How to provision users to Code42 from Microsoft Entra ID (formerly Azure AD)

Overview

This article explains how to provision users from Microsoft Entra ID (formerly Azure AD) to Code42. Once configured, Code42 automatically adds, updates, and removes users when Entra ID syncs to Code42.

This article assumes you are familiar with the concept of provisioning. To learn more, see our Introduction to SCIM provisioning.

The Code42 application in Entra ID is intended for single sign-on (SSO) as well as provisioning. This article describes only how to set up provisioning. To learn how to set up SSO, see Configure Azure for SSO in your Code42 environment.

Considerations

Azure AD rebranded as Entra ID
Microsoft renamed Azure AD to Entra ID. References to "Azure AD" throughout this article also apply to Entra ID.

  • To use this functionality, you must be assigned the Identity Management Administrator role.
  • If you have been using Code42 User Directory Sync for provisioning and want to start using Azure AD for provisioning instead, contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.
  • Local users in Code42 cannot be created, updated, or deleted from Azure AD. These users can only be managed in the Code42 console.
  • Code42 service provider integration for user provisioning is supported in Azure's Gov cloud. You can provision users with Azure AD in the Code42 federal environment.

Deactivate users

Deactivation delay

When Azure AD sends an update to deactivate a user, Code42 waits 15 minutes before deactivating that user. This delay applies only when you use provisioning to deactivate users. When you manually deactivate users in the Code42 console, there is no delay.

Backup agent only: The deactivation delay helps protect against moving users' backup archives into cold storage if users are accidentally deactivated in Azure AD. Although Code42 waits before deactivating users, it blocks them immediately when it receives a deactivation update from Azure AD. Blocked users can no longer sign in to Code42, but their devices continue to back up.

To learn more about user deactivation, see Deactivate and reactivate users and devices.

Users on legal hold cannot be deactivated

Backup agent only

If you place users on legal hold, Azure AD can't deactivate them. Their data is retained for the legal hold process. Users are blocked instead of deactivated. Once you release users from legal hold, they are automatically deactivated.

Supported attributes and features

Supported attributes

The following Azure AD SCIM user attributes are automatically updated in Code42. (To change user attribute mapping, see Step 4.)

Value in Azure AD     Value in the Code42 User Profile
userPrincipalName     Code42 username
userPrincipalName     Email
manager               Manager (the manager must also exist in Code42)
jobTitle              Job title
givenName             First name
surname               Last name
city                  City
state                 State
usageLocation         Country
department            Department

Supported SCIM attributes

The following SCIM attributes are not supported in Azure AD but are supported in Code42:
  • Division
  • EmployeeType
    Note: The UserType attribute in Azure AD is not equivalent to the EmployeeType SCIM attribute, and should not be used as the employee type attribute in Code42.

Supported user provisioning features

Supported 

The following user provisioning features are available in the Code42 Azure AD application:

  • Create users: New users created in Azure AD are also created in Code42.
  • Deactivate users: Deactivating a user in Azure AD deactivates the user in Code42.
  • Update user attributes: Azure AD updates users' attributes. These updates overwrite any changes made in Code42.

Not supported 

  • Import users from Code42 to Azure AD
  • Sync passwords
  • Map Azure AD roles to users provisioned in Code42 
    However, you can assign Code42 roles to provisioned users based on the group they belonged to in Azure AD. See Step 6 below.

Step 1: Create Code42 organizations

This step is only required if you choose to use the Single Organization or Custom SCIM mapping methods. The "c42OrgName" attribute and Custom attribute methods create Code42 organizations automatically. 

Create the Code42 organization to which users from Azure AD are added during provisioning. (You specify the organization that receives provisioned users in Step 2 below.)

Step 2: Add a provisioning provider in the Code42 console

Create the provisioning provider configuration that Azure AD uses to connect to Code42.

  1. In the Code42 console, navigate to Administration > Integrations > Identity Management.
  2. Select the Provisioning tab.
  3. Click Add Provisioning Provider > Add SCIM Provider.
  4. Enter a display name and select OAuth token for the authentication credential type.
    You must select OAuth token for use with Azure AD provisioning.
  5. Click Next.
  6. The SCIM Provider Created message appears. Copy the Base URL and Token values to a safe location. You need them later in the provisioning provider setup (see Step 4).
    If you lose this information, you can always click Regenerate credentials on the provisioning provider details page and copy the newly-generated token to the Secret token field in Azure (see Step 4).
  7. Click Done.
    The provisioning provider details appear.
  8. Select the edit icon next to Organization Mapping.
  9. In the Edit organization mapping method dialog, ensure that Create new users in the organization below is selected, and select an organization to receive newly-provisioned users.
    Do not map with SCIM groups yet
    If you want to use the Map users to organizations using SCIM groups option, you can only do so after SCIM groups have been pushed during the first synchronization (see Step 5). After the SCIM groups are pushed, you can map users to organizations using SCIM groups in Step 6.
  10. Click Save.

Step 3: Add the Azure AD application for Code42

  1. Sign in to your Azure portal
  2. Go to Azure Active Directory.
  3. Select Enterprise applications.
  4. Click New application.
  5. Add the Code42 application.
    1. In Add from the gallery, enter Code42.
      Note: Your experience searching for and selecting the Code42 application may vary if you view the gallery catalog in preview mode. 
    2. Select the Code42 application.
    3. (Optional) Give the application a unique name.
    4. Click Create.
      The Code42 application is added to the list of enterprise applications.

Step 4: Configure Azure AD provisioning 

Use the Azure portal to configure provisioning for the Code42 application. For general information about provisioning in Azure AD, see the Azure AD documentation. For more information about how to configure provisioning specifically for Code42, see the Azure AD tutorial Configure Code42 for automatic user provisioning.

  1. From Enterprise Applications, select the Code42 application you created in Step 3.
  2. Under Manage, select Users and Groups to add users and groups to the application. 
  3. Under Manage, select Provisioning.
  4. Click Get Started in the "Automate identity lifecycle management with Azure Active Directory" screen.
  5. For Provisioning mode, select Automatic.
  6. Under Admin Credentials, enter the information you copied from the Code42 console in Step 2:
    1. In Tenant URL, enter the base URL.
    2. In Secret Token, enter the token.
    3. In Notification Email, enter the email address of the person to receive notification emails and select Send an email notification when a failure occurs.
  7. Click Test Connection to ensure that the connection to Code42 is working. If the test is successful, the following message is displayed: The supplied credentials are authorized to enable provisioning.
    If the test is not successful, regenerate the credentials in the Code42 console and enter the new values in the Admin Credentials fields.
  8. If desired, select Mappings to change how group and user attributes flow from Azure AD to Code42. For information about how to configure provisioning mapping in Azure AD, see the Azure AD documentation.
    User attribute mappings
    The default mappings listed in the Code42 application may be different than what is shown below. To ensure provisioning occurs as expected, use the following mappings. You can modify each Azure or Code42 attribute by clicking the specific attribute. See the Azure AD documentation for directions on how to edit each attribute.
    1. To change group mapping, select Provision Azure Active Directory Groups
    2. To change user mapping, select Provision Azure Active Directory Users
      The following are the suggested user attribute mappings from Azure AD to Code42. To change these mappings, click the Azure Active Directory attribute.
  9. In Scope, select Sync only assigned users and groups. You can only provision users and groups that are assigned to the Code42 application in Azure AD.
  10. Click Save
  11. Make any other settings changes your new application requires, and add users and groups to the new application. 
    See the Azure AD documentation for details on adding users to applications and performing other application setup tasks.
  12. Start provisioning users to Code42.
    1. Return to the Provisioning panel and set the Provisioning Status to On. 
    2. Click Save to start provisioning. (If you have already run a sync, click Restart Sync.) 
      It may take up to 40 minutes before synchronization runs and users are provisioned to the mapped organization in Code42. 
    3. (Optional): To provision users manually, use Provision on demand.

Users are provisioned into the Code42 organization you specified in Step 2. If you want to provision users into different organizations based on the group they belong to in Azure, proceed to the next step. 

Step 5: Push SCIM groups from Azure to Code42

SCIM groups pushed to Code42 are used to map users to organizations, roles, and watchlists. If you are not using groups, continue to the next step.

To push SCIM groups from Azure:

  1. Ensure that you have added users to groups. (See the Azure documentation.)
  2. In Mappings, ensure that you have enabled Provision Azure Active Directory Groups.  
  3. Provision users and groups to Code42 by setting the Provisioning Status to On and clicking Save, or if you have already run a sync, by clicking Restart Sync.

Apply changes after mapping SCIM groups

If you want to map SCIM groups to Code42 organizations in Step 6, you must first push or provision SCIM groups and their users to Code42 so they are available in the Code42 console. 

However, this means that initially the users are provisioned in the default organization and are assigned default roles rather than the ones you want to map them to. To move these users to the desired organizations and roles, ensure that you map SCIM groups to organizations and roles (Step 6) and then apply the mappings using the Apply Org and Role Settings action. 

Step 6: Map users to organizations and roles using SCIM groups

When users are first provisioned into Code42, they are provisioned to an organization that you specified in the Edit organization mapping method dialog in Step 2. If you prefer, you can map users to Code42 organizations based on the SCIM groups they belong to in Azure. You can also assign users roles in Code42 based on their SCIM groups.

Follow the steps in the sections below:

You must first provision groups to Code42 from Azure AD before you can map users to organizations and roles based on SCIM group. 

Map users to organizations using SCIM groups

  1. In the Code42 console, navigate to Administration > Integrations > Identity Management.
  2. Select the Provisioning tab.
  3. Select the provisioning provider you set up in Step 2.
  4. Click the edit icon to the right of Organization mapping.
    The Edit Organization Mapping Method dialog is displayed.
  5. Select Map users to organizations using SCIM groups. 
    Do not select Map users to organizations based on the provider's "c42OrgName" attribute. Azure AD does not support this method. 
  6. Choose an organization to which unmapped users will be assigned. Unmapped users are users who either do not belong to a group or whose group is not mapped.
  7. Click Save
    The Add organization mapping dialog appears. 
  8. In Select a SCIM group, select one or more groups.
    Groups appear only after a provisioning synchronization from Azure AD has completed.
  9. From Select a Code42 organization, choose an organization from the menu. 
  10. Click Save
    The mapping appears on the Provisioning Provider details page. 
  11. Click Add mapping and repeat the process until all of your SCIM groups have been mapped to Code42 organizations. 
    Once all available SCIM groups have been mapped, the message All SCIM groups are mapped appears.
  12. (Optional) Adjust the priority of each mapping. This is useful for users who belong to more than one SCIM group. 

If you want to assign roles to users provisioned to Code42, proceed with the steps below in Map users to roles using SCIM groups. Otherwise, apply the mapping as described in Apply organization and role mappings.

Map users to roles using SCIM groups

Role mapping allows you to automatically assign Code42 roles and permissions to provisioned users based on their SCIM group. Users who are not mapped inherit the default roles for their organization. 

  1. In the provisioning provider details page, click the edit icon to the right of Role mapping.
    The Edit role mapping dialog appears.
  2. Select Map SCIM groups to Code42 roles.
    Only select Manually if you want to assign roles manually in Code42
  3. Click Save.
    An Add mapping button appears under Role mapping.
  4. Click Add mapping
    The Add Role Mapping dialog appears.
  5. In Select a SCIM group, select one or more groups.  
    Only groups that have not been mapped appear in the dropdown.
  6. In Select a Code42 role, select one or more roles from the list to apply to this SCIM group. 
    Basic roles
      • If the insider risk agent is deployed to users in this group, include the Agent User role.
      • If the backup agent is deployed to users in this group, include the Desktop User and PROe User roles. These roles allow users to sign in to the Code42 agent and Code42 console to manage their backups and restore their files. If you are giving external groups access to your Code42 environment (for example, outside legal counsel), they do not need these roles.
  7. Click Add.
    The role mapping appears under the provisioning provider detail.
  8. Click Add mapping and repeat the process until all of your SCIM groups have been mapped to Code42 roles.
    The message All SCIM groups are mapped appears.

When you are done mapping roles, apply the mapping as described below in Apply organization and role mappings.

Apply organization and role mappings

After you have completed the organization mapping and role mapping as described in the preceding sections, you must apply the mappings. 

  1. In the provisioning provider details page, select Actions > Apply org and role settings.
  2. In the Apply organization and role settings dialog, click Apply.
    Provisioned users are moved to the mapped organizations and are assigned the mapped roles. 

If you change organization or role mapping in the future, apply the mappings as described here using Actions > Apply org and role settings.

(Optional) Step 7: Edit deactivation delay

In the Code42 console, view the provisioning provider details and select Deactivation Delay.

The deactivation delay determines how long Code42 waits to deactivate a user after syncing with the provisioning provider. To learn more about user deactivation, see Deactivate and reactivate users and devices.

Backup agent only: Although Code42 may be configured to wait, it blocks a user immediately when it receives a deactivation update for that user from the provisioning provider. Blocking a user means they can no longer sign in to Code42 agents, but their devices continue to back up. The delay helps prevent accidentally deactivating a user and removing their backup archive. If you need to cancel a pending user deactivation during the delay period, unblock the user.

Troubleshooting

Users are not provisioned to Code42

To troubleshoot why users or attributes aren't being sent to Code42 from Azure AD, see the Azure AD documentation to review provisioning errors. 

If everything is configured properly in Azure AD but users aren't being provisioned to Code42, assign an empty group to the Code42 application in Azure AD, then add users to that group. This initiates new provisioning calls for those users.

There are no SCIM groups available

This message appears if SCIM groups have not been provisioned. You must first provision groups to Code42 from Azure AD before you can map organizations and roles based on SCIM group.

Syncing

  • To view information about provisioning in Code42, see the Sync Log in the Code42 console. It contains details of all of the users that have been created, updated, or deleted in Code42 due to provisioning. 
  • Once provisioning is configured in the Code42 application in Azure AD, make all user changes in Azure AD. Code42 does not sync changes back to Azure AD, so any changes you make to user values on the Code42 side cause the two apps to become out of sync.
  • Updating the Code42 console does not start a sync between Azure AD and Code42. Only adding or removing a user from a group in Azure AD starts a sync. 

The country value is incorrect in Code42

If the value of the country code is incorrect in Code42, it could be because the default mapping in Azure does not contain the correct country value.

The default country value in Code42 is mapped to the usageLocation Azure AD attribute. While this value will always conform to the SCIM spec that requires a two-character country code, it may represent the region in which the user accesses Microsoft products, not necessarily where they are located. If you use Azure AD Connect, this value is typically populated by the msExchUsageLocation attribute in your on-premises Azure AD by default.

Should you want to use a different mapping, you have a few options:

Option 1: Build an expression

Reconfigure the user attribute mapping to use the country attribute in Azure AD. Then create a mapping expression that looks up appropriate ISO 3166 country codes for long-form country names.

  1. In the Attribute Mapping dialog, click usageLocation.
  2. In the Edit Attribute dialog, click the Mapping type field and select Expression.
  3. In the Expression field enter the following switch expression:
IIF(IsNull([country]), "", Switch(ToLower([country], ), , "afghanistan", "AF", "albania", "AL", "algeria", "DZ", "american samoa", "AS", "andorra", "AD", "angola", "AO", "anguilla", "AI", "antarctica", "AQ", "antigua", "AG", "barbuda", "AG", "argentina", "AR", "armenia", "AM", "aruba", "AW", "australia", "AU", "austria", "AT", "azerbaijan", "AZ", "bahamas", "BS", "bahrain", "BH", "bangladesh", "BD", "barbados", "BB", "belarus", "BY", "belgium", "BE", "belize", "BZ", "benin", "BJ", "bermuda", "BM", "bhutan", "BT", "bolivia", "BO", "bosnia", "BA", "herzegovina", "BA", "botswana", "BW", "bouvet island", "BV", "brazil", "BR", "british indian ocean territory", "IO", "brunei darussalam", "BN", "bulgaria", "BG", "burkina faso", "BF", "burundi", "BI", "cambodia", "KH", "cameroon", "CM", "canada", "CA", "cape verde", "CV", "cayman islands", "KY", "central african republic", "CF", "chad", "TD", "chile", "CL", "china", "CN", "christmas island", "CX", "cocos islands", "CC", "colombia", "CO", "comoros", "KM", "congo", "CG", "democratic republic of the congo", "CD", "cook islands", "CK", "costa rica", "CR", "croatia", "HR", "cuba", "CU", "curaçao", "CW", "cyprus", "CY", "czech republic", "CZ", "denmark", "DK", "djibouti", "DJ", "dominica", "DM", "dominican republic", "DO", "ecuador", "EC", "egypt", "EG", "el salvador", "SV", "equatorial guinea", "GQ", "eritrea", "ER", "estonia", "EE", "ethiopia", "ET", "falkland islands", "FK", "faroe islands", "FO", "fiji", "FJ", "finland", "FI", "france", "FR", "french guiana", "GF", "french polynesia", "PF", "french southern territories", "TF", "gabon", "GA", "gambia", "GM", "georgia", "GE", "germany", "DE", "ghana", "GH", "gibraltar", "GI", "greece", "GR", "greenland", "GL", "grenada", "GD", "guadeloupe", "GP", "guam", "GU", "guatemala", "GT", "guernsey", "GG", "guinea", "GN", "guinea-bissau", "GW", "guyana", "GY", "haiti", "HT", "holy see", "VA", "honduras", "HN", "hong kong", "HK", "hungary", "HU", "iceland", "IS", "india", "IN", 
"indonesia", "ID", "iran", "IR", "iraq", "IQ", "ireland", "IE", "isle of man", "IM", "israel", "IL", "italy", "IT", "jamaica", "JM", "japan", "JP", "jersey", "JE", "jordan", "JO", "kazakhstan", "KZ", "kenya", "KE", "kiribati", "KI", "democratic people's republic of korea", "KP", "south korea", "KR", "korea", "KR", "kuwait", "KW", "kyrgyzstan", "KG", "lao", "LA", "latvia", "LV", "lebanon", "LB", "lesotho", "LS", "liberia", "LR", "libya", "LY", "liechtenstein", "LI", "lithuania", "LT", "luxembourg", "LU", "macao", "MO", "macedonia", "MK", "madagascar", "MG", "malawi", "MW", "malaysia", "MY", "maldives", "MV", "mali", "ML", "malta", "MT", "marshall islands", "MH", "martinique", "MQ", "mauritania", "MR", "mauritius", "MU", "mayotte", "YT", "mexico", "MX", "federated states of micronesia", "FM", "micronesia", "FM", "republic of moldova", "MD", "moldova", "MD", "monaco", "MC", "mongolia", "MN", "montenegro", "ME", "montserrat", "MS", "morocco", "MA", "mozambique", "MZ", "myanmar", "MM", "namibia", "NA", "nauru", "NR", "nepal", "NP", "netherlands", "NL", "new caledonia", "NC", "new zealand", "NZ", "nicaragua", "NI", "niger", "NE", "nigeria", "NG", "niue", "NU", "norfolk island", "NF", "northern mariana islands", "MP", "norway", "NO", "oman", "OM", "pakistan", "PK", "palau", "PW", "palestine", "PS", "state of palestine", "PS", "panama", "PA", "papua new guinea", "PG", "paraguay", "PY", "peru", "PE", "philippines", "PH", "pitcairn", "PN", "poland", "PL", "portugal", "PT", "puerto rico", "PR", "qatar", "QA", "réunion", "RE", "romania", "RO", "russian federation", "RU", "russia", "RU", "rwanda", "RW", "saint barthélemy", "BL", "saint helena, ascension and tristan da cunha", "SH", "saint helena", "SH", "saint kitts", "KN", "saint kitts and nevis", "KN", "saint lucia", "LC", "saint martin", "MF", "saint pierre and miquelon", "PM", "saint vincent and the grenadines", "VC", "samoa", "WS", "san marino", "SM", "sao tome", "ST", "sao tome and principe", "ST", "saudi arabia", "SA", 
"senegal", "SN", "serbia", "RS", "seychelles", "SC", "sierra leone", "SL", "singapore", "SG", "sint maarten", "SX", "slovakia", "SK", "slovenia", "SI", "solomon islands", "SB", "somalia", "SO", "south africa", "ZA", "south sudan", "SS", "spain", "ES", "sri lanka", "LK", "sudan", "SD", "suriname", "SR", "svalbard and jan mayen", "SJ", "swaziland", "SZ", "sweden", "SE", "switzerland", "CH", "syrian arab republic", "SY", "taiwan", "TW", "taiwan, republic of china", "TW", "tajikistan", "TJ", "united republic of tanzania", "TZ", "tanzania", "TZ", "thailand", "TH", "timor-leste", "TL", "togo", "TG", "tokelau", "TK", "tonga", "TO", "trinidad and tobago", "TT", "tunisia", "TN", "turkey", "TR", "turkmenistan", "TM", "turks and caicos islands", "TC", "tuvalu", "TV", "uganda", "UG", "ukraine", "UA", "united arab emirates", "AE", "united kingdom", "GB", "united states", "US", "united states minor outlying islands", "UM", "uruguay", "UY", "uzbekistan", "UZ", "vanuatu", "VU", "bolivarian republic of venezuela", "VE", "venezuela", "VE", "viet nam", "VN", "vietnam", "VN", "british virgin islands", "VG", "us virgin islands", "VI", "wallis and futuna", "WF", "western sahara", "EH", "yemen", "YE", "zambia", "ZM", "zimbabwe", "ZW"))
  4. Click OK to save the attribute mapping.
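
A pre-flight check for the Option 1 expression, added here as an example (it is not Code42 or Microsoft code): it extracts the key/value pairs from the Switch expression and reports which directory country values would match no key and so provision an empty country. The sample expression is a constructed excerpt of the one above, the directory values are constructed, and the check assumes that an unmatched value resolves to the expression's empty default and that Python's lower() behaves like ToLower for your data.

```python
import re
from collections import Counter

# Constructed excerpt of the Option 1 expression (six of its key/value pairs),
# kept in the same form as the full expression on this page.
SAMPLE_EXPRESSION = (
    'IIF(IsNull([country]), "", Switch(ToLower([country], ), , '
    '"czech republic", "CZ", "germany", "DE", "korea", "KR", '
    '"south korea", "KR", "united kingdom", "GB", "united states", "US"))'
)

# Constructed sample of country values as they might appear on directory users.
SAMPLE_DIRECTORY_VALUES = [
    "Germany", "germany ", "USA", "United States", None, "Czechia",
    "South Korea", "DE",
]

_LITERAL = re.compile(r'"([^"]*)"')
_TWO_LETTER_CODE = re.compile(r"[A-Z]{2}")


def parse_switch_pairs(expression):
    """Return {key: code} for the literals that follow Switch( in the expression."""
    start = expression.find("Switch(")
    if start < 0:
        raise ValueError("no Switch( call found")
    # Empty literals (an explicit "" default, if present) are not keys or codes.
    literals = [s for s in _LITERAL.findall(expression[start:]) if s]
    if len(literals) % 2:
        raise ValueError("odd number of literals: a key or a code is missing")
    pairs = {}
    for key, code in zip(literals[0::2], literals[1::2]):
        if pairs.get(key, code) != code:
            raise ValueError(f"key {key!r} is mapped to two different codes")
        pairs[key] = code
    return pairs


def audit_pairs(pairs):
    """List keys that can never match and codes that are not two letters."""
    problems = []
    for key, code in pairs.items():
        # The source is lowercased before comparison, so a key containing an
        # uppercase character is dead.
        if key != key.lower():
            problems.append(f"{key!r}: key is not lowercase and never matches")
        if not _TWO_LETTER_CODE.fullmatch(code):
            problems.append(f"{key!r}: {code!r} is not a two-letter code")
    return problems


def resolve(country, pairs):
    """Assumed behaviour: null or unmatched input yields the empty default."""
    if country is None:
        return ""
    # Nothing is trimmed: padding around a value prevents a match.
    return pairs.get(country.lower(), "")


def unmapped_values(directory_values, pairs):
    """Count non-null directory values that would provision an empty country."""
    return Counter(v for v in directory_values
                   if v is not None and resolve(v, pairs) == "")


if __name__ == "__main__":
    pairs = parse_switch_pairs(SAMPLE_EXPRESSION)
    for problem in audit_pairs(pairs):
        print("mapping problem:", problem)
    for value, count in unmapped_values(SAMPLE_DIRECTORY_VALUES, pairs).items():
        print(f"no match for {value!r} ({count} user(s))")
```

Note the "DE" case in the sample: a value that is already a two-letter code matches none of the long-form keys.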

Option 2: Change the mapping between on-premises Active Directory and Azure AD

If you use Azure AD Connect, change the mapping between on-premises Active Directory and Azure AD.

On-premises Active Directory has various attributes that represent a user's country. For example, the "c" attribute is typically populated in Active Directory with the two-character country code. Choose the appropriate attribute in your on-premises directory, then update your Azure AD Connect mapping to associate the chosen attribute to Azure AD's country attribute.

Once the Azure AD Connect mapping has been updated, perform the following steps to use the new mapping:

  1. In the Attribute Mapping dialog, click usageLocation.
  2. In the Edit Attribute dialog, click the Source Attribute field.
  3. Select country.
  4. Select OK to save the configuration.

Option 3: Delete the usageLocation attribute mapping

If the country information isn't being provisioned to Code42 as expected, simply delete the mapping for the usageLocation user attribute outright. Although the country information would not appear in Code42 as a result, this approach avoids causing failures or errors with your Azure provisioning application altogether.