few special considerations when blocking, deauthorizing, and deactivating users. 

Glossary terms
  • Blocking is a non-destructive action that prevents access to Code42. A blocked user or device cannot sign in.
  • Deauthorizing is a non-destructive action that simply signs a user out of a specific device. Users can sign in again at any time.
  • Deactivating is a destructive action that removes a user from your Code42 environment. An active user can sign in again to a deactivated device, but a deactivated user cannot sign in. The user's archives on destinations are placed into cold storage for the configured cold storage period. Once the cold storage period has passed, the archive is permanently deleted.

Deactivation delay

When Azure AD sends an update to deactivate a user, Code42 waits 15 minutes before deactivating that user. This helps protect against moving users' backup archives into cold storage if users are accidentally deactivated in Azure AD. You can adjust the delay time in the Code42 console.

This delay applies only when you use provisioning to deactivate users. When you manually deactivate users in the Code42 console, there is no delay.

Although Code42 waits before deactivating users, it blocks them immediately once it receives their deactivation update from Azure AD. Blocked users can no longer sign in to Code42, but their devices continue to back up.

To learn more about user deactivation, see Deactivate and reactivate users and devices.

Users on legal hold cannot be deactivated

If you place users on legal hold, Azure AD can't deactivate them. Their data is retained for the legal hold process. Users are blocked instead of deactivated. Once you release users from legal hold, they are automatically deactivated.

Supported attributes and features

Supported attributes

The following Azure AD SCIM user attributes are automatically updated in Code42. (To change user attribute mapping, see Step 4.)

| Value in Azure AD | Value in the Code42 User Profile |
| --- | --- |
| userPrincipalName | Code42 username |
| userPrincipalName | Email |
| manager | Manager (The manager must also exist in Code42.) |
| jobTitle | Job title |
| givenName | First name |
| surname | Last name |
| city | City |
| state | State |
| country (Only two-character country codes are honored. See Troubleshooting below.) | Country |
| department | Department |

Supported SCIM attributes

The following SCIM attributes are not supported in Azure AD but are supported in Code42:
  • Division
  • EmployeeType
    Note: The UserType attribute in Azure AD is not equivalent to the EmployeeType SCIM attribute, and should not be used as the employee type attribute in Code42.

Supported user provisioning features

Supported 

The following user provisioning features are available in the Code42 Azure AD application:

  • Create users: New users created in Azure AD are also created in Code42.
  • Deactivate users: Deactivating a user in Azure AD deactivates the user in Code42.
    Note: For Code42, deactivating a user means removing the user's account and placing their data into cold storage. By default, there is a 15-minute delay before Code42 deactivates a user. 
  • Update user attributes: Azure AD updates users' attributes. These updates overwrite any changes made in Code42.

Not supported 

  • Import users from Code42 to Azure AD
  • Password sync
  • Azure AD roles mapping to Code42

Step 1: Create Code42 organizations

Create the Code42 organization to which users from Azure AD are added during provisioning. (You set the organization that receives provisioned users in Step 6 below.)

If you want to move users to other Code42 organizations after they've been provisioned to Code42, create those organizations, too.

  1. Sign in to the Code42 console.
  2. Select Administration > Environment > Organizations from the navigation menu.
  3. Click Add an organization.
    Child organizations
    This method adds the organization under the default organization. To add a child organization, click the name of the organization to which you want to add a child organization. Then, from the action menu, select Add a Child Organization.
  4. Enter a descriptive name for the organization.
  5. Click Add to create the organization.
  6. Repeat until you have added all of your organizations.

Step 2: Add a provisioning provider in the Code42 console

Create the provisioning provider configuration that Azure AD uses to connect to Code42.

  1. In the Code42 console, navigate to Administration > Integrations > Identity Management.
  2. Select the Provisioning tab.
  3. Click Add Provisioning Provider > Add SCIM Provider.
  4. Enter a display name and select OAuth token for the authentication credential type.
    You must select OAuth token for use with Azure AD provisioning.
  5. Click Next.
  6. The SCIM Provider Created message appears. Copy the Base URL and Token values to a safe location for use later. You'll need this information for Step 4 in the provisioning provider setup.
    After you have saved the information displayed here, click Done.

Step 3: Add the Azure AD application for Code42

  1. Sign in to your Azure portal.
  2. Go to Azure Active Directory.
  3. Select Enterprise applications.
  4. Click New application.
  5. Add the Code42 application.
    1. In Add from the gallery, enter Code42.
      Note: Your experience searching for and selecting the Code42 application may vary if you view the gallery catalog in preview mode. 
    2. Select the Code42 application.
    3. (Optional) Give the application a unique name.
    4. Click Create.
      The Code42 application is added to the list of enterprise applications.

Step 4: Configure Azure AD provisioning 

Use the Azure portal to configure provisioning for the Code42 application. For general information about provisioning in Azure AD, see the Azure AD documentation. For more information about how to configure provisioning specifically for Code42, see the Azure AD tutorial Configure Code42 for automatic user provisioning.

  1. From Enterprise Applications, select the Code42 application you created in Step 3.
  2. Under Manage, select Provisioning.
  3. Click Get Started in the "Automate identity lifecycle management with Azure Active Directory" screen.
  4. For Provisioning mode, select Automatic.
  5. Under Admin Credentials, enter the information you copied from the Code42 console in Step 2:
    1. In Tenant URL, enter the base URL.
    2. In Secret Token, enter the token.
    3. In Notification Email, enter the email address of the person to receive notification emails and select Send an email notification when a failure occurs.
  6. Click Test Connection to ensure that the connection to Code42 is working. If the test is successful, the following message is displayed: The supplied credentials are authorized to enable provisioning.
    If the test is not successful, regenerate the credentials in the Code42 console and enter the new values in the Admin Credentials fields.
  7. If desired, select Mappings to change how group and user attributes flow from Azure AD to Code42. For information about how to configure provisioning mapping in Azure AD, see the Azure AD documentation.
    1. To change group mapping, select Provision Azure Active Directory Groups.
    2. To change user mapping, select Provision Azure Active Directory Users.
      The following are the suggested user attribute mappings from Azure AD to Code42. To change these mappings, click the Azure Active Directory attribute.

      User attribute mappings
      The default mappings listed in the Code42 application may be different than what is shown below. To ensure provisioning occurs as expected, use the following mappings.

      | Azure Active Directory attribute | Code42 attribute |
      | --- | --- |
      | userPrincipalName | userName |
      | userPrincipalName | emails[type eq "work"].value |
      | manager | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager |
      | Not([IsSoftDeleted]) | active |
      | jobTitle | title |
      | givenName | name.givenName |
      | surname | name.familyName |
      | city | addresses[type eq "work"].locality |
      | state | addresses[type eq "work"].region |
      | country (Only two-character country codes are honored. See Troubleshooting below.) | addresses[type eq "work"].country |
      | objectId | externalId |
      | department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department |

  8. In Scope, select Sync only assigned users and groups. We recommend this setting until you have tested provisioning.
  9. Click Save.
  10. Make any other settings changes your new application requires, and add users and groups to the new application.
    See the Azure AD documentation for details on adding users to applications and performing other application setup tasks.
  11. When you are ready to start provisioning, edit the provisioning settings for the Code42 application to set the Provisioning Status to On. When you click Save, provisioning starts at the default interval set for the application.

Apply changes after mapping SCIM groups

If you want to map SCIM groups to Code42 organizations in Step 6 or roles in Step 7, you must first push or provision SCIM groups and their users to Code42 so they are available in the Code42 console. 

However, this means that initially the users are provisioned in the default organization and are assigned default roles rather than the ones you want to map them to. To move these users to the desired organizations and roles, ensure that you map SCIM groups to organizations (Step 6) and roles (Step 7) and then apply the mappings using the Apply Org and Role Settings action.  
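
A pre-flight check for the Step 4 mappings, as an added example that is not Code42's or Microsoft's code: it applies the suggested attribute mappings to exported Azure AD user records, builds the SCIM user each record would produce, and flags country values that are not two characters and managers that are outside the batch. The input layout (one dict per user, with manager holding the manager's objectId) and the sample users are assumptions constructed for illustration.

```python
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
TWO_CHAR = re.compile(r"[A-Za-z]{2}")


def to_scim_user(aad):
    """Apply the suggested mappings to one Azure AD user dict.

    Returns (scim_user, warnings). Keys of `aad` are Azure AD attribute names.
    """
    upn = aad.get("userPrincipalName")
    if not upn:
        raise ValueError("userPrincipalName is required (maps to userName and work email)")
    warnings = []

    address = {"type": "work"}
    for source, target in (("city", "locality"), ("state", "region")):
        if aad.get(source):
            address[target] = aad[source]
    country = (aad.get("country") or "").strip()
    if TWO_CHAR.fullmatch(country):
        address["country"] = country
    elif country:
        # Azure AD accepts longer values, but only two-character codes are honored.
        warnings.append(f"{upn}: country {country!r} is not a two-character code")

    enterprise = {}
    if aad.get("department"):
        enterprise["department"] = aad["department"]
    if aad.get("manager"):
        enterprise["manager"] = {"value": aad["manager"]}

    user = {
        "schemas": [CORE, ENTERPRISE],
        "userName": upn,
        "externalId": aad.get("objectId"),
        "active": not aad.get("IsSoftDeleted", False),  # Not([IsSoftDeleted])
        "emails": [{"type": "work", "value": upn}],
        "name": {"givenName": aad.get("givenName"), "familyName": aad.get("surname")},
        "title": aad.get("jobTitle"),
        "addresses": [address],
        ENTERPRISE: enterprise,
    }
    return user, warnings


def preflight(users):
    """Map every user and collect warnings, including managers outside the batch."""
    in_scope = {u.get("objectId") for u in users}
    mapped, warnings = [], []
    for aad in users:
        user, notes = to_scim_user(aad)
        mapped.append(user)
        warnings.extend(notes)
        manager = aad.get("manager")
        if manager and manager not in in_scope:
            warnings.append(f"{user['userName']}: manager {manager} is not in this batch "
                            "and must already exist in Code42")
    return mapped, warnings


# Constructed sample records (not real directory data).
SAMPLE_USERS = [
    {"objectId": "id-001", "userPrincipalName": "ana@example.com", "givenName": "Ana",
     "surname": "Ruiz", "jobTitle": "Analyst", "department": "Finance",
     "city": "Madrid", "country": "ES", "manager": "id-002"},
    {"objectId": "id-002", "userPrincipalName": "ben@example.com", "givenName": "Ben",
     "surname": "Okoro", "country": "United Kingdom", "manager": "id-999"},
    {"objectId": "id-003", "userPrincipalName": "cy@example.com", "IsSoftDeleted": True},
]

if __name__ == "__main__":
    for line in preflight(SAMPLE_USERS)[1]:
        print("WARN", line)
```

Running it against the records assigned to the application before you set Provisioning Status to On shows which users would arrive in Code42 without a country or manager value.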

(Optional) Step 5: Edit deactivation delay

In the Code42 console, view the provisioning provider details and select Deactivation Delay.

The deactivation delay determines how long Code42 waits to deactivate a user after syncing with the provisioning provider. Although Code42 may be configured to wait, it blocks a user immediately once it receives that user's deactivation update from the provisioning provider. Blocking a user means they can no longer sign in to the Code42 app, but their devices continue to back up. The delay helps prevent accidentally deactivating a user and removing their backup archive.

To learn more about user deactivation, see Deactivate and reactivate users and devices.

Step 6: Choose an organization mapping method

The mapping method determines how Code42 assigns users to organizations. Organizations are used to set backup policies and permissions for users in your Code42 environment. To change the method, go to Organization Mapping, and click Add Organization Mapping or the edit icon. 

The Edit Organization Mapping Method dialog is displayed.

In the Edit Organization Mapping Method dialog, choose one of the following mapping methods:

Do not select Map users to organizations based on the provider's "c42OrgName" attribute. Azure AD does not support this method. 

Create new users in an organization

Assigns all users to the same Code42 organization.

  1. In Edit Organization Mapping Method, choose Create new users in the organization below.
  2. Select an existing organization to map all users to. 

Map users to organizations using SCIM groups

Assigns users to Code42 organizations based on their SCIM group. You can also choose the priority of which organization a user is mapped to if they belong to two or more groups.

  1. In Edit Organization Mapping Method, choose Map users to organizations using SCIM groups. 
  2. Choose an organization to which unmapped users are assigned. Unmapped users are users who either do not belong to a group or their group is not mapped. 
  3. Click Save.
    The group mapping appears.
  4. Click Add Mapping.
    The Add Mapping button only appears after groups have already been provisioned to Code42 from Azure AD.
  5. Select one or more SCIM groups.
  6. From Select a Code42 organization, choose an organization from the menu.
  7. Click Save.
    The mapping appears on the Provisioning Provider details page.
  8. Repeat until all of your SCIM groups have been mapped to Code42 organizations.
    The message All SCIM groups are mapped appears.
  9. (Optional) Adjust the priority of each mapping. This is useful for users who belong to more than one SCIM group. 

Step 7: Configure role mapping

Role mapping allows you to automatically assign Code42 roles and permissions to provisioned users based on their SCIM group. Learn more about Code42 roles and permissions. Users who are not mapped inherit the default roles for their organization. 

Note: Role Mapping is only available if you are using SCIM groups.

  1. Click Edit (the edit icon) to the right of Role Mapping.
    The Edit Role Mapping dialog appears.
  2. To map SCIM groups, select Map SCIM groups to Code42 roles.
    If you do not want to manage roles with SCIM groups, select Manually to manage roles in Code42.
  3. Click Save.
    An Add Mapping button appears under Role Mapping.
  4. Click Add Mapping.
    The Add Role Mapping dialog appears.
  5. Select a SCIM group from the dropdown.
    Only groups that have not been mapped appear in the dropdown.
  6. Choose one or more roles from the list to apply to this SCIM group. Learn more about Code42 roles and permissions.
    Basic Code42 Roles
    We recommend including the roles Desktop User and PROe User for all users who are backing up their computers to Code42. These roles allow users to sign in to Code42. If you are giving external groups access to your Code42 environment (for example, outside legal counsel), they do not need these roles.
  7. Click Add.
    The role mapping appears under the provisioning provider detail. 
  8. Repeat until all of your SCIM groups have been mapped to Code42 organizations. 
    The message All SCIM groups are mapped appears. 

Troubleshooting

Users are not provisioned to Code42

To troubleshoot why users or attributes aren't being sent to Code42 from Azure AD, see the Azure AD documentation to review provisioning errors. 

If everything is configured properly in Azure AD but users aren't being provisioned to Code42, assign an empty group to the Code42 application in Azure AD, then add users to that group. This initiates new provisioning calls for those users.

There are no SCIM groups available

This message appears if SCIM groups have not been provisioned. Provision groups to Code42 from Azure AD to begin organization mapping based on SCIM group.

Syncing

  • To view information about provisioning in Code42, see the Sync Log in the Code42 console. It contains details of all of the users that have been created, updated, or deleted in Code42 due to provisioning. 
  • Once provisioning is configured in the Code42 application in Azure AD, make all user changes in Azure AD. Code42 does not sync changes back to Azure AD, so any changes you make to user values on the Code42 side cause the two apps to become out of sync.
  • Updating the Code42 console does not start a sync between Azure AD and Code42. Only adding or removing a user from a group in Azure AD starts a sync. 
The country value does not appear in Code42

If the value of the country field in Azure AD does not appear in Code42, it could be because it is longer than two characters. While Azure AD honors entries longer than two characters in the country field, the SCIM standard used by Code42 only honors two-letter ISO 3166 country codes. This is a known issue in Azure.

To resolve the issue, use only two-letter country codes in the country field in Azure, or use one of the following options:

Option 1: Build an expression

Edit the user attribute mapping for the country attribute to use an expression that matches long-form country names to the ISO 3166 country code.

  1. In the Attribute Mapping dialog, click country.
  2. In the Edit Attribute dialog, click the Mapping type field and select Expression.
  3. In the Expression field enter the following switch expression:
IIF(IsNull([country]), "", Switch(ToLower([country], ), , "afghanistan", "AF", "albania", "AL", "algeria", "DZ", "american samoa", "AS", "andorra", "AD", "angola", "AO", "anguilla", "AI", "antarctica", "AQ", "antigua", "AG", "barbuda", "AG", "argentina", "AR", "armenia", "AM", "aruba", "AW", "australia", "AU", "austria", "AT", "azerbaijan", "AZ", "bahamas", "BS", "bahrain", "BH", "bangladesh", "BD", "barbados", "BB", "belarus", "BY", "belgium", "BE", "belize", "BZ", "benin", "BJ", "bermuda", "BM", "bhutan", "BT", "bolivia", "BO", "bosnia", "BA", "herzegovina", "BA", "botswana", "BW", "bouvet island", "BV", "brazil", "BR", "british indian ocean territory", "IO", "brunei darussalam", "BN", "bulgaria", "BG", "burkina faso", "BF", "burundi", "BI", "cambodia", "KH", "cameroon", "CM", "canada", "CA", "cape verde", "CV", "cayman islands", "KY", "central african republic", "CF", "chad", "TD", "chile", "CL", "china", "CN", "christmas island", "CX", "cocos islands", "CC", "colombia", "CO", "comoros", "KM", "congo", "CG", "democratic republic of the congo", "CD", "cook islands", "CK", "costa rica", "CR", "croatia", "HR", "cuba", "CU", "curaçao", "CW", "cyprus", "CY", "czech republic", "CZ", "denmark", "DK", "djibouti", "DJ", "dominica", "DM", "dominican republic", "DO", "ecuador", "EC", "egypt", "EG", "el salvador", "SV", "equatorial guinea", "GQ", "eritrea", "ER", "estonia", "EE", "ethiopia", "ET", "falkland islands", "FK", "faroe islands", "FO", "fiji", "FJ", "finland", "FI", "france", "FR", "french guiana", "GF", "french polynesia", "PF", "french southern territories", "TF", "gabon", "GA", "gambia", "GM", "georgia", "GE", "germany", "DE", "ghana", "GH", "gibraltar", "GI", "greece", "GR", "greenland", "GL", "grenada", "GD", "guadeloupe", "GP", "guam", "GU", "guatemala", "GT", "guernsey", "GG", "guinea", "GN", "guinea-bissau", "GW", "guyana", "GY", "haiti", "HT", "holy see", "VA", "honduras", "HN", "hong kong", "HK", "hungary", "HU", "iceland", "IS", "india", "IN", 
"indonesia", "ID", "iran", "IR", "iraq", "IQ", "ireland", "IE", "isle of man", "IM", "israel", "IL", "italy", "IT", "jamaica", "JM", "japan", "JP", "jersey", "JE", "jordan", "JO", "kazakhstan", "KZ", "kenya", "KE", "kiribati", "KI", "democratic people's republic of korea", "KP", "south korea", "KR", "korea", "KR", "kuwait", "KW", "kyrgyzstan", "KG", "lao", "LA", "latvia", "LV", "lebanon", "LB", "lesotho", "LS", "liberia", "LR", "libya", "LY", "liechtenstein", "LI", "lithuania", "LT", "luxembourg", "LU", "macao", "MO", "macedonia", "MK", "madagascar", "MG", "malawi", "MW", "malaysia", "MY", "maldives", "MV", "mali", "ML", "malta", "MT", "marshall islands", "MH", "martinique", "MQ", "mauritania", "MR", "mauritius", "MU", "mayotte", "YT", "mexico", "MX", "federated states of micronesia", "FM", "micronesia", "FM", "republic of moldova", "MD", "moldova", "MD", "monaco", "MC", "mongolia", "MN", "montenegro", "ME", "montserrat", "MS", "morocco", "MA", "mozambique", "MZ", "myanmar", "MM", "namibia", "NA", "nauru", "NR", "nepal", "NP", "netherlands", "NL", "new caledonia", "NC", "new zealand", "NZ", "nicaragua", "NI", "niger", "NE", "nigeria", "NG", "niue", "NU", "norfolk island", "NF", "northern mariana islands", "MP", "norway", "NO", "oman", "OM", "pakistan", "PK", "palau", "PW", "palestine", "PS", "state of palestine", "PS", "panama", "PA", "papua new guinea", "PG", "paraguay", "PY", "peru", "PE", "philippines", "PH", "pitcairn", "PN", "poland", "PL", "portugal", "PT", "puerto rico", "PR", "qatar", "QA", "réunion", "RE", "romania", "RO", "russian federation", "RU", "russia", "RU", "rwanda", "RW", "saint barthélemy", "BL", "saint helena, ascension and tristan da cunha", "SH", "saint helena", "SH", "saint kitts", "KN", "saint kitts and nevis", "KN", "saint lucia", "LC", "saint martin", "MF", "saint pierre and miquelon", "PM", "saint vincent and the grenadines", "VC", "samoa", "WS", "san marino", "SM", "sao tome", "ST", "sao tome and principe", "ST", "saudi arabia", "SA", 
"senegal", "SN", "serbia", "RS", "seychelles", "SC", "sierra leone", "SL", "singapore", "SG", "sint maarten", "SX", "slovakia", "SK", "slovenia", "SI", "solomon islands", "SB", "somalia", "SO", "south africa", "ZA", "south sudan", "SS", "spain", "ES", "sri lanka", "LK", "sudan", "SD", "suriname", "SR", "svalbard and jan mayen", "SJ", "swaziland", "SZ", "sweden", "SE", "switzerland", "CH", "syrian arab republic", "SY", "taiwan", "TW", "taiwan, republic of china", "TW", "tajikistan", "TJ", "united republic of tanzania", "TZ", "tanzania", "TZ", "thailand", "TH", "timor-leste", "TL", "togo", "TG", "tokelau", "TK", "tonga", "TO", "trinidad and tobago", "TT", "tunisia", "TN", "turkey", "TR", "turkmenistan", "TM", "turks and caicos islands", "TC", "tuvalu", "TV", "uganda", "UG", "ukraine", "UA", "united arab emirates", "AE", "united kingdom", "GB", "united states", "US", "united states minor outlying islands", "UM", "uruguay", "UY", "uzbekistan", "UZ", "vanuatu", "VU", "bolivarian republic of venezuela", "VE", "venezuela", "VE", "viet nam", "VN", "vietnam", "VN", "british virgin islands", "VG", "us virgin islands", "VI", "wallis and futuna", "WF", "western sahara", "EH", "yemen", "YE", "zambia", "ZM", "zimbabwe", "ZW"))
  4. Click OK to save the attribute mapping.

Option 2: Use an alternative country identifier

Update the Azure AD country attribute mapping to use usageLocation as the source attribute instead. This source attribute may serve as a good proxy for the user's location because it always returns an ISO 3166 compliant two-character country code. If you use Azure AD Connect, this value is populated by the msExchUsageLocation attribute in your on-premises AD by default.

Option 3: Delete the country attribute mapping

Delete the mapping for the country user attribute outright. Although the country attribute would not appear in Code42, this approach avoids the country mapping problem altogether.

Option 4: Change the mapping between on-premises Active Directory and Azure AD

If you use Azure AD Connect, change the mapping between on-premises Active Directory and Azure AD.

On-premises Active Directory has various attributes that represent a user's country. If the "c" attribute is populated in AD with the two-character country code, then modify your Azure AD Connect mapping to populate Azure AD's country attribute with the "c" attribute from your on-premises AD.
