Overview
This article explains how to provision users from Microsoft Entra ID (formerly Azure AD) to CrashPlan. Once configured, CrashPlan automatically adds, updates, and removes users when Entra ID syncs to CrashPlan.
This article assumes you are familiar with the concept of provisioning. To learn more, see our Introduction to SCIM provisioning .
The CrashPlan application in Entra ID is intended for single sign-on (SSO) as well as provisioning. This article describes only how to set up provisioning. To learn how to set up SSO, see Configure Entra ID for SSO in your CrashPlan environment .
Considerations
-
To use this functionality, you must be assigned the Identity Management Administrator role.
- If you have been using CrashPlan User Directory Sync for provisioning and want to start using Entra ID for provisioning instead, contact your Customer Success Manager (CSM) to engage the CrashPlan Professional Services team.
- Local users in CrashPlan cannot be created, updated, or deleted from Entra ID. These users can only be managed in the CrashPlan console.
Deactivate users
Deactivation delay
When Entra ID sends an update to deactivate a user, CrashPlan waits 15 minutes before deactivating that user. This delay applies only when you use provisioning to deactivate users. When you manually deactivate users in the CrashPlan console, there is no delay.
The deactivation delay helps protect against moving users' backup archives into cold storage if users are accidentally deactivated in Entra ID. Although CrashPlan waits before deactivating users, CrashPlan immediately blocks users once they receive a deactivation update from Entra ID. Blocked users can no longer sign in to CrashPlan, but their devices continue to back up.
To learn more about user deactivation, see Deactivate and reactivate users and devices in CrashPlan.
Users on legal hold cannot be deactivated
If you place users on legal hold, Entra ID can't deactivate them. Their data is retained for the legal hold process. Users are blocked instead of deactivated. Once you release users from legal hold, they are automatically deactivated.
Supported attributes and features
Supported attributes
The following Entra ID SCIM user attributes are automatically updated in CrashPlan. (To change user attribute mapping, see Step 4.)
Value in Entra ID | Value in CrashPlan |
userPrincipalName | CrashPlan username |
userPrincipalName | |
manager | Manager The manager must also exist in CrashPlan. |
jobTitle | Job title |
givenName | First name |
surname | Last name |
city | City |
state | State |
usageLocation |
Country |
department | Department |
Supported SCIM attributes
The following SCIM attributes are not supported in Entra ID but are supported in CrashPlan:
- Division
- EmployeeType
Note: The UserType attribute in Entra ID is not equivalent to the EmployeeType SCIM attribute, and should not be used as the employee type attribute in CrashPlan.
Supported user provisioning features
Supported
The following user provisioning features are available in the CrashPlan Entra ID application:
- Create users: New users created in Entra ID are also created in CrashPlan.
- Deactivate users: Deactivating a user in Entra ID deactivates the user in CrashPlan.
- Update user attributes: Entra ID updates users' attributes. These updates overwrite any changes made in CrashPlan.
Not supported
- Import users from CrashPlan to Entra ID
- Sync passwords
- Map Entra ID roles to users provisioned in CrashPlan
However, you can assign CrashPlan roles to provisioned users based on the group they belonged to in Entra ID. See Step 5 below.
Step 1: Create CrashPlan organizations
This step is only required if you choose to use the Single Organization or Custom SCIM mapping methods. The "c42OrgName" attribute and Custom attribute methods create CrashPlan organizations automatically.
Create the CrashPlan organization to which users from Entra ID are added during provisioning. (You specify the organization that receives provisioned users in Step 2 below.)
- Sign in to the CrashPlan console.
- Click Administration > Environment > Organizations.
- Select the Add an organization icon and enter a name.
This method adds the organization under the default organization. - To add a child organization
- Select the organization.
- Click the action menu in the upper-right corner.
- Choose Add a child organization.
- Repeat until you have added all of your organizations.
Step 2: Add a provisioning provider in the CrashPlan console
Create the provisioning provider configuration that Entra ID uses to connect to CrashPlan.
- In the CrashPlan console, navigate to Administration > Integrations > Identity Management.
- Select the Provisioning tab.
- Click Add Provisioning Provider > Add SCIM Provider.
- Enter a display name and select OAuth token for the authentication credential type.
You must select OAuth token for use with Entra ID provisioning. - Click Next.
- The SCIM Provider Created message appears. Copy the Base URL and Token values to a safe location for use later. You'll need this information later in the provisioning provider setup.
If you lose this information, you can always click Regenerate credentials on the provisioning provider details page and copy the newly-generated token to the Secret token field in Entra (see Step 4).
