Important: Requires the ThreatLocker SCIM Integration for ThreatLocker Administrator Accounts.
Setting Up User and Group Provisioning in the Entra ID Portal
In the Entra ID portal, you will need to create a new Enterprise app to allow ThreatLocker to connect to Entra.
Navigate to Enterprise apps.

Select New Application.

- Select 'Create your own application', located at the top of the screen.
- Provide a name for the application.
- Select 'Integrate any other application you don't find in the gallery'.
- Click 'Create'.

Once the app has finished creating, navigate down to 'Provisioning'.

In the Overview window, select 'Connect your application'.

In the New provisioning configuration window, leave the authentication method as Bearer authentication.
Insert the Tenant URL and the Secret token from the ThreatLocker portal sidebar.

Select the 'Test Connection' button in Entra to verify the API URL and Token were inserted correctly.
If the Enabled button was not toggled on in the ThreatLocker portal, the connection test will fail. Please ensure the Enabled button is toggled on.
Click the 'Create' button to create your Enterprise app.
Next, navigate to 'Attribute mapping'.

No adjustments are needed on the Groups.
Select Provision Microsoft Entra ID Users to adjust the user attributes that will be sent to ThreatLocker.

Scroll down to the list of Attribute Mapping.

Here, you can remove all attributes that are not necessary for ThreatLocker user provisioning. Select the 'Delete' button next to all attributes except userName, name.givenName, and name.familyName. Any attributes received by ThreatLocker that are not one of the three listed above will be disregarded.
Once you have deleted the unnecessary attributes, click the 'Save' button in the top left.

Please note: The userName must be an email and it must be unique (meaning there are no other users in the ThreatLocker portal with an identical name).
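The attribute and userName rules above can be checked before provisioning starts. The following is an added example, not ThreatLocker or Microsoft code: it reduces SCIM User resources to the three attributes ThreatLocker keeps and flags userName values that are not emails or not unique. The function names, the sample users, the simple email pattern, and the case-insensitive uniqueness comparison are assumptions.

```python
import re

# Simple shape check only (assumption): local@domain.tld with no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def reduce_user(resource):
    """Keep only userName, name.givenName and name.familyName; drop the rest."""
    name = resource.get("name") or {}
    return {
        "userName": resource.get("userName"),
        "name.givenName": name.get("givenName"),
        "name.familyName": name.get("familyName"),
    }


def preflight(resources, existing_usernames=()):
    """Return (users_to_send, problems) for a batch of SCIM User resources.

    existing_usernames: userNames already present in the ThreatLocker portal.
    Comparison is case-insensitive (assumption; SCIM treats userName that way).
    """
    seen = {u.casefold() for u in existing_usernames}
    users, problems = [], []
    for res in resources:
        user = reduce_user(res)
        uname = user["userName"] or ""
        if not EMAIL_RE.match(uname):
            problems.append((uname, "userName is not an email address"))
        elif uname.casefold() in seen:
            problems.append((uname, "userName is not unique"))
        else:
            seen.add(uname.casefold())
            users.append(user)
    return users, problems


# Constructed sample resources (not real accounts).
SAMPLE = [
    {"userName": "alice@example.com", "title": "Analyst", "active": True,
     "name": {"givenName": "Alice", "familyName": "Ng"}},
    {"userName": "bob", "name": {"givenName": "Bob", "familyName": "Ito"}},
    {"userName": "Alice@Example.com", "name": {"givenName": "Alice", "familyName": "Ng"}},
    {"userName": "carol@example.com", "name": {"givenName": "Carol"}},
]

if __name__ == "__main__":
    ok, bad = preflight(SAMPLE, existing_usernames=["carol@example.com"])
    for user in ok:
        print("send:", user)
    for uname, reason in bad:
        print("fix :", repr(uname), "-", reason)
```

Any entry reported as "fix" should be corrected in Entra before the user or its group is assigned to the application.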
Once the attribute mapping is complete, assign users and groups to the application.
Navigate to Users and groups.

Select 'Add user/group'.

Select 'None Selected' to open the Users and groups list.

In the list that populates, select the check box next to the users and/or groups you wish to have provisioned from Entra to ThreatLocker. When selecting an entire group, all users contained in that group will be included in the provisioning.
Please Note: Selecting individual users will create the user with no permissions or roles applied in the ThreatLocker portal. It will be necessary to navigate to the Users page in the ThreatLocker portal and open the user sidebar to apply individual permissions. Roles are not able to be added to SCIM provisioned users.
Once all selections have been made, click the blue 'Select' button.

Next, select the 'Assign' button.

Select 'Provisioning'.

Slide the toggle to Provisioning Status 'On'. Then click Save at the top.

On the Overview page, scroll to the bottom step.

Click 'Start provisioning' to start the synchronization process. This is what will populate groups in the Group Mapping dropdown in ThreatLocker. This initial provisioning could take up to an hour.
All settings are now complete in Entra ID. Users and Groups that are added in Entra will automatically be added in ThreatLocker.
Removing Users and Groups
Once user provisioning has been established, users and/or groups that are removed in Entra will be disabled and removed from the ThreatLocker portal.
Please Note: If a user is removed from a group in Entra, but not deleted in Entra, all ThreatLocker roles that are mapped to that Entra group will be removed from that user.