Configure Microsoft Azure to automatically provision users/groups to Cloud SWG

Article ID: 262298

Updated On: 10-04-2023

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Below are the steps to be performed in Cloud SWG and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to Cloud SWG.
Cloud SWG and Azure Portal paths are validated as of 20 March 2023.

Environment

Cloud SWG.

Azure Active Directory (Azure AD).

SCIM User provisioning on Azure.

SAML IDP server on Azure.

 

Resolution

Set up Cloud SWG for provisioning:

Before configuring Cloud SWG for automatic user provisioning with Azure AD, you will need to enable SCIM provisioning in the Cloud SWG Portal.

1. Sign in to your Cloud SWG Portal at https://portal.threatpulse.com/
2. Navigate to Identity -> SAML Authentication
3. Select "SCIM Third-Party Users & Groups Sync"
4. Click on "Generate Integration Token" and click "Save" on the following screen


Add Symantec Web Security Service (WSS) from the gallery:

To configure Cloud SWG for automatic user provisioning with Azure AD, you need to add Symantec Web Security Service (WSS) from the Azure AD application gallery to your list of managed Enterprise applications.

1. In the Azure portal, in the left navigation panel, select Azure Active Directory
2. Go to Enterprise applications, and click on "New Application"
3. In the search box, enter "Symantec", select "Symantec Web Security Service (WSS)" in the results panel, and then click the "Create" button to add the application


Configuring automatic user provisioning to Cloud SWG:

This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in Cloud SWG based on user and/or group assignments in Azure AD.

You may also choose to enable SAML-based single sign-on for Cloud SWG, following the instructions provided in the Cloud SWG Single sign-on tutorial. 
Single sign-on can be configured independently of automatic user provisioning, though these two features complement each other.

1. Sign in to the Azure portal. Select "Azure Active Directory", then go to "Enterprise Applications", then click on the previously created "Symantec Web Security Service (WSS)" application
2. Select the "Provisioning" tab
3. Set the Provisioning Mode to "Automatic"
4. Under the Admin Credentials section, input the SCIM URL and Token values generated earlier in the WSS Portal
5. Click "Test Connection" to ensure Azure AD can connect to Cloud SWG.
6. Under the Mappings section, Enable "Provision Azure Active Directory Groups" and "Provision Azure Active Directory Users"
7. Under the Settings section, make sure you select either "Sync only assigned users and groups" or "Sync all users and groups" as per your preference
8. To enable the Azure AD provisioning service for Cloud SWG, change the Provisioning Status to "On"
9. When you are ready to provision, click "Save"




Note: if you have chosen "Sync only assigned users and groups", you have to use the "Assign users and groups" option to add users/groups to your "Symantec Web Security Service (WSS)" Enterprise Application:

1. Sign in to the Azure portal. Select "Azure Active Directory", then go to "Enterprise Applications", then click on the previously created "Symantec Web Security Service (WSS)" application
2. Click on "Assign users and groups" followed by "Add user/group"
3. Click on "None Selected" at the left, select the users you want to add to your application at the right side and click the "Select" button





Note: the provisioning interval is fixed at 40 minutes.
You can use "Provision on demand" if you want to provision your new users/groups more quickly.