- Click Done.
The provisioning provider details appear. - Select the edit icon next to Organization Mapping.
- In the Edit organization mapping method dialog, ensure that Create new users in the organization below is selected, and select an organization to receive newly-provisioned users.
Do not map with SCIM groups yet
If you want to use the Map users to organizations using SCIM groups option, you can only do so after SCIM groups have been pushed during the first synchronization (see the end of Step 4). After the SCIM groups are pushed, in Step 5 you can then map users to organization using SCIM groups. -
Click Save.
Step 3: Add the Entra ID application for CrashPlan
- Sign in to your Entra portal.
- Go to Entra ID.
- Select Enterprise applications.
- Click New application.
- Add the CrashPlan application.
- In Add from the gallery, enter CrashPlan.
Note: Your experience searching for and selecting the CrashPlan application may vary if you view the gallery catalog in preview mode. - Select the CrashPlan application.
- (Optional) Give the application a unique name.
- Click Create.
The CrashPlan application is added to the list of enterprise applications.
- In Add from the gallery, enter CrashPlan.
Step 4: Configure Entra ID provisioning
Use the Entra portal to configure provisioning for the CrashPlan application. For general information about provisioning in Entra ID, see the Entra ID documentation. For more information about how to configure provisioning specifically for CrashPlan, see the Entra ID tutorial Configure CrashPlan for automatic user user provisioning.
- From Enterprise Applications, select the CrashPlan application you created in Step 3.
- Under Manage, select Provisioning.
- Click Get Started in the "Automate identity lifecycle management with Entra Active Directory" screen.
- For Provisioning mode, select Automatic.
- Under Admin Credentials, enter the information you copied from the CrashPlan console in Step 2:
- In Tenant URL, enter the base URL.
- In Secret Token, enter the token.
- In Notification Email, enter the email address of the person to receive notification emails and select Sent an email notification when a failure occurs.
- Click Test Connection to ensure that the connection to CrashPlan is working. If the test is successful, the following message is displayed: The supplied credentials are authorized to enable provisioning.
If the test is not successful, regenerate the credentials in the CrashPlan console and enter the new values in the Admin Credentials fields. - If desired, select Mappings to change how group and user attributes flow from Entra ID to CrashPlan. For information about how to configure provisioning mapping in Entra ID, see the Entra ID documentation.
User attribute mappings
The default mappings listed in the CrashPlan application may be different than what is shown below. To ensure provisioning occurs as expected, use the following mappings. You can modify each Entra or CrashPlan attribute by clicking the specific attribute. See the Entra ID documentation for directions on how to edit each attribute.- To change group mapping, select Provision Entra Active Directory Groups.
- To change user mapping, select Provision Entra Active Directory Users.
The following are the suggested user attribute mappings from Entra ID to CrashPlan. To change these mappings, click the Entra Active Directory attribute.
Entra Active Directory attribute CrashPlan attribute userPrincipalName
userName
userPrincipalName
emails[type eq "work"].value
manager
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager
Not([IsSoftDeleted])
active
jobTitle
title
givenName
name.givenName
surname
name.familyName
city
addresses[type eq "work"].locality
state
addresses[type eq "work"].region
usageLocation
Use "usageLocation" instead of "country" for mapping. If you have any problems mapping country codes to CrashPlan, see Troubleshooting.addresses[type eq "work"].country objectId
externalId
department
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department
- In Scope, select Sync only assigned users and groups. You can only provision users and groups that are assigned to the CrashPlan application in Entra ID.
- Click Save.
- Make any other settings changes your new application requires, and add users and groups to the new application.
See the Entra ID documentation for details on adding users to applications and performing other application setup tasks. - Start provisioning users to CrashPlan.
- Return to the Provisioning panel and set the Provisioning Status to On.
- Click Save to start provisioning. (If you have already run a sync, click Restart Sync.)
It may take up to 40 minutes before synchronization runs and users are provisioned to the mapped organization in CrashPlan. - (Optional): To provision users manually, use Provision on demand.
Users are provisioned into the CrashPlan organization you specified in Step 2. If you want to provision users into different organizations based on the group they belong to in Entra, proceed to the next step.
Step 5: Map users to organizations and roles using SCIM groups
When users are first provisioned into CrashPlan, they are provisioned to an organization that you specified in the Edit organization mapping method dialog in Step 2. If you prefer, you can map users to CrashPlan organizations based on the SCIM groups they belong to in Entra. You can also assign users roles in CrashPlan based on their SCIM groups.
