Installing and Configuring the Microsoft Entra ID

Microsoft Entra ID, formerly known as Azure Active Directory, is a cloud-based identity and access management service that enables organizations to manage permissions and secure access to sensitive resources. It supports user provisioning through the System for Cross-domain Identity Management (SCIM) 2.0 protocol, a standard for managing user identities across systems and applications.
This integration allows automatic email invitations to be sent to users in your Microsoft Entra ID, inviting them to join your BoldSign account.

Key features

  • Seamlessly synchronize users from Microsoft Entra ID into BoldSign using SCIM 2.0.
  • Automatically send invitation emails to users, inviting them to join BoldSign.
  • Assign roles to users during provisioning to manage access.
  • Maintain synchronized user attributes between Microsoft Entra ID and BoldSign.

Set up user provisioning with Microsoft Entra ID

After completing the initial setup, follow these steps to configure user provisioning with Microsoft Entra ID.

Add BoldSign from the Microsoft Entra Application Gallery

  • Log in to the Microsoft Entra Admin Portal.
  • Expand the Entra ID menu and choose Enterprise apps to navigate to the Enterprise application page.
  • Click the New application option.

  • Click the Create Your Own Application button.

  • Enter a name for the application.
  • Select the Integrate any other application you don’t find in the gallery (Non-gallery) option.
  • Click the Create button. Once the application is created, you will be redirected to the application’s home page.

Connect to your BoldSign account

  • On the Application page, select Provisioning in the left sidebar menu.
  • You will be taken to the Application Overview (preview) page. Choose the Provisioning option again.

  • Choose the Automatic option from the Provisioning Mode menu.
  • Under the Admin Credentials section, enter your Tenant URL and Secret Token. The Secret Token is generated in the BoldSign web portal. For guidance on how to generate the secret token, refer to our article on How to set up Microsoft Entra ID in BoldSign.

  • Click Test Connection to verify that Microsoft Entra ID connects to BoldSign.
  • Click Save to confirm the settings.

Attribute mapping

  • After testing the connection, expand the Mappings section, located below the Admin Credentials section.

  • Choose the Provision Azure Active Directory Groups option, ensure the Enabled option is turned off, and click Save.

  • Select Provision Azure Active Directory Users and ensure the Enabled option is turned on.
  • Choose the desired Target Object Actions (Create, Update, Delete).

  • In the Attribute mappings section, add the user attributes. Remove all default attributes not included in this list.

| Customappsso Attribute | Microsoft Entra ID Attribute | Matching Precedence | Apply This Mapping | Mapping header | |
| --- | --- | --- | --- | --- | --- |
| userName | userPrincipalName | 1 | Always | Direct | Mandatory |
| active | Switch([IsSoftDeleted], , "False", "True", "True", "False") | - | Always | Expression | Mandatory |
| title | jobTitle | - | Always | Direct | Mandatory |
| name.givenName | givenName | - | Always | Direct | Mandatory |
| name.familyName | surname | - | Always | Direct | Mandatory |
| phoneNumbers[type eq "mobile"].value | mobile | - | Always | Direct | Mandatory |
| roles[primary eq "True"].value | SingleAppRoleAssignment([appRoleAssignments]) | - | Always | Expression | Mandatory |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | department | - | Always | Direct | Mandatory |
| externalId | objectId | - | Always | Direct | Mandatory |
| emails[type eq "work"].value | mail | - | Always | Direct | Mandatory |

When a new user is added, the department attribute determines their team in BoldSign:

  • If a department is specified, the user is invited to the corresponding team.
  • If no department is provided, the user is added to the Organization Admin team.
  • If the specified department does not match an existing team, a new team is created with the department name, and the user is invited to join it.
  • These attributes are used to match the user accounts in BoldSign for update operations. Click Save to apply the attribute mappings.

Provisioning settings

  • Expand the Settings menu below the Mapping section.

  • Enable Send an email notification when a failure occurs and enter the email address to receive the provisioning error notification.

  • In the Settings section, use Scope to specify which users should be provisioned for BoldSign.

    • Synchronize all users and groups: Synchronizes all users from Microsoft Entra ID to BoldSign with the default role set to Member. Role customization is not available with this option.
    • Synchronize only assigned users and groups: This option will synchronize only the users explicitly assigned to the enterprise application. To customize the role, you should create an app role.

  • Click the Save button to apply your changes.

How to start provisioning

  • On the application page, select Overview in the left sidebar menu.
  • Click Start provisioning.

Adding custom app roles in Microsoft Entra

To enable role-based access control for BoldSign user provisioning, follow the steps below to create custom app roles in Microsoft Entra:

  • In Microsoft Entra Admin Portal, select App registrations in the left panel and go to the All applications tab.

  • Select the application created for BoldSign user provisioning to navigate to the App Overview page.
  • In the left panel, select App roles and then click Create app role.

  • Configure the Role:

    • Display name: Enter Admin
    • Allowed member types: Select Users/Groups
    • Value: Enter Admin
    • Description: Provide a relevant description for the role
    • Enable role: Check the box to enable the app role
  • Click Apply to save the role

  • Repeat the process to create the following roles: Admin, Member, and TeamAdmin. Role names are case-sensitive and must not contain spaces.

Assign users with a custom role to the application

  • On the application page, select Users and Groups in the left sidebar menu.
  • Select Add User/Group.

  • In the User section, click None Selected.

  • Select Users if you wish to synchronize only specific users.
  • Select Groups if you wish to synchronize all users within the selected group.

During the assignment process, you must also select a role for each user or group. The available roles are Admin, Member, and TeamAdmin.

  • Use the role selection panel to assign the appropriate role based on the user’s responsibilities.

If no role is explicitly selected during the assignment, the Member role is assigned by default.

  • Click the Assign button.

  • The assigned users will appear in the list. Only these users are eligible for provisioning.

  • When a user is added or updated in Microsoft Entra ID, the user provisioning process is automatically triggered at a default interval of 40 minutes. This ensures the timely synchronization of user data between Microsoft Entra ID and BoldSign.
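
The department-to-team rules from the attribute mapping section and the role rules from the assignment steps above, written as a pre-flight check to run over the users in scope before provisioning starts. This is an added example, not BoldSign or Microsoft code; the `appRole` input key, the sample users and team names, and the exact, case-sensitive department match are assumptions.

```python
VALID_ROLES = {"Admin", "Member", "TeamAdmin"}   # app role values named on this page
DEFAULT_ROLE = "Member"                          # applied when no role is selected
FALLBACK_TEAM = "Organization Admin"             # team used when department is empty

def project_user(user, existing_teams):
    """Predict the provisioning outcome for one Entra user under this page's rules."""
    flags = []
    # Switch([IsSoftDeleted], , "False", "True", "True", "False") inverts the flag,
    # so a soft-deleted source user is sent with active = False.
    active = not user.get("IsSoftDeleted", False)

    role = user.get("appRole") or DEFAULT_ROLE   # "appRole" is a hypothetical input key
    if role not in VALID_ROLES:
        flags.append(f"role value {role!r} is not Admin, Member or TeamAdmin")

    dept = user.get("department") or ""
    if not dept:
        team = FALLBACK_TEAM
        flags.append("no department: invited to the Organization Admin team")
    else:
        team = dept
        if dept not in existing_teams:           # assumption: exact, case-sensitive match
            flags.append(f"department {dept!r} creates a new team")

    return {"userName": user["userPrincipalName"], "active": active,
            "role": role, "team": team, "flags": flags}

def preflight(users, existing_teams):
    """Return only the users whose projected outcome needs a second look."""
    results = (project_user(u, existing_teams) for u in users)
    return [r for r in results if r["flags"]]

# Constructed sample data, not taken from any real tenant.
EXISTING_TEAMS = {"Legal", "Sales"}
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "department": "Legal", "appRole": "Admin"},
    {"userPrincipalName": "bob@example.com", "department": "", "appRole": None},
    {"userPrincipalName": "carol@example.com", "department": "Leagl", "appRole": "teamadmin"},
    {"userPrincipalName": "dave@example.com", "department": "Sales",
     "appRole": "Member", "IsSoftDeleted": True},
]

if __name__ == "__main__":
    for r in preflight(SAMPLE_USERS, EXISTING_TEAMS):
        print(r["userName"], "->", r["team"], "/", r["role"], r["flags"])
```

Users flagged here are worth correcting in Microsoft Entra ID first, since a blank or misspelled department changes which team the invitation targets.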

User provisioning

BoldSign sends an invitation link to users during provisioning. To complete setup and access the BoldSign application, users must confirm the invitation by signing in with their Microsoft account credentials.

User deprovisioning

  • If a user is deleted before accepting the invitation, the pending invitation is automatically cancelled.
  • When a user is deleted from Azure AD, the corresponding user account in BoldSign is deactivated rather than permanently deleted. This approach ensures that any documents associated with the user can be properly transferred to another active user. Document reassignment must be performed through the BoldSign web application. Once deactivated, the user will no longer have access to or be able to use the BoldSign application.
  • To permanently delete a user from BoldSign and transfer their documents, refer to this article: How to delete a user and transfer their documents to another user?.

Handling user invitation failures

As part of automatic user provisioning via Microsoft Entra ID, BoldSign attempts to invite users to your organization automatically. In some cases, these invitations may fail. When this happens, a send failure email is automatically sent to the organization admin with details about the failed invitation.

This failure may occur due to one of the following reasons:

  • User limit reached: Your BoldSign plan has reached the maximum number of allowed users.
  • Invalid secret token: The SCIM secret token configured in your identity provider is incorrect.
  • Connectivity issues: Temporary network or sync issues occurred during the provisioning process.
  • User conflict: The user already exists in your BoldSign account or is part of another organization.