Who is this article for?

Incydr
Code42 for Enterprise
CrashPlan for Enterprise
CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, yes.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

How to provision users to Code42 from Azure AD

Overview

This article explains how to provision users from Azure AD to Code42. Once configured, Code42 automatically adds, updates, and removes users when Azure AD syncs to Code42.

This article assumes you are familiar with the concept of provisioning. To learn more, see our Introduction to SCIM provisioning.

The Code42 application in Azure AD is intended for single sign-on (SSO) as well as provisioning. This article describes only how to set up provisioning. To learn how to set up SSO, see Configure Azure for SSO in your Code42 environment.

Considerations

Local users in Code42 cannot be created, updated, or deleted from Azure AD. These users can only be managed in the Code42 console. 

Block, deauthorize, and deactivate users

There are a few special considerations when blocking, deauthorizing, and deactivating users. 

Glossary terms
  • Blocking is a non-destructive action that prevents access to Code42. A blocked user or device cannot sign in.
  • Deauthorizing is a non-destructive action that simply signs a user out of a specific device. Users can sign in again at any time.
  • Deactivating is a destructive action that removes a user from your Code42 environment. An active user can sign in again to a deactivated device, but a deactivated user cannot sign in. The user's archives on destinations are placed into cold storage for the configured cold storage period. Once the cold storage period has passed, the archive is permanently deleted.

Deactivation delay

When Azure AD sends an update to deactivate a user, Code42 waits 15 minutes before deactivating that user. This helps protect against moving users' backup archives into cold storage if users are accidentally deactivated in Azure AD. You can adjust the delay time in the Code42 console.

This delay applies only when you use provisioning to deactivate users. When you manually deactivate users in the Code42 console, there is no delay.

Although Code42 waits before deactivating users, Code42 immediately blocks users once it receives a deactivation update for them from Azure AD. Blocked users can no longer sign in to Code42, but their devices continue to back up.

To learn more about user deactivation, see Deactivate and reactivate users and devices.

Users on legal hold cannot be deactivated

If you place users on legal hold, Azure AD can't deactivate them. Their data is retained for the legal hold process. Users are blocked instead of deactivated. Once you release users from legal hold, they are automatically deactivated.
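
The block, delay, and legal hold rules above can be modeled to see which accounts are blocked but still backing up at a given moment. This is an added example, not Code42 code; the record fields (`received`, `on_hold`, `hold_released`) are hypothetical, and the rule that releasing a hold never shortens the delay is an assumption.

```python
from datetime import datetime, timedelta

DEFAULT_DELAY = timedelta(minutes=15)  # default from this article; adjustable in the console

def state_at(now, received, delay=DEFAULT_DELAY, on_hold=False, hold_released=None):
    """State of a provisioned user at `now`.

    received      -- when Code42 got the deactivation update (None = never)
    on_hold       -- the user was placed on legal hold
    hold_released -- when the hold was released (None = still held)
    """
    if received is None or now < received:
        return "active"
    if on_hold and (hold_released is None or now < hold_released):
        return "blocked"  # held users are blocked instead of deactivated
    due = received + delay
    if on_hold:
        due = max(due, hold_released)  # assumption: release never shortens the delay
    return "deactivated" if now >= due else "blocked"

def offboarding_report(now, users, delay=DEFAULT_DELAY):
    """Group user names by state; 'blocked' users cannot sign in but still back up."""
    report = {"active": [], "blocked": [], "deactivated": []}
    for u in users:
        state = state_at(now, u.get("received"), delay,
                         u.get("on_hold", False), u.get("hold_released"))
        report[state].append(u["name"])
    return report

# Constructed sample records; names and times are made up.
T0 = datetime(2024, 1, 1, 9, 0)
USERS = [
    {"name": "a", "received": None},
    {"name": "b", "received": T0},
    {"name": "c", "received": T0 - timedelta(hours=1)},
    {"name": "d", "received": T0 - timedelta(days=2), "on_hold": True},
]

if __name__ == "__main__":
    print(offboarding_report(T0 + timedelta(minutes=5), USERS))
```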

Supported attributes and features

Supported attributes

The following Azure AD SCIM user attributes are automatically updated in Code42. (To change user attribute mapping, see Step 4.)

Value in Azure AD     Value in the Code42 User Profile
userPrincipalName     Code42 username
userPrincipalName     Email
manager               Manager. The manager must also exist in Code42.
jobTitle              Job title
givenName             First name
surname               Last name
city                  City
state                 State
country               Country
department            Department

Supported SCIM attributes

The following SCIM attributes are not supported in Azure AD but are supported in Code42:
  • Division
  • EmployeeType
    Note: The UserType attribute in Azure AD is not equivalent to the EmployeeType SCIM attribute, and should not be used as the employee type attribute in Code42.

Supported user provisioning features

Supported 

The following user provisioning features are available in the Code42 Azure AD application:

  • Create users: New users created in Azure AD are also created in Code42.
  • Deactivate users: Deactivating a user in Azure AD deactivates the user in Code42.
    Note: For Code42, deactivating a user means removing the user's account and placing their data into cold storage. By default, there is a 15-minute delay before Code42 deactivates a user. 
  • Update user attributes: Azure AD updates users' attributes. These updates overwrite any changes made in Code42.

Not supported 

  • Import users from Code42 to Azure AD
  • Password sync
  • Azure AD roles mapping to Code42

Step 1: Create Code42 organizations

Create the Code42 organization to which users from Azure AD are added during provisioning. (You set the organization that receives provisioned users in Step 6 below.)

If you want to move users to other Code42 organizations after they've been provisioned to Code42, create those organizations, too.

  1. Sign in to the Code42 console
  2. Select Administration > Organizations > Active from the navigation menu. 
  3. Click Add an organization.
    Child organizations
    This method adds the organization under the default organization. To add a child organization, click the name of the organization to which you want to add a child organization. Then, from the action menu, select Add a Child Organization.
  4. Enter a descriptive name for the organization.
  5. Click Add to create the organization.
  6. Repeat until you have added all of your organizations.

Step 2: Add a provisioning provider in the Code42 console

Create the provisioning provider configuration that Azure AD uses to connect to Code42.

  1. In the Code42 console, navigate to Administration > Settings > Identity Management.
  2. Select the Provisioning tab.
  3. Click Add Provisioning Provider > Add SCIM Provider.
  4. Enter a display name and select OAuth token for the authentication credential type.
    You must select OAuth token for use with Azure AD provisioning.
  5. Click Next
  6. The SCIM Provider Created message appears. Copy the Base URL and Token values to a safe location for use later. You'll need this information for Step 4 in the provisioning provider setup.
    After you have saved the information displayed here, click Done.

Step 3: Add the Azure AD application for Code42

  1. Sign in to your Azure portal
  2. Go to Azure Active Directory.
  3. Select Enterprise applications.
  4. Click New application.
  5. Add the Code42 application.
    1. In Add from the gallery, enter Code42.
      Note: Your experience searching for and selecting the Code42 application may vary if you view the gallery catalog in preview mode. 
    2. Select the Code42 application.
    3. (Optional) Give the application a unique name.
    4. Click Create.
      The Code42 application is added to the list of enterprise applications.

Step 4: Configure Azure AD provisioning 

Use the Azure portal to configure provisioning for the Code42 application. For general information about provisioning in Azure AD, see the Azure AD documentation. For more information about how to configure provisioning specifically for Code42, see the Azure AD tutorial Configure Code42 for automatic user provisioning.

  1. From Enterprise Applications, select the Code42 application you created in Step 3.
  2. Under Manage, select Provisioning.
  3. Click Get Started in the "Automate identity lifecycle management with Azure Active Directory" screen.
  4. For Provisioning mode, select Automatic
  5. Under Admin Credentials, enter the information you copied from the Code42 console in Step 2:
    1. In Tenant URL, enter the base URL.
    2. In Secret Token, enter the token.
    3. In Notification Email, enter the email address of the person to receive notification emails and select Send an email notification when a failure occurs.
  6. Click Test Connection to ensure that the connection to Code42 is working. If the test is successful, the following message is displayed: The supplied credentials are authorized to enable provisioning.
    If the test is not successful, regenerate the credentials in the Code42 console and enter the new values in the Admin Credentials fields.
  7. If desired, select Mappings to change how group and user attributes flow from Azure AD to Code42. For information about how to configure provisioning mapping in Azure AD, see the Azure AD documentation.
    1. To change group mapping, select Provision Azure Active Directory Groups
    2. To change user mapping, select Provision Azure Active Directory Users
      Following are the default user mappings from Azure AD to Code42. To ensure proper mapping, use the defaults shown. To change mapping, click the Azure Active Directory attribute.
      Azure Active Directory attribute    Code42 attribute
      userPrincipalName                   userName
      userPrincipalName                   emails[type eq "work"].value
      manager                             urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager
      Not([IsSoftDeleted])                active
      jobTitle                            title
      givenName                           name.givenName
      surname                             name.familyName
      city                                addresses[type eq "work"].locality
      state                               addresses[type eq "work"].region
      country                             addresses[type eq "work"].country
      objectId                            externalId
      department                          urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department

  8. In Scope, select Sync only assigned users and groups. We recommend this setting until you have tested provisioning.  
  9. Click Save
  10. Make any other settings changes your new application requires, and add users and groups to the new application. 
    See the Azure AD documentation for details on adding users to applications and performing other application setup tasks.
  11. When you are ready to start provisioning, edit the provisioning settings for the Code42 application to set the Provisioning Status to On. When you click Save, provisioning starts at the default interval set for the application.
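
To review what the default user mappings in step 7 put on the wire, the following added example (not Code42 or Microsoft code) applies them to one Azure AD user record and builds the resulting SCIM 2.0 User resource. The input dict shape and the function names are assumptions, and `manager` is written as a plain value for simplicity.

```python
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# (Azure AD attribute, Code42 attribute) pairs copied from the default mapping table.
DEFAULT_MAPPINGS = [
    ("userPrincipalName", "userName"),
    ("userPrincipalName", 'emails[type eq "work"].value'),
    ("manager", ENT + ":manager"),
    ("jobTitle", "title"),
    ("givenName", "name.givenName"),
    ("surname", "name.familyName"),
    ("city", 'addresses[type eq "work"].locality'),
    ("state", 'addresses[type eq "work"].region'),
    ("country", 'addresses[type eq "work"].country'),
    ("objectId", "externalId"),
    ("department", ENT + ":department"),
]
FILTERED = re.compile(r'^(\w+)\[type eq "(\w+)"\]\.(\w+)$')

def set_path(resource, path, value):
    """Write value at a target path: extension URN, filtered list entry, or dotted."""
    m = FILTERED.match(path)
    if path.startswith(ENT + ":"):
        resource.setdefault(ENT, {})[path[len(ENT) + 1:]] = value
    elif m:
        attr, kind, sub = m.groups()
        items = resource.setdefault(attr, [])
        item = next((i for i in items if i["type"] == kind), None)
        if item is None:
            item = {"type": kind}
            items.append(item)
        item[sub] = value
    else:
        *parents, leaf = path.split(".")
        for key in parents:
            resource = resource.setdefault(key, {})
        resource[leaf] = value

def build_scim_user(aad_user):
    """Apply the default mappings to one Azure AD user record (a plain dict)."""
    resource = {"schemas": [CORE]}
    for source, target in DEFAULT_MAPPINGS:
        if aad_user.get(source) is not None:
            set_path(resource, target, aad_user[source])
    # The table maps the expression Not([IsSoftDeleted]) to "active".
    resource["active"] = not aad_user.get("IsSoftDeleted", False)
    if ENT in resource:
        resource["schemas"].append(ENT)
    return resource

# Constructed sample record; every value is made up.
SAMPLE = {"userPrincipalName": "avery@example.com", "givenName": "Avery", "surname": "Lee",
          "city": "Minneapolis", "country": "US", "department": "Finance",
          "objectId": "00000000-0000-0000-0000-000000000001", "IsSoftDeleted": False}
```

Comparing the output for a test user against the Code42 user profile shows exactly which directory fields leave Azure AD under the defaults.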

(Optional) Step 5: Edit deactivation delay

In the Code42 console, view the provisioning provider details and select Deactivation Delay.

The deactivation delay determines how long Code42 waits to deactivate a user after syncing with the provisioning provider. Although Code42 may be configured to wait, Code42 immediately blocks a user once it receives a deactivation update from the provisioning provider. Blocking a user means they can no longer sign in to the Code42 app, but their devices continue to back up. The delay helps prevent accidentally deactivating a user and removing their backup archive.

To learn more about user deactivation, see Deactivate and reactivate users and devices.

Step 6: Choose an organization mapping method

The mapping method determines how Code42 assigns users to organizations. Organizations are used to set backup policies and permissions for users in your Code42 environment. To change the method, go to Organization Mapping, and click Add Organization Mapping or the edit icon. 

The Edit Organization Mapping Method dialog is displayed.

In the Edit Organization Mapping Method dialog, choose one of the following mapping methods.

Do not select Map users to organizations based on the provider's "c42OrgName" attribute. Azure AD does not support this method. 

Create new users in an organization

Assigns all users to the same Code42 organization.

  1. In Edit Organization Mapping Method, choose Create new users in the organization below
  2. Select an existing organization to map all users to. 

Map users to organizations using SCIM groups

Assigns users to Code42 organizations based on their SCIM group. You can also choose the priority of which organization a user is mapped to if they belong to two or more groups.

  1. In Edit Organization Mapping Method, choose Map users to organizations using SCIM groups. 
  2. Choose an organization to which unmapped users are assigned. Unmapped users are users who either do not belong to a group or their group is not mapped. 
  3. Click Save
    The group mapping appears. 
  4. Click Add Mapping.
    The Add Mapping button only appears after groups have already been provisioned to Code42 from Azure AD.
  5. Select one or more SCIM groups.
  6. From Select a Code42 organization, choose an organization from the menu. 
  7. Click Save
    The mapping appears on the Provisioning Provider details page. 
  8. Repeat until all of your SCIM groups have been mapped to Code42 organizations. 
    The message All SCIM groups are mapped appears.
  9. (Optional) Adjust the priority of each mapping. This is useful for users who belong to more than one SCIM group. 

Step 7: Configure role mapping

Role mapping allows you to automatically assign Code42 roles and permissions to provisioned users based on their SCIM group. Learn more about Code42 roles and permissions. Users who are not mapped inherit the default roles for their organization. 

SCIM Groups
Role Mapping is only available if you are using SCIM groups.

  1. Click the Edit icon to the right of Role Mapping.
    The Edit Role Mapping dialog appears.
  2. To map SCIM groups, select Map SCIM groups to Code42 roles.
    If you do not want to manage roles with SCIM groups, select Manually to manage roles in Code42.
  3. Click Save.
    An Add Mapping button appears under Role Mapping.
  4. Click Add Mapping
    The Add Role Mapping dialog appears.
  5. Select a SCIM group from the dropdown. 
    Only groups that have not been mapped appear in the dropdown.
  6. Choose one or more roles from the list to apply to this SCIM group. Learn more about Code42 roles and permissions.
    Basic Code42 Roles 
    We recommend including the roles Desktop User and PROe User for all users who are backing up their computers to Code42. These roles allow users to sign in to Code42. If you are giving external groups access to your Code42 environment (for example, outside legal counsel), they do not need these roles.
  7. Click Add
    The role mapping appears under the provisioning provider detail. 
  8. Repeat until all of your SCIM groups have been mapped to Code42 organizations. 
    The message All SCIM groups are mapped appears. 

Troubleshooting

  • To troubleshoot why users or attributes aren't being sent to Code42 from Azure AD, see the Azure AD documentation to review provisioning errors. 
  • If everything is configured properly in Azure AD but users aren't being provisioned to Code42, assign an empty group to the Code42 application in Azure AD, then add users to that group. This initiates new provisioning calls for those users.

There are no SCIM groups available

This message appears if SCIM groups have not been provisioned. Provision groups to Code42 from Azure AD to begin organization mapping based on SCIM group.

Assign users to the Code42 application in Azure AD after organization mapping is set up

If you assign people to the Code42 application in Azure AD before you configure mapping in the Code42 console, the users are not automatically mapped to Code42 organizations and roles. We recommend you assign users to the Code42 application in Azure AD after organization mapping is set up in the Code42 console.

Syncing

  • To view information about provisioning in Code42, see the Sync Log in the Code42 console. It contains details of all of the users that have been created, updated, or deleted in Code42 due to provisioning. 
  • Once provisioning is configured in the Code42 application in Azure AD, make all user changes in Azure AD. Code42 does not sync changes back to Azure AD, so any changes you make to user values on the Code42 side cause the two apps to become out of sync.
  • Updating the Code42 console does not start a sync between Azure AD and Code42. Only adding or removing a user from a group in Azure AD starts a sync. 
  • Code42 recommends configuring the organization and role settings for a provisioning provider before initially pushing users via that provisioning provider. Doing so ensures that these settings are applied to all users as they are provisioned. Configuring the organization and role settings after users have been initially provisioned into Code42 requires users to be re-provisioned to apply the new settings to those users. Should you need to change these settings and want them to be applied to all provisioned users in Code42 immediately, use the Apply Org and Role Settings action in the target provisioning provider.