Follow the steps in the sections below:
- Map users to organizations using SCIM groups
- Map users to roles using SCIM groups
- Apply organization and role mappings
Map users to organizations using SCIM groups
- In the CrashPlan console, navigate to Administration > Integrations > Identity Management.
- Select the Provisioning tab.
- Select the provisioning provider you set up in Step 2.
- Click the edit icon to the right of Organization mapping.
The Edit Organization Mapping Method dialog is displayed.
- Select Map users to organizations using SCIM groups.
Do not select Map users to organizations based on the provider's "c42OrgName" attribute. Entra ID does not support this method. - Choose an organization to which unmapped users will be assigned. Unmapped users are users who either do not belong to a group or their group is not mapped.
- Click Save.
The Add organization mapping dialog appears. - In Select a SCIM group, select one or more groups.
Groups appear only after a provisioning synchronization from Entra ID has completed. - From Select a CrashPlan organization, choose an organization from the menu.
- Click Save.
The mapping appears on the Provisioning Provider details page. - Click Add mapping and repeat the process until all of your SCIM groups have been mapped to CrashPlan organizations.
Once all available SCIM groups have been mapped, the message All SCIM groups are mapped appears.
- (Optional) Adjust the priority of each mapping. This is useful for users who belong to more than one SCIM group.
If you want to assign roles to users provisioned to CrashPlan, proceed with the steps below in Map users to roles using SCIM groups. Otherwise, apply the mapping as described in Apply organization and role mappings.
Map users to roles using SCIM groups
Role mapping allows you to automatically assign CrashPlan roles and permissions to provisioned users based on their SCIM group. Users who are not mapped inherit the default roles for their organization.
- In the provisioning provider details page, click the edit icon to the right of Role mapping.
The Edit role mapping dialog appears. - Select Map SCIM groups to CrashPlan roles.
Only select Manually if you want to assign roles manually in CrashPlan.
- Click Save.
An Add mapping button appears under Role mapping. - Click Add mapping.
The Add Role Mapping dialog appears.
- In Select a SCIM group, select one or more groups.
Only groups that have not been mapped appear in the dropdown. - In Select a CrashPlan role, select one or more roles from the list to apply to this SCIM group.
Include the Desktop User and PROe User roles for all users who are backing up their computers to CrashPlan. These roles allow users to sign in to the CrashPlan app and CrashPlan console. If you are giving external groups access to your CrashPlan environment (for example, outside legal council) they do not need these roles.
- Click Add.
The role mapping appears under the provisioning provider detail. - Click Add mapping and repeat the process until all of your SCIM groups have been mapped to CrashPlan roles.
The message All SCIM groups are mapped appears.
When you are done mapping roles, apply the mapping as described below in Apply organization and role mappings.
Apply organization and role mappings
After you have completed the organization mapping and role mapping as described in the preceding sections, you must apply the mappings.
In the provisioning provider details page, select Actions > Apply org and role settings.
- In the Apply organization and role settings dialog, click Apply.
Provisioned users are moved to the mapped organizations and are assigned the mapped roles.
If you change organization or role mapping in the future, apply the mappings as described here using Actions > Apply org and role settings.
(Optional) Step 6: Edit deactivation delay
In the CrashPlan console, view the provisioning provider details and select Deactivation Delay.
The deactivation delay determines how long CrashPlan waits to deactivate a user after syncing with the provisioning provider. To learn more about user deactivation, see Deactivate and reactivate users and devices in CrashPlan.
Although CrashPlan may be configured to wait, CrashPlan does immediately block a user once they receive deactivation update from the provisioning provider. Blocking a user means they can no longer sign in to the CrashPlan app, but their devices continue to back up. The delay helps prevent accidentally deactivating a user and removing their backup archive.
Troubleshooting
Users are not provisioned to CrashPlan
To troubleshoot why users or attributes aren't being sent to CrashPlan from Entra ID, see the Entra ID documentation to review provisioning errors.
If everything is configured properly in Entra ID but users aren't being provisioned to CrashPlan, assign an empty group to the CrashPlan application in Entra ID, then add users to that group. This initiates new provisioning calls for those users.
There are no SCIM groups available
This message appears if SCIM groups have not been provisioned. You must first provision groups to CrashPlan from Entra ID before you can map organizations and roles based on SCIM group.
Syncing
- To view information about provisioning in CrashPlan, see the Sync Log in the CrashPlan console. It contains details of all of the users that have been created, updated, or deleted in CrashPlan due to provisioning.
