Extended mode in Entra ID provisioning for Guardey
Entra ID Provisioning enables seamless synchronization of users and groups between Microsoft Entra ID and Guardey. While standard provisioning handles most common attributes, some organizations require more advanced control. For these use cases, Guardey supports extended provisioning mode, allowing you to map additional fields such as teams, organizations, leaders, and more.
In this guide, you’ll learn about:
- Supported default fields
- Extended fields and how to configure them
- Setting up custom mapping
- Enabling multi-organization mode
- Important considerations and best practices
Supported Guardey fields
1. Standard fields
Guardey syncs the following attributes automatically from Entra ID, without any additional configuration.
User fields
- Entra field: userPrincipalName; SCIM mapping: userName; Guardey field: Email
- Entra field: givenName; SCIM mapping: name.givenName; Guardey field: First name
- Entra field: surname; SCIM mapping: name.familyName; Guardey field: Last name
- Entra field: preferredLanguage; SCIM mapping: preferredLanguage; Guardey field: Default language
- Entra field: mobile; SCIM mapping: phoneNumbers[type eq "mobile"].value; Guardey field: Phone number
- Entra expression: (expression); SCIM mapping: active; Guardey field: Active / Inactive status
Group fields
- Entra field: displayName; SCIM mapping: displayName; Guardey field: Group name
2. Extended Guardey fields
If the standard fields are not enough, Guardey also supports several extended SCIM fields that you can manually map in Entra ID.
Supported extended user fields
- Organization: Entra field (example): companyName or custom attribute; SCIM target: ...User:organizationName; Notes: Requires support activation
- Team: Entra field: department; SCIM target: ...User:teamName; Notes: Works immediately
- Team Leader: Entra field: manager; SCIM target: ...User:teamLeaderId; Notes: Works immediately
- Permission (team statistics): Entra field: employeeType; SCIM target: ...User:allowTeamStatistics; Notes: Works immediately
Extended group field
- Organization (group level): Entra field: displayName (parsed); SCIM target: ...Group:organizationName; Notes: Requires support activation
Setting up mapping
To configure extended provisioning, go to:
Entra portal → Enterprise applications → Your Guardey app → Provisioning → Attribute mapping
User mapping
organizationName Attribute
You can use this attribute if you want to have organizations imported from Entra ID.
We are configuring the conversion of the source "companyName" attribute to the target "urn:ietf:params:scim:schemas:extension:guardey:2.0:User:organizationName" attribute (Guardey API), because the Guardey API expects this attribute for the User object. If needed, you can use another source attribute here, but you must use the target attribute exactly as specified above.
Go to Provision Microsoft Entra ID Users, click “Show advanced options,” and then select “Edit attribute list for customappsso.”
Add the new “urn:ietf:params:scim:schemas:extension:guardey:2.0:User:organizationName” attribute to the provisioning schema and save changes.
Go back and click “Add New Mapping.”
Add a new mapping rule for the “urn:ietf:params:scim:schemas:extension:guardey:2.0:User:organizationName” attribute and save changes.
teamName Attribute
You can use this attribute as an alternative way to transfer user groups to the Guardey app. It is recommended to use this attribute in Provisioning if you do not include your Groups object in Entra ID Provisioning.
We are configuring the conversion of the source "department" attribute to the target "urn:ietf:params:scim:schemas:extension:guardey:2.0:User:teamName" attribute (Guardey API) because the Guardey API expects this attribute for the User object. If needed, you can use another source attribute here, but you must use the target attribute exactly as specified above.
Go to Provision Microsoft Entra ID Users, click “Show advanced options,” and then click “Edit attribute list for customappsso.”
Add the new "urn:ietf:params:scim:schemas:extension:guardey:2.0:User:teamName" attribute to the provisioning schema and save changes.
Go back and click “Add New Mapping.”
Add a new mapping rule for the "urn:ietf:params:scim:schemas:extension:guardey:2.0:User:teamName" attribute and save changes.
teamLeaderId Attribute
You can use this attribute to transfer users’ team leaders to the Guardey app.
We are configuring the conversion of the source "manager" attribute to the target "urn:ietf:params:scim:schemas:extension:guardey:2.0:User:teamLeaderId" attribute (Guardey API), because the Guardey API expects this attribute for the User object. If needed, you can use another source attribute here, but you must use the target attribute exactly as specified above.
Go to Provision Microsoft Entra ID Users, click “Show advanced options,” and then click “Edit attribute list for customappsso.”
Add the new "urn:ietf:params:scim:schemas:extension:guardey:2.0:User:teamLeaderId" attribute to the provisioning schema and save changes.
Add a new mapping rule for the "urn:ietf:params:scim:schemas:extension:guardey:2.0:User:teamLeaderId" attribute and save changes.
allowTeamStatistics Attribute
You can use this attribute to transfer a user's permission to view their team statistics in the Guardey app.
We are configuring the conversion of the source "employeeType" attribute to the target "urn:ietf:params:scim:schemas:extension:guardey:2.0:User:allowTeamStatistics" attribute (Guardey API), because the Guardey API expects this attribute for the User object. If needed, you can use another source attribute here, but you must use the target attribute exactly as specified above.
Go to Provision Microsoft Entra ID Users, click “Show advanced options,” and then click “Edit attribute list for customappsso.”
Add the new "urn:ietf:params:scim:schemas:extension:guardey:2.0:User:allowTeamStatistics" attribute to the provisioning schema and save changes.
Go back and click “Add New Mapping.”
Add a new mapping rule for the "urn:ietf:params:scim:schemas:extension:guardey:2.0:User:allowTeamStatistics" attribute.
We use the mapping type "Expression" to convert the "employeeType" source attribute to the "urn:ietf:params:scim:schemas:extension:guardey:2.0:User:allowTeamStatistics" target attribute (Guardey API), because the Guardey API expects this attribute for the User object.
Expression:
IIF([employeeType]="manager", "true", "false")
This expression returns “true” if the employee type equals “manager” and “false” in all other cases.
If needed, you can use another source attribute here, but you must use the target attribute exactly as specified above.
Groups mapping
organizationName Attribute
You can use this attribute if you want to have organizations imported from Entra ID.
We use the group “displayName” field to parse it and extract the organization from it. The expected format of “displayName” in this example is:
“[organizationName] - [teamName]”
Go to Provision Microsoft Entra ID Groups, click “Show advanced options,” and then click “Edit attribute list for customappsso.”
Add the new “urn:ietf:params:scim:schemas:extension:guardey:2.0:Group:organizationName” attribute to the provisioning schema and save changes.
Go back and click “Add New Mapping.”
Add a new mapping rule for the “urn:ietf:params:scim:schemas:extension:guardey:2.0:Group:organizationName” attribute.
We use the mapping type "Expression" to convert the "displayName" source attribute to the “urn:ietf:params:scim:schemas:extension:guardey:2.0:Group:organizationName” target attribute (Guardey API), because the Guardey API expects this attribute for groups.
Expression:
IIF(Instr([displayName], " - ", , )>"0", Left([displayName], Instr([displayName], " - ", , )), "")
This expression selects the first part of the group name, before the first occurrence of the " - " separator.
If needed, you can use another source attribute here, but you must use the target attribute exactly as specified above.
displayName Attribute
If you store the organization name in the group name (for example: "My organization - My Group"), then you may want to display shorter group names in the Guardey app (for example: "My Group"). To achieve this, you need to set up mapping for the "displayName" group attribute.
To do this, go back, find the “displayName” attribute in the list, and click the “Edit” button on the right.
Use the mapping type “Expression” and use this expression to select the second part of the group name, after the first occurrence of the " - " separator:
IIF(Instr([displayName], " - ", , )>"0", Mid(Mid([displayName], Instr(Append([displayName], " - "), " - ", , ), 103), 3, 100), [displayName])
Enabling multiple organizations mode
If you use the organizationName attribute, contact Guardey Support to enable multiple organizations mode.
Important notes:
- Organization names must match exactly
- Do not rename child organizations in Guardey (Entra will recreate them)
- To rename: disable provisioning, rename in both Entra ID + Guardey, then re-enable
- Child organizations are never auto-deleted
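A pre-flight check for the “[organizationName] - [teamName]” naming convention and the exact-match rule, as an added example that is not part of the Guardey documentation: it splits each group name at the first " - " separator, as the expressions above intend, and reports names that would yield an empty, padded, or inconsistently spelled organization. The function names and sample group names are constructed for illustration, and the code does not emulate Entra's expression engine.

```python
from collections import defaultdict

SEP = " - "  # separator the page's displayName expressions split on

def split_group_name(display_name):
    """Return (organization, team) as the page intends: split at the first SEP.

    Without a separator the organization is empty and the name is kept whole,
    matching the fallback branches of the two expressions.
    """
    org, sep, team = display_name.partition(SEP)
    if not sep:
        return "", display_name
    return org, team

def preflight(display_names):
    """Collect findings that would create wrong or duplicate organizations."""
    findings = []
    by_folded = defaultdict(set)  # normalized spelling -> spellings actually used
    for name in display_names:
        org, team = split_group_name(name)
        if not org:
            findings.append((name, "no organization part"))
            continue
        if org != org.strip() or team != team.strip() or not team.strip():
            findings.append((name, "stray whitespace or empty team"))
        if SEP in team:
            findings.append((name, "separator occurs more than once"))
        by_folded[" ".join(org.split()).casefold()].add(org)
    for variants in by_folded.values():
        if len(variants) > 1:  # same organization written in different ways
            findings.append((tuple(sorted(variants)), "organization spellings differ"))
    return findings

# Constructed sample export of Entra group display names.
SAMPLE = [
    "Contoso - Finance",
    "Contoso - Sales - EMEA",
    "contoso - HR",
    "Fabrikam  - IT",
    "All Staff",
]

if __name__ == "__main__":
    for subject, issue in preflight(SAMPLE):
        print(f"{issue}: {subject!r}")
```

Running it against a group export before starting provisioning is useful because child organizations created from a misspelled name are never auto-deleted.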
Enabling provisioning
After completing all configuration steps, navigate to:
Provisioning → Start Provisioning
Entra ID will then begin synchronizing users and groups based on your configured mappings.
In Guardey, make sure the provisioning integration is enabled so that incoming user and group data can be processed correctly.