Configure Microsoft Entra ID User Provisioning with Group Attribute and PIN Support Using a Custom Application

Access to the VMC Entra ID (Azure AD) integration is required.

This guide walks through the steps you must complete in both VMC and Microsoft Entra ID to configure automatic user provisioning using a Custom Application in the Azure portal.

When this is configured, users and groups will be automatically provisioned (created, updated, and removed) in VMC using the Azure AD Provisioning service.

What this configuration enables

  • Automatically create users in VMC.

  • Automatically remove users who no longer require access.

  • Keep user attributes synchronized between Microsoft Entra ID and VMC.

  • Set synced users’ notifications based on default settings.

  • Support single sign-on (SSO) to VMC (recommended).

Before You Begin

  • You must have administrator access to Microsoft Entra ID.

  • You must have administrator access to VMC.

  • This setup uses Microsoft Entra ID’s automatic provisioning service to sync users and groups into VMC.

  • If you do not need group attributes or PIN support, please follow this guide instead.

Steps

1. Sign in to Azure Portal

2. Create a Custom Enterprise Application

  • Go to Enterprise applications.

  • Click + New application.

  • Enter a name for the app.

  • Select Integrate any other application you don’t find in the gallery (Non-gallery).

  • Click Create.

3. Configure Provisioning

  • In the application’s Manage section, select Provisioning.

  • Click + New configuration.

4. Retrieve VMC Credentials

  • Open a new browser tab and go to the VMC Integrations page.

  • Click Enable or Configure for Microsoft Entra ID (Azure AD).

  • Under Credentials, copy the Secret Token and Tenant URL.

5. Enter Credentials in Azure

  • Paste the Secret Token and Tenant URL into the provisioning configuration form in Azure.

  • Click Test Connection to verify the connection works.

  • If successful, click Create to save the configuration.

6. Update User Attribute Mappings

  • Follow the steps below to map user attributes; you may skip this step if it is not required.

  • VMC uses the urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber attribute as the user PIN field. Map it to your Microsoft Entra ID attribute if required. The PIN field allows users to check in quickly on the tablet kiosk.

  • Click Manage -> Provisioning -> Mappings to see options to configure Users and Groups.

  • Click on Provision Microsoft Entra ID Users.

  • You may change the mapping or add new mappings as required.

    Review the user attributes that are synchronized from Microsoft Entra ID to VMC in the Attribute-Mapping section. The attributes selected as Matching properties are used to match the user accounts in VMC for update operations.

  • The following attributes are supported:

Attribute                                                                   Type      Supported for filtering
userName                                                                    String
active                                                                      Boolean
displayName                                                                 String
title                                                                       String
emails[type eq "work"].value                                                String
name.givenName                                                              String
name.familyName                                                             String
addresses[type eq "work"].streetAddress                                     String
addresses[type eq "work"].locality                                          String
addresses[type eq "work"].region                                            String
phoneNumbers[type eq "mobile"].value                                        String
externalId                                                                  String
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department       String
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber   String

Important Notes: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber is the PIN field on VMC.
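
The following is an added example, not part of the original guide or VMC's own code. It flattens a SCIM 2.0 User payload (a constructed sample) into the attribute paths used in the table above, reports which paths fall outside the supported list, and flags whether employeeNumber (the VMC PIN) is being sent. The function names and sample values are assumptions.

```python
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PIN_PATH = ENTERPRISE + ":employeeNumber"  # the guide says VMC treats this as the PIN

# Attribute paths this guide lists as supported by VMC.
SUPPORTED = {
    "userName", "active", "displayName", "title", "externalId",
    "name.givenName", "name.familyName",
    'emails[type eq "work"].value', 'phoneNumbers[type eq "mobile"].value',
    'addresses[type eq "work"].streetAddress', 'addresses[type eq "work"].locality',
    'addresses[type eq "work"].region',
    ENTERPRISE + ":department", PIN_PATH,
}
ENVELOPE = {"schemas", "id", "meta"}  # SCIM envelope fields, not mapped attributes


def attribute_paths(resource):
    """Flatten a SCIM User resource into mapping-style target attribute paths."""
    paths = []
    for key, value in resource.items():
        if key in ENVELOPE:
            continue
        if key.startswith("urn:") and isinstance(value, dict):  # schema extension
            paths += [f"{key}:{sub}" for sub in value]
        elif isinstance(value, dict):  # complex attribute such as name
            paths += [f"{key}.{sub}" for sub in value]
        elif isinstance(value, list):  # multi-valued attribute such as emails
            for item in value:
                for sub in item:
                    if sub not in ("type", "primary"):
                        paths.append(f'{key}[type eq "{item.get("type")}"].{sub}')
        else:
            paths.append(key)
    return paths


def review(resource):
    """Return (paths outside the supported list, whether the PIN attribute is sent)."""
    paths = attribute_paths(resource)
    return sorted(p for p in paths if p not in SUPPORTED), PIN_PATH in paths


# Constructed sample payload; every value here is made up for illustration.
SAMPLE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "externalId": "constructed-0001", "userName": "alex@example.com", "active": True,
    "name": {"givenName": "Alex", "familyName": "Example"},
    "emails": [{"type": "work", "value": "alex@example.com", "primary": True}],
    "phoneNumbers": [{"type": "fax", "value": "+1 555 0100"}],
    "preferredLanguage": "en-US",
    ENTERPRISE: {"employeeNumber": "000000", "manager": "constructed-mgr"},
}
```

Running `review(SAMPLE)` before enabling provisioning shows which mapped attributes are not in the supported list and confirms whether a value will land in the PIN field.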

7. Update Group Mappings

  • Follow the steps below to map group attributes; you may skip this step if it is not required.

  • Make sure Enabled is Yes.

  • Click on Provision Microsoft Entra ID Groups.

  • Change Enabled to Yes, Save, and return to the previous screen.

  • Go to Users and groups and assign the necessary users and groups to the application.

9. Update Settings in VMC

  • Return to VMC and update the Azure integration configuration.

  • Map the relevant Groups or Users as needed.

⚠️ Notes:

  • Sync all users will assign users to all kiosks.

  • Sync and assign users to locations and kiosks as host will apply mappings where configured. If no mapping is found for a particular user, they will be synced without mapping.

  • Assign default groups means all synced users belong to those groups.

10. Start Provisioning

  • Click Start provisioning or Provision on demand.

11. Monitor Provisioning

Once provisioning starts:

  1. Check the provisioning logs to see which users are synchronized successfully.

  2. Use the progress bar to see the current provisioning cycle status.

  3. If provisioning becomes unhealthy, the application may go into quarantine.