- Once provisioning is configured in the CrashPlan application in Entra ID, make all user changes in Entra ID. CrashPlan does not sync changes back to Entra ID, so any changes you make to user values on the CrashPlan side causes the two apps to become out-of-sync.
- Updating the CrashPlan console does not start a sync between Entra ID and CrashPlan. Only adding or removing a user from a group in Entra ID starts a sync.
The country value is incorrect in CrashPlan
If the value of the country code is incorrect in CrashPlan, it could be because the default mapping in Entra does not contain the correct country value.
The default country value in CrashPlan is mapped to the usageLocation Entra ID attribute. While this value will always conform to the SCIM spec that requires a two-character country code, it may represent the region in which the user accesses Microsoft products, not necessarily where they are located. If you use Entra ID Connect, this value is typically populated by the msExchUsageLocation attribute in your on-premises Entra ID by default.
Should you want to use a different mapping, you have a few options:
Option 1: Build an expression
Reconfigure the user attribute mapping to use the country attribute in Entra ID. Then create a mapping expression that looks up appropriate ISO 3166 country codes for long-form country names.
- In the Attribute Mapping dialog, click usageLocation.
- In the Edit Attribute dialog, click the Mapping type field and select Expression.
- In the Expression field enter the following switch expression:
IIF(IsNull([country]), "", Switch(ToLower([country], ), , "afghanistan", "AF", "albania", "AL", "algeria", "DZ", "american samoa", "AS", "andorra", "AD", "angola", "AO", "anguilla", "AI", "antarctica", "AQ", "antigua", "AG", "barbuda", "AG", "argentina", "AR", "armenia", "AM", "aruba", "AW", "australia", "AU", "austria", "AT", "azerbaijan", "AZ", "bahamas", "BS", "bahrain", "BH", "bangladesh", "BD", "barbados", "BB", "belarus", "BY", "belgium", "BE", "belize", "BZ", "benin", "BJ", "bermuda", "BM", "bhutan", "BT", "bolivia", "BO", "bosnia", "BA", "herzegovina", "BA", "botswana", "BW", "bouvet island", "BV", "brazil", "BR", "british indian ocean territory", "IO", "brunei darussalam", "BN", "bulgaria", "BG", "burkina faso", "BF", "burundi", "BI", "cambodia", "KH", "cameroon", "CM", "canada", "CA", "cape verde", "CV", "cayman islands", "KY", "central african republic", "CF", "chad", "TD", "chile", "CL", "china", "CN", "christmas island", "CX", "cocos islands", "CC", "colombia", "CO", "comoros", "KM", "congo", "CG", "democratic republic of the congo", "CD", "cook islands", "CK", "costa rica", "CR", "croatia", "HR", "cuba", "CU", "curaçao", "CW", "cyprus", "CY", "czech republic", "CZ", "denmark", "DK", "djibouti", "DJ", "dominica", "DM", "dominican republic", "DO", "ecuador", "EC", "egypt", "EG", "el salvador", "SV", "equatorial guinea", "GQ", "eritrea", "ER", "estonia", "EE", "ethiopia", "ET", "falkland islands", "FK", "faroe islands", "FO", "fiji", "FJ", "finland", "FI", "france", "FR", "french guiana", "GF", "french polynesia", "PF", "french southern territories", "TF", "gabon", "GA", "gambia", "GM", "georgia", "GE", "germany", "DE", "ghana", "GH", "gibraltar", "GI", "greece", "GR", "greenland", "GL", "grenada", "GD", "guadeloupe", "GP", "guam", "GU", "guatemala", "GT", "guernsey", "GG", "guinea", "GN", "guinea-bissau", "GW", "guyana", "GY", "haiti", "HT", "holy see", "VA", "honduras", "HN", "hong kong", "HK", "hungary", "HU", "iceland", "IS", "india", "IN", "indonesia", "ID", "iran", "IR", "iraq", "IQ", "ireland", "IE", "isle of man", "IM", "israel", "IL", "italy", "IT", "jamaica", "JM", "japan", "JP", "jersey", "JE", "jordan", "JO", "kazakhstan", "KZ", "kenya", "KE", "kiribati", "KI", "democratic people's republic of korea", "KP", "south korea", "KR", "korea", "KR", "kuwait", "KW", "kyrgyzstan", "KG", "lao", "LA", "latvia", "LV", "lebanon", "LB", "lesotho", "LS", "liberia", "LR", "libya", "LY", "liechtenstein", "LI", "lithuania", "LT", "luxembourg", "LU", "macao", "MO", "macedonia", "MK", "madagascar", "MG", "malawi", "MW", "malaysia", "MY", "maldives", "MV", "mali", "ML", "malta", "MT", "marshall