SCIM Provisioning with Azure

This article explains how to use the Azure SCIM app to automatically sync user and group information, and provision users and groups from Azure AD to your Cato account.

Capabilities Supported

  • Create and disable users in the Cato Management Application

  • Synchronize users and attributes from Azure AD to the Cato Management Application

  • Single Sign-On (SSO) to Azure

  • Users can authenticate with email or UPN depending on your Azure configuration. 


Make sure that these items are ready before you create the Azure SCIM app:

  • An Azure AD tenant

  • Azure AD permissions to configure user provisioning


  • Removing a user from the IdP application disables the user in the Cato Management Application (see below Removing Users or Groups from the SCIM App)

  • Nested groups provisioning are not supported

  • SCIM sync overrides existing LDAP groups with the same name. For more information, see How SCIM Sync Overrides Existing LDAP Groups

  • SCIM provisioned users are not identified with WMI-based User Awareness. User Awareness with SCIM is supported using Cato Identity Agent

Planning the User Sync

This section describes how to plan your Azure AD to sync users with your Cato account. For more about planning the user sync between Azure and Cato, see these Microsoft articles:

Defining Users and Groups for the User Sync

Azure AD lets you define the users that are included in the user sync with Cato according to one of these methods:

  • Assigning users to the Azure app

  • Filtering users based on the attributes for users or groups

As part of the process to plan the user sync with Cato, we recommend that you start with a small group of users. Depending on the method above, you can:

  • Assign a few users to the Azure app

  • Create an attribute based scoping filter that only matches a few users

Configuring Automatic User Sync to Cato with the Cato SCIM App

You can connect your Azure AD to your Cato account and sync users between them. Add the Cato SCIM app in the Azure gallery to your account and then configure the settings to connect to your Cato account. Azure initiates the automatic user sync every 40 minutes.

Then you can define the Azure AD groups and users that are synced and enable automatic provisioning.

The status of users in your Identity Provider (IdP) are automatically synced to your Cato account. For example, when you disable users in the IdP, they are synced to your Cato account as disabled.

Configuring the Cato SCIM App

Configure the settings for the Cato SCIM app from the Azure gallery and then set the app to automatically sync users to Cato.

In the Cato Management Application, enable SCIM Provisioning and copy the URL and token to the Admin Credentials section in the Cato SCIM app.

To connect Cato Management Application to the SCIM app:

  1. From the Azure portal, go to Enterprise Applications.

  2. Search for the Cato Networks Provisioning app and click Create.

  3. In the Cato Management Application, from the navigation menu select Access > Directory Services and click the SCIM tab.

  4. Select Enable SCIM Provisioning to set your account to connect to the SCIM app.

  5. Click Save.

  6. Copy and paste the SCIM URL and token to blank text file.

    1. In Base URL, click the copy icon copy.png to copy the SCIM URL to the clipboard and then paste it in the text file.

    2. In Bearer Token, click the copy icon copy.png to copy the unique account token to the clipboard and then paste it in the text file.

  7. In Azure, go to the Provisioning section for the SCIM app, and paste the SCIM URL and token.

    1. Paste the URL in Tenant URL.

    2. Paste the token in Secret Token.

    3. Click Save.

  8. In Azure, click Test Connection to make sure that Azure AD can connect to the Cato SCIM app.

  9. Enable automatic provisioning in the app.

    1. From the navigation menu, select Provisioning.

    2. In the Provisioning screen, click Get started.

    3. From the Provisioning Mode drop-down menu, select Automatic.

    4. Click Save.

  10. Assign groups and users to the app.

Provisioning Users to Your Cato Account

After the Cato SCIM app can connect to your account, enable automatic provisioning and select the users and groups that are synced.

To provision users to your Cato account:

  1. In the Cato SCIM app, go to the Provisioning section.

  2. In Provisioning Status, click Start provisioning.


    The initial synchronization between your Azure AD and Cato account starts.

Reviewing the SCIM Provisioning Attributes

After you configure the Cato SCIM app, you can review the mapping for the SCIM provisioning attributes between Azure AD and the Cato Management Application.

Azure AD Attribute

Cato User Attribute

Notes about User



User name for user

Coalesce([mail], [userPrincipalName])

emails[type eq "work"].value

Email address



First name



Last name


phoneNumbers[type eq "work"].value

Phone number (including prefix)



ID for user (used in events)

Switch([IsSoftDeleted], , "False", "True", "True", "False")


When a user is unassigned from the SCIM app, the user is soft deleted with the parameters: "False", "True", "True", "False"

Assigning SDP Licenses

In the IdP, define the groups and users that are synced to your Cato account. After the initial sync is completed, all users are then created in the Cato Management Application and visible on the Users Directory page .

You can then assign SDP licenses to users, for more information, see Assigning SDP Licenses to Users (EA).

Understanding Events for SCIM Provisioning

The Cato Management Application generates events whenever users and groups are blocked because they fail to meet the requirements of the Client Connectivity Policy.

Each hour, the Cato Management Application sends email alerts that summarize the SCIM provisioning actions (success or failure).

The following table explains the different events.

Event Type



SCIM Provisioning


The action to sync the users or groups to your account with the SCIM app succeeded.

SCIM Provisioning


The SCIM app failed to sync the IdP with your account. The event message explains the reason for the sync failure.

SCIM Provisioning


A disabled user in the IdP was successfully synced and disabled in your Cato account.

Was this article helpful?

0 out of 0 found this helpful


Add your comment