Please ensure Javascript is enabled for purposes of website accessibility
Powered by Zoomin Software. For more details please contactZoomin

CONNECT

TABLE OF CONTENTS

Import users from Microsoft Entra ID

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
  • Last UpdatedAug 21, 2025
  • 4 minute read

If your organization uses Microsoft Entra ID to manage users and groups they can be imported directly to CONNECT.

To import users and groups from Microsoft Entra ID:

  1. Sign in to the Microsoft Entra admin center portal.

  2. From the navigation rail expand Identity, followed by Applications.

  3. Select Enterprise applications.

  4. Select + New application, followed by + Create your own application.

  5. Enter a name for your application, e.g. CONNECT.

  6. Select Integrate any other application you don't find in the gallery (Non-gallery) and select Create to create an app object.

    The new app is added to the list of enterprise applications and its app management screen opens.

  7. From the App management window for your new app, select Provisioning from the left panel.

  8. Select + New configuration

  9. In the Tenant URL box, enter the CONNECT SCIM endpoint URL (https://services.connect.aveva.com/scim/v2).

  10. In the Secret Token box, paste your SCIM Import account access token. See Create access tokens for information on creating access tokens.

  11. Select Test Connection to attempt to connect to the SCIM endpoint.

  12. After a successful attempt, select Create to create the provisioning job.

  13. Select Attribute mappings in the left panel, update the mappings to match the following for users objects:

    User mappings in Microsoft Entra ID. The mapping details are repeated in the table that follows.

    customappsso Attribute

    Microsoft Entra ID Attribute

    userName

    userPrincipalName

    active

    Switch([IsSoftDeleted], ,"False", "True", "True", "False")

    name.formatted

    Join(" ",[givenName], [surname])

    externalId

    mailNickname

  14. Ensure the group object attribute mappings match the following:

    Group mappings in Microsoft Entra ID. The mapping details are repeated in the table that follows.

    customappsso Attribute

    Microsoft Entra ID Attribute

    displayName

    displayName

    externalId

    objectId

    members

    members

  15. Navigate to the Overview page in the left panel, and select the Properties tab.

  16. Select the pencil icon and ensure the Scope field is set to Sync only assigned users and groups (recommended) to only sync users and groups assigned in the Users and Groups tab.

  17. (Optional) Enable a Notification email to receive quarantine emails and enable Prevent accidental deletions. Select Apply to save.

  18. Select Users and groups in the left panel.

  19. Select + Add user/group and add the groups and users you wish to synchronize, then select Assign.

    Note: If a user exists in a group, they will be synchronized by adding the group.

  20. To test provisioning, select Provision on-demand in the left panel and search for an in scope user and provision them on-demand.

  21. Select Overview, followed by Start provisioning to start the Microsoft Entra ID provisioning service.

Nested Groups

Microsoft Entra ID does not support automatic provisioning with nested groups. It is only able to read and provision users that are immediate members of the explicitly assigned group. As a workaround, you should explicitly assign the groups that contain the users who need to be provisioned.

For example, consider the group structure below:

A diagram where Group 1 has two children titled Group 2 and Group 3. Group 3 has an additional child group titled Group 4.

In order for this structure to be imported to CONNECT correctly, all four groups must be explicitly synchronized (steps 12 - 14 above):

Four groups named Group 1, Group 2, Group 3, and Group 4 in the Azure AD interface.

By doing this, all users will be provisioned and assigned to the relevant groups, e.g. Malcolm Knox will be a member of Group 1, Group 3 and Group 4 within CONNECT.

Microsoft Entra ID documentation regarding nested groups: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/how-provisioning-works#assignment-based-scoping

Note: Groups created via SCIM syncing are not modifiable through CONNECT. For example, it is not possible to add users through CONNECT to the group that was synced by the method described above. The Add users button is disabled in this situation.

Known limitation

Modifications to the User Principal Name (UPN) in Microsoft Entra ID not replicated to AVEVA Connect.

The User Principal Name (UPN) attribute is an immutable attribute in CONNECT and cannot be modified via the SCIM 2.0 protocol. As a workaround, the user can be deleted from CONNECT and then be recreated with the updated UPN.

In special circumstances the modification can be done automatically, but this will require a thorough analysis. Please speak to your Account Manager if you would like to learn more.

In This Topic
Related Links
TitleResults for “How to create a CRG?”Also Available in