islands", "MH", "martinique", "MQ", "mauritania", "MR", "mauritius", "MU", "mayotte", "YT", "mexico", "MX", "federated states of micronesia", "FM", "micronesia", "FM", "republic of moldova", "MD", "moldova", "MD", "monaco", "MC", "mongolia", "MN", "montenegro", "ME", "montserrat", "MS", "morocco", "MA", "mozambique", "MZ", "myanmar", "MM", "namibia", "NA", "nauru", "NR", "nepal", "NP", "netherlands", "NL", "new caledonia", "NC", "new zealand", "NZ", "nicaragua", "NI", "niger", "NE", "nigeria", "NG", "niue", "NU", "norfolk island", "NF", "northern mariana islands", "MP", "norway", "NO", "oman", "OM", "pakistan", "PK", "palau", "PW", "palestine", "PS", "state of palestine", "PS", "panama", "PA", "papua new guinea", "PG", "paraguay", "PY", "peru", "PE", "philippines", "PH", "pitcairn", "PN", "poland", "PL", "portugal", "PT", "puerto rico", "PR", "qatar", "QA", "réunion", "RE", "romania", "RO", "russian federation", "RU", "russia", "RU", "rwanda", "RW", "saint barthélemy", "BL", "saint helena, ascension and tristan da cunha", "SH", "saint helena", "SH", "saint kitts", "KN", "saint kitts and nevis", "KN", "saint lucia", "LC", "saint martin", "MF", "saint pierre and miquelon", "PM", "saint vincent and the grenadines", "VC", "samoa", "WS", "san marino", "SM", "sao tome", "ST", "sao tome and principe", "ST", "saudi arabia", "SA", "senegal", "SN", "serbia", "RS", "seychelles", "SC", "sierra leone", "SL", "singapore", "SG", "sint maarten", "SX", "slovakia", "SK", "slovenia", "SI", "solomon islands", "SB", "somalia", "SO", "south africa", "ZA", "south sudan", "SS", "spain", "ES", "sri lanka", "LK", "sudan", "SD", "suriname", "SR", "svalbard and jan mayen", "SJ", "swaziland", "SZ", "sweden", "SE", "switzerland", "CH", "syrian arab republic", "SY", "taiwan", "TW", "taiwan, republic of china", "TW", "tajikistan", "TJ", "united republic of tanzania", "TZ", "tanzania", "TZ", "thailand", "TH", "timor-leste", "TL", "togo", "TG", "tokelau", "TK", "tonga", "TO", "trinidad and tobago", "TT", "tunisia", "TN", "turkey", "TR", "turkmenistan", "TM", "turks and caicos islands", "TC", "tuvalu", "TV", "uganda", "UG", "ukraine", "UA", "united arab emirates", "AE", "united kingdom", "GB", "united states", "US", "united states minor outlying islands", "UM", "uruguay", "UY", "uzbekistan", "UZ", "vanuatu", "VU", "bolivarian republic of venezuela", "VE", "venezuela", "VE", "viet nam", "VN", "vietnam", "VN", "british virgin islands", "VG", "us virgin islands", "VI", "wallis and futuna", "WF", "western sahara", "EH", "yemen", "YE", "zambia", "ZM", "zimbabwe", "ZW"))
- Click OK to save the attribute mapping.
Option 2: Change the mapping between on-premises Active Directory and Entra ID
If you use Entra ID Connect, change the mapping between on-premises Active Directory and Entra AD.
On-premises Active Directory has various attributes that represent a user's country. For example, the "c" attribute is typically populated in Active Directory with the two-character country code. Choose the appropriate attribute in your on-premises directory, then update your Entra ID Connect mapping to associate the chosen attribute to Entra ID's country attribute.
Once the Entra ID Connect mapping has been updated, perform the following steps to use the new mapping:
- In the Attribute Mapping dialog, click usageLocation.
- In the Edit Attribute dialog, click the Source Attribute field.
- Select country.
- Select OK to save the configuration.
Option 3: Delete the usageLocation attribute mapping
If the country information isn't being provisioned to CrashPlan as expected, simply delete the mapping for the usageLocation user attribute outright. Although the country information would not appear in CrashPlan as a result, this approach avoids causing failures or errors with your Entra provisioning application altogether.
External resources
- Entra ID
- SCIM: Core schema