Hoxhunt Azure AD Gallery App is a preconfigured Azure AD Enterprise application that you can add to your Azure AD tenant.
The Hoxhunt Azure AD Gallery App can be used to set up and manage:
- Automatic user provisioning with Azure Active Directory (SCIM)
- Azure AD Single sign-on (SSO)
This page gives basic information and best practices on how to manage the app.
Configuring automatic user provisioning for Hoxhunt (SCIM)
Configuring single sign-on for Hoxhunt (SSO)
Hoxhunt Azure AD Gallery App Guide
Enabling automatic user provisioning and managing gallery app
Contact Hoxhunt Support and configure the Hoxhunt Azure AD Gallery App with the help of this tutorial: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/hoxhunt-provisioning-tutorial
When automatic user provisioning is turned on:
- Users are created automatically in Hoxhunt
  - When a user is in scope for provisioning in Azure AD, the user is created in Hoxhunt or matched with an already existing Hoxhunt user account.
- User data is updated automatically
  - If any of the user's provisioned attributes changes in Azure AD, the attribute is also updated in Hoxhunt.
- Soft and hard deletion
  - If a provisioned user is no longer in provisioning scope (unassigned from the app or no longer passing the scoping filters), the user is set as soft deleted in Hoxhunt.
  - A soft deleted user is permanently deleted after 90 days unless the user is re-assigned to the SCIM application.
  - Training for a soft deleted user is paused.
  - When a user is permanently deleted in Azure AD, the user is permanently deleted from Hoxhunt without the 90-day grace period.
General information about automatic user provisioning: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/configure-automatic-user-provisioning-portal
You can set the attribute mappings by going to Provisioning > Edit Provisioning > Mappings > Provision Azure Active Directory Users.
You can see the default attribute mappings in the picture below.
Mandatory Hoxhunt attributes are userName, emails[type eq "work"].value, active, name.givenName and name.familyName. If you don't want to provision the department, country, site or language attributes, you can delete them from the attribute mappings list.
You can change the Azure Active Directory Attributes (source attributes) to the attribute that holds the desired data. For example, you may want to use the mail attribute instead of userPrincipalName as the source attribute for userName and emails[type eq "work"].value.
Change the source attribute by clicking the Azure Active Directory Attribute and selecting a new Source Attribute from the menu. Changing any of the attributes causes all users to be resynchronized.
Do not change the Hoxhunt Attributes (target attributes).
UPDATE 22/04/2021: Language and Site
preferredLanguage is currently missing from the list by default. If you want to map the Azure AD preferredLanguage to the Hoxhunt UI and simulation languages, you can add it by clicking Add New Mapping and setting both the source and the target attribute to preferredLanguage.
preferredLanguage must be in the format "en-US" or "en".
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division can be used to sync data to the Hoxhunt "Site" attribute. Select the preferred source attribute.
If you are adding preferredLanguage or urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division to the attributes list and cannot find them, you might need to reset the mappings to defaults first:
"Provisioning" > "Edit provisioning" > tick "Restore default mappings" and click "Save"
How to set language and region settings for Office 365: https://docs.microsoft.com/en-us/office365/troubleshoot/access-management/set-language-and-region
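The attribute mapping rules above (mandatory targets, optional department/site/language, switching the identity source from userPrincipalName to mail) can be seen together as the SCIM body Azure AD produces for one user. The following is an added example written for this page, not Hoxhunt's or Microsoft's code: it applies the documented target attributes to a single Azure AD user, validates the "en" / "en-US" language format, and refuses to build a body when a mandatory source attribute is empty, which is the usual reason a user fails to provision. The body shape follows SCIM 2.0 (RFC 7643). The sample user is constructed; the default Site source of officeLocation and the language-tag pattern are assumptions, and country is left out because the page does not give its target path.

```powershell
# Added example for this page, not Hoxhunt's or Microsoft's code.
# Builds the SCIM 2.0 (RFC 7643) user body that the documented Hoxhunt mappings
# produce for one Azure AD user, and fails fast when a mandatory target attribute
# would be empty. Property names on $AadUser follow Get-MgUser output.
function ConvertTo-HoxhuntScimUser {
    param(
        [Parameter(Mandatory)] $AadUser,
        # Source attribute for userName and emails[type eq "work"].value; the page
        # mentions switching this from userPrincipalName to mail.
        [ValidateSet('userPrincipalName', 'mail')]
        [string] $IdentitySource = 'userPrincipalName',
        # Assumption: which Azure AD attribute feeds the "Site" (enterprise division) target.
        [string] $SiteSourceAttribute = 'officeLocation',
        # Optional targets you may delete from the mapping list; $false leaves them out.
        [bool] $IncludeDepartment = $true,
        [bool] $IncludeSite = $true,
        [bool] $IncludeLanguage = $true
    )

    $identity = $AadUser.$IdentitySource

    # Mandatory Hoxhunt attributes. An empty source value makes the provisioning
    # cycle fail for this user, so stop before building anything.
    $mandatory = @(
        @{ Target = 'userName / emails[type eq "work"].value'; Value = $identity }
        @{ Target = 'name.givenName';  Value = $AadUser.givenName }
        @{ Target = 'name.familyName'; Value = $AadUser.surname }
    )
    foreach ($m in $mandatory) {
        if ([string]::IsNullOrWhiteSpace($m.Value)) {
            throw "Mandatory Hoxhunt attribute '$($m.Target)' is empty for user $($AadUser.id); fix the source attribute mapping or the user."
        }
    }

    $body = [ordered]@{
        schemas  = @('urn:ietf:params:scim:schemas:core:2.0:User')
        userName = $identity
        # Azure AD sends active=false when the account is disabled or the user drops
        # out of provisioning scope; that is what Hoxhunt treats as a soft delete.
        active   = [bool]$AadUser.accountEnabled
        name     = [ordered]@{ givenName = $AadUser.givenName; familyName = $AadUser.surname }
        emails   = @([ordered]@{ primary = $true; type = 'work'; value = $identity })
    }

    if ($IncludeLanguage -and $AadUser.preferredLanguage) {
        # Required format per the page: "en" or "en-US". Assumption: enforce a
        # language[-REGION] pattern instead of sending whatever the source holds.
        if ($AadUser.preferredLanguage -notmatch '^[a-z]{2,3}(-[A-Z]{2})?$') {
            throw "preferredLanguage '$($AadUser.preferredLanguage)' is not in the form 'en' or 'en-US' for user $($AadUser.id)."
        }
        $body['preferredLanguage'] = $AadUser.preferredLanguage
    }

    # The enterprise extension carries department and division (the Hoxhunt "Site" target).
    $ext = [ordered]@{}
    if ($IncludeDepartment -and $AadUser.department) { $ext['department'] = $AadUser.department }
    $site = $AadUser.$SiteSourceAttribute
    if ($IncludeSite -and $site) { $ext['division'] = $site }
    if ($ext.Count -gt 0) {
        $body['schemas'] += 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'
        $body['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'] = $ext
    }
    return $body
}

# Constructed sample user shaped like Get-MgUser output; not a real tenant or person.
$sampleUser = [pscustomobject]@{
    id                = '11111111-2222-3333-4444-555555555555'
    userPrincipalName = 'alice.smith@contoso.onmicrosoft.com'
    mail              = 'alice.smith@contoso.com'
    givenName         = 'Alice'
    surname           = 'Smith'
    accountEnabled    = $true
    department        = 'Finance'
    officeLocation    = 'Helsinki'
    preferredLanguage = 'en-US'
}

# Use mail rather than userPrincipalName as the identity source, as the page suggests.
ConvertTo-HoxhuntScimUser -AadUser $sampleUser -IdentitySource mail |
    ConvertTo-Json -Depth 5
```

Running the function over real Get-MgUser output for the users you intend to assign (for example with `Get-MgUser -All | ForEach-Object { ... }` wrapped in try/catch) gives you the list of accounts that would fail before you turn provisioning on; the most common finding is a populated userPrincipalName but an empty mail attribute after switching the identity source.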
Assign users to the application or use scoping filters
You can choose whether to provision only the users assigned to the Hoxhunt application or all users in the directory. If you don't plan to use user assignment, you should use scoping filters to include or exclude users based on Azure AD attributes.
The preferred way is to create an Azure AD group for Hoxhunt users. Include only the employee accounts that participate in the training and exclude non-user accounts (for example shared mailboxes and service accounts). You can use either a static or a dynamic Azure AD group. Good membership rules for a dynamic group pick up only users with certain email domains, only licensed users, or only users with attributes that identify them as employees.
Scoping filters can also be used together with user assignment. A user then needs to be assigned to the application and also pass the scoping filters to be in scope for provisioning.
NOTE: Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Nested group memberships and Microsoft 365 groups are not currently supported. (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal)
More information at Microsoft Docs:
Dynamic membership rules: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
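The group-based approach described above, as an added example written for this page rather than Hoxhunt's own tooling: it creates a dynamic security group whose rule combines the three criteria the page recommends (company mail domain, licensed, employee rather than guest), assigns the group to the Hoxhunt enterprise application, and reports the membership the rule has produced. It uses the Microsoft Graph PowerShell SDK and the dynamic membership rule syntax from the Microsoft page linked above. The mail domain, group name, app display name and the service-plan GUID are placeholders you replace for your tenant; dynamic groups and group assignment need Azure AD Premium P1 or P2, as noted above.

```powershell
# Added example for this page, not Hoxhunt's own tooling. Creates a dynamic security
# group with a membership rule of the kind the page recommends, assigns it to the
# Hoxhunt enterprise application, and reports how many members the rule picked up.
# Needs Azure AD Premium P1/P2 and the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All'

$mailDomain     = 'contoso.com'                           # placeholder
$employeePlanId = '00000000-0000-0000-0000-000000000000'  # placeholder: service plan that marks a licensed employee
$appDisplayName = 'Hoxhunt'                               # assumption: the enterprise app's display name

# Membership rule: enabled member (non-guest) accounts with a company mail address and
# an enabled licence. Guests, disabled accounts and unlicensed shared/service accounts
# stay out of scope, so they are never created in Hoxhunt and existing ones are soft deleted.
# Nested groups are not supported for app assignment, so the rule must select users directly.
$clauses = @(
    '(user.accountEnabled -eq true)'
    '(user.userType -eq "Member")'
    "(user.mail -match `"@$([regex]::Escape($mailDomain))`$`")"
    "(user.assignedPlans -any (assignedPlan.servicePlanId -eq `"$employeePlanId`" -and assignedPlan.capabilityStatus -eq `"Enabled`"))"
)
$rule = $clauses -join ' and '

$group = New-MgGroup -DisplayName 'Hoxhunt Training Users' `
    -MailEnabled:$false -MailNickname 'hoxhunt-training-users' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Assign the group to the Hoxhunt enterprise application (its service principal).
# Applications that define no app roles use the documented default role id of all zeros.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Enterprise application '$appDisplayName' not found in this tenant." }
$role = $sp.AppRoles | Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains 'User' } | Select-Object -First 1
$roleId = if ($role) { $role.Id } else { '00000000-0000-0000-0000-000000000000' }
New-MgGroupAppRoleAssignment -GroupId $group.Id -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $roleId | Out-Null

# Dynamic membership is evaluated asynchronously; re-run this check after a few minutes
# and compare the count with the number of employees you expect to train.
$members = Get-MgGroupMember -GroupId $group.Id -All
"Group '$($group.DisplayName)': $($members.Count) members so far; rule = $rule"
```

Review the member list before enabling provisioning: every account the rule selects will be created in Hoxhunt on the first cycle, and every account that later stops matching (leaver, licence removed, account disabled) is soft deleted and permanently removed after 90 days, so the rule is effectively your joiner/leaver process for the training.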
Decide with Hoxhunt how new users should be enrolled
When automatic user provisioning is turned on and a dynamic Azure AD group or scoping filters are used, new users are created in Hoxhunt automatically. Agree on a plan with Hoxhunt for activating new users: Hoxhunt can, for example, start the training or invite new users on a weekly or monthly basis.
Removing non-provisioned users from Hoxhunt (optional)
If users were added to Hoxhunt through user list updates before automatic user provisioning was enabled, there may be a need to remove non-provisioned users from Hoxhunt. Hoxhunt may require the list of users assigned to the enterprise application to perform the clean-up.
Contact Hoxhunt Support if you notice any issues with SCIM provisioning. Below you can find links to articles that can help with troubleshooting.
On-demand provisioning to test provisioning with a single user: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/provision-on-demand
Check the status of user provisioning: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user
Provisioning logs: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-provisioning-logs?context=/azure/active-directory/app-provisioning/context/app-provisioning-context