How to provision users to CrashPlan from Microsoft Entra ID

This article applies to CrashPlan Enterprise and MSPs.

Overview

This article explains how to provision users from Microsoft Entra ID (formerly Azure AD) to CrashPlan. Once configured, CrashPlan automatically adds, updates, and removes users when Entra ID syncs to CrashPlan.

This article assumes you are familiar with the concept of provisioning. To learn more, see our Introduction to SCIM provisioning.

The CrashPlan application in Entra ID is intended for single sign-on (SSO) as well as provisioning. This article describes only how to set up provisioning. To learn how to set up SSO, see Configure Entra ID for SSO in your CrashPlan environment.

Considerations

  • To use this functionality, you must be assigned the Identity Management Administrator role.

  • If you have been using CrashPlan User Directory Sync for provisioning and want to start using Entra ID for provisioning instead, contact your Customer Success Manager (CSM) to engage the CrashPlan Professional Services team. 
  • Local users in CrashPlan cannot be created, updated, or deleted from Entra ID. These users can only be managed in the CrashPlan console. 

Deactivate users

Deactivation delay

When Entra ID sends an update to deactivate a user, CrashPlan waits 15 minutes before deactivating that user. This delay applies only when you use provisioning to deactivate users. When you manually deactivate users in the CrashPlan console, there is no delay.

The deactivation delay helps protect against moving users' backup archives into cold storage if users are accidentally deactivated in Entra ID. Although CrashPlan waits before deactivating users, it blocks them immediately when it receives a deactivation update from Entra ID. Blocked users can no longer sign in to CrashPlan, but their devices continue to back up.

To learn more about user deactivation, see Deactivate and reactivate users and devices in CrashPlan.

Users on legal hold cannot be deactivated

If you place users on legal hold, Entra ID can't deactivate them. Their data is retained for the legal hold process. Users are blocked instead of deactivated. Once you release users from legal hold, they are automatically deactivated.

Supported attributes and features

Supported attributes

The following Entra ID SCIM user attributes are automatically updated in CrashPlan. (To change user attribute mapping, see Step 4.)

| Value in Entra ID | Value in CrashPlan |
|---|---|
| userPrincipalName | CrashPlan username |
| userPrincipalName | Email |
| manager | Manager (the manager must also exist in CrashPlan) |
| jobTitle | Job title |
| givenName | First name |
| surname | Last name |
| city | City |
| state | State |
| usageLocation | Country |
| department | Department |

Supported SCIM attributes


The following SCIM attributes are not supported in Entra ID but are supported in CrashPlan:
  • Division
  • EmployeeType
    Note: The UserType attribute in Entra ID is not equivalent to the EmployeeType SCIM attribute, and should not be used as the employee type attribute in CrashPlan.

Supported user provisioning features

Supported 

The following user provisioning features are available in the CrashPlan Entra ID application:

  • Create users: New users created in Entra ID are also created in CrashPlan.
  • Deactivate users: Deactivating a user in Entra ID deactivates the user in CrashPlan.
  • Update user attributes: Entra ID updates users' attributes. These updates overwrite any changes made in CrashPlan.

Not supported 

  • Import users from CrashPlan to Entra ID
  • Sync passwords
  • Map Entra ID roles to users provisioned in CrashPlan 
    However, you can assign CrashPlan roles to provisioned users based on the group they belonged to in Entra ID. See Step 5 below.

Step 1: Create CrashPlan organizations

This step is only required if you choose to use the Single Organization or Custom SCIM mapping methods. The "c42OrgName" attribute and Custom attribute methods create CrashPlan organizations automatically. 

Create the CrashPlan organization to which users from Entra ID are added during provisioning. (You specify the organization that receives provisioned users in Step 2 below.)

  1. Sign in to the CrashPlan console.
  2. Click Administration > Environment > Organizations.
  3. Select the Add an organization icon and enter a name.
    This method adds the organization under the default organization.
  4. To add a child organization:
    1. Select the organization.
    2. Click the action menu (gear icon) in the upper-right corner.
    3. Choose Add a child organization.
  5. Repeat until you have added all of your organizations.

Step 2: Add a provisioning provider in the CrashPlan console

Create the provisioning provider configuration that Entra ID uses to connect to CrashPlan.

  1. In the CrashPlan console, navigate to Administration > Integrations > Identity Management.
  2. Select the Provisioning tab.
  3. Click Add Provisioning Provider > Add SCIM Provider.
  4. Enter a display name and select OAuth token for the authentication credential type.
    You must select OAuth token for use with Entra ID provisioning.
  5. Click Next
  6. The SCIM Provider Created message appears. Copy the Base URL and Token values to a safe location. You need them later in the provisioning provider setup.
    If you lose this information, you can always click Regenerate credentials on the provisioning provider details page and copy the newly generated token to the Secret token field in Entra (see Step 4).
  7. Click Done.
    The provisioning provider details appear.
  8. Select the edit icon next to Organization Mapping.
  9. In the Edit organization mapping method dialog, ensure that Create new users in the organization below is selected, and select an organization to receive newly-provisioned users.
    Note: Do not map with SCIM groups yet.
    If you want to use the Map users to organizations using SCIM groups option, you can only do so after SCIM groups have been pushed during the first synchronization (see the end of Step 4). After the SCIM groups are pushed, in Step 5 you can then map users to organizations using SCIM groups.
  10. Click Save.

Step 3: Add the Entra ID application for CrashPlan

  1. Sign in to your Entra portal. 
  2. Go to Entra ID.
  3. Select Enterprise applications.
  4. Click New application.
  5. Add the CrashPlan application.
    1. In Add from the gallery, enter CrashPlan.
      Note: Your experience searching for and selecting the CrashPlan application may vary if you view the gallery catalog in preview mode. 
    2. Select the CrashPlan application.
    3. (Optional) Give the application a unique name.
    4. Click Create.
      The CrashPlan application is added to the list of enterprise applications.

Step 4: Configure Entra ID provisioning 

Use the Entra portal to configure provisioning for the CrashPlan application. For general information about provisioning in Entra ID, see the Entra ID documentation. For more information about how to configure provisioning specifically for CrashPlan, see the Entra ID tutorial Configure CrashPlan for automatic user provisioning.

  1. From Enterprise Applications, select the CrashPlan application you created in Step 3.
  2. Under Manage, select Provisioning.
  3. Click Get Started in the "Automate identity lifecycle management with Entra Active Directory" screen.
  4. For Provisioning mode, select Automatic.
  5. Under Admin Credentials, enter the information you copied from the CrashPlan console in Step 2:
    1. In Tenant URL, enter the base URL.
    2. In Secret Token, enter the token.
    3. In Notification Email, enter the email address of the person to receive notification emails and select Send an email notification when a failure occurs.
  6. Click Test Connection to ensure that the connection to CrashPlan is working. If the test is successful, the following message is displayed: The supplied credentials are authorized to enable provisioning.
    If the test is not successful, regenerate the credentials in the CrashPlan console and enter the new values in the Admin Credentials fields.
  7. If desired, select Mappings to change how group and user attributes flow from Entra ID to CrashPlan. For information about how to configure provisioning mapping in Entra ID, see the Entra ID documentation.
    User attribute mappings
    The default mappings listed in the CrashPlan application may be different than what is shown below. To ensure provisioning occurs as expected, use the following mappings. You can modify each Entra or CrashPlan attribute by clicking the specific attribute. See the Entra ID documentation for directions on how to edit each attribute.
    1. To change group mapping, select Provision Entra Active Directory Groups
    2. To change user mapping, select Provision Entra Active Directory Users
      The following are the suggested user attribute mappings from Entra ID to CrashPlan. To change these mappings, click the Entra Active Directory attribute.

    | Entra Active Directory attribute | CrashPlan attribute |
    |---|---|
    | userPrincipalName | userName |
    | userPrincipalName | emails[type eq "work"].value |
    | manager | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager |
    | Not([IsSoftDeleted]) | active |
    | jobTitle | title |
    | givenName | name.givenName |
    | surname | name.familyName |
    | city | addresses[type eq "work"].locality |
    | state | addresses[type eq "work"].region |
    | usageLocation | addresses[type eq "work"].country |
    | objectId | externalId |
    | department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department |

    Note: Use "usageLocation" instead of "country" for mapping. If you have any problems mapping country codes to CrashPlan, see Troubleshooting.


  8. In Scope, select Sync only assigned users and groups. You can only provision users and groups that are assigned to the CrashPlan application in Entra ID.
  9. Click Save
  10. Make any other settings changes your new application requires, and add users and groups to the new application. 
    See the Entra ID documentation for details on adding users to applications and performing other application setup tasks.
  11. Start provisioning users to CrashPlan.
    1. Return to the Provisioning panel and set the Provisioning Status to On. 
    2. Click Save to start provisioning. (If you have already run a sync, click Restart Sync.) 
      It may take up to 40 minutes before synchronization runs and users are provisioned to the mapped organization in CrashPlan. 
    3. (Optional): To provision users manually, use Provision on demand.

Users are provisioned into the CrashPlan organization you specified in Step 2. If you want to provision users into different organizations based on the group they belong to in Entra, proceed to the next step. 
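
The target paths in the Step 4 mapping table describe where each value lands in a SCIM 2.0 user resource. The following added example (not CrashPlan's or Microsoft's code) builds that resource from a constructed user and checks the country value; `set_path`, `build_scim_user` and `check_user` are hypothetical helpers, and representing the manager as an RFC 7643 complex attribute is an assumption.

```python
import json
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# (Entra ID source attribute, SCIM target path) pairs from the Step 4 table.
MAPPINGS = [
    ("userPrincipalName", "userName"),
    ("userPrincipalName", 'emails[type eq "work"].value'),
    ("manager", ENTERPRISE + ":manager"),
    ("jobTitle", "title"),
    ("givenName", "name.givenName"),
    ("surname", "name.familyName"),
    ("city", 'addresses[type eq "work"].locality'),
    ("state", 'addresses[type eq "work"].region'),
    ("usageLocation", 'addresses[type eq "work"].country'),
    ("objectId", "externalId"),
    ("department", ENTERPRISE + ":department"),
]
FILTERED = re.compile(r'^(\w+)\[type eq "(\w+)"\]\.(\w+)$')


def set_path(resource, path, value):
    """Place value at a SCIM target path inside the resource dict."""
    if path.startswith(ENTERPRISE + ":"):
        # Extension attributes live in a sub-object keyed by the schema URN.
        resource.setdefault(ENTERPRISE, {})[path[len(ENTERPRISE) + 1:]] = value
        return
    match = FILTERED.match(path)
    if match:
        # attr[type eq "work"].sub selects the list entry whose type is "work".
        attr, kind, sub = match.groups()
        entries = resource.setdefault(attr, [])
        entry = next((e for e in entries if e.get("type") == kind), None)
        if entry is None:
            entry = {"type": kind}
            entries.append(entry)
        entry[sub] = value
    elif "." in path:
        parent, sub = path.split(".", 1)
        resource.setdefault(parent, {})[sub] = value
    else:
        resource[path] = value


def build_scim_user(entra_user):
    """Apply the mapping table to a dict of Entra ID attribute values."""
    resource = {"schemas": [CORE]}
    for source, target in MAPPINGS:
        value = entra_user.get(source)
        if value in (None, ""):
            continue  # unset source attributes are left out of the resource
        if source == "manager":
            value = {"value": value}  # assumption: RFC 7643 complex attribute
        set_path(resource, target, value)
    # The Not([IsSoftDeleted]) -> active row of the table.
    resource["active"] = not entra_user.get("IsSoftDeleted", False)
    if ENTERPRISE in resource:
        resource["schemas"].append(ENTERPRISE)
    return resource


def check_user(resource):
    """Report values that would not provision cleanly."""
    problems = [] if resource.get("userName") else ["userName is empty"]
    for address in resource.get("addresses", []):
        country = address.get("country", "")
        if country and not re.fullmatch(r"[A-Z]{2}", country):
            problems.append(f"country {country!r} is not a two-character code")
    return problems


# Constructed sample user; every value is made up.
SAMPLE_USER = {
    "userPrincipalName": "alex@example.com", "givenName": "Alex", "surname": "Doe",
    "usageLocation": "US", "department": "Finance", "objectId": "constructed-id-1",
    "manager": "constructed-id-2", "IsSoftDeleted": False,
}

if __name__ == "__main__":
    print(json.dumps(build_scim_user(SAMPLE_USER), indent=2))
```

Passing a user whose mapped country is a long-form name such as "United States" makes `check_user` report it, which is the situation Option 1 in Troubleshooting addresses.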

Step 5: Map users to organizations and roles using SCIM groups

When users are first provisioned into CrashPlan, they are provisioned to an organization that you specified in the Edit organization mapping method dialog in Step 2. If you prefer, you can map users to CrashPlan organizations based on the SCIM groups they belong to in Entra. You can also assign users roles in CrashPlan based on their SCIM groups.

Follow the steps in the sections below:

You must first provision groups to CrashPlan from Entra ID before you can map users to organizations and roles based on SCIM group. 

Map users to organizations using SCIM groups

  1. In the CrashPlan console, navigate to Administration > Integrations > Identity Management.
  2. Select the Provisioning tab.
  3. Select the provisioning provider you set up in Step 2.
  4. Click the edit icon to the right of Organization mapping.
    The Edit Organization Mapping Method dialog is displayed.
  5. Select Map users to organizations using SCIM groups. 
    Do not select Map users to organizations based on the provider's "c42OrgName" attribute. Entra ID does not support this method. 
  6. Choose an organization to which unmapped users will be assigned. Unmapped users are users who either do not belong to a group or their group is not mapped. 
  7. Click Save
    The Add organization mapping dialog appears. 
  8. In Select a SCIM group, select one or more groups.
    Groups appear only after a provisioning synchronization from Entra ID has completed.
  9. From Select a CrashPlan organization, choose an organization from the menu. 
  10. Click Save
    The mapping appears on the Provisioning Provider details page. 
  11. Click Add mapping and repeat the process until all of your SCIM groups have been mapped to CrashPlan organizations. 
    Once all available SCIM groups have been mapped, the message All SCIM groups are mapped appears.
  12. (Optional) Adjust the priority of each mapping. This is useful for users who belong to more than one SCIM group. 

If you want to assign roles to users provisioned to CrashPlan, proceed with the steps below in Map users to roles using SCIM groups. Otherwise, apply the mapping as described in Apply organization and role mappings.

Map users to roles using SCIM groups

Role mapping allows you to automatically assign CrashPlan roles and permissions to provisioned users based on their SCIM group. Users who are not mapped inherit the default roles for their organization. 

  1. In the provisioning provider details page, click the edit icon to the right of Role mapping.
    The Edit role mapping dialog appears.
  2. Select Map SCIM groups to CrashPlan roles.
    Only select Manually if you want to assign roles manually in CrashPlan.
  3. Click Save.
    An Add mapping button appears under Role mapping.
  4. Click Add mapping
    The Add Role Mapping dialog appears.
  5. In Select a SCIM group, select one or more groups.  
    Only groups that have not been mapped appear in the dropdown.
  6. In Select a CrashPlan role, select one or more roles from the list to apply to this SCIM group. 
    Basic roles
    Include the Desktop User and PROe User roles for all users who are backing up their computers to CrashPlan. These roles allow users to sign in to the CrashPlan app and CrashPlan console. If you are giving external groups access to your CrashPlan environment (for example, outside legal counsel), they do not need these roles.
  7. Click Add.
    The role mapping appears under the provisioning provider detail.
  8. Click Add mapping and repeat the process until all of your SCIM groups have been mapped to CrashPlan roles.
    The message All SCIM groups are mapped appears.

When you are done mapping roles, apply the mapping as described below in Apply organization and role mappings.

Apply organization and role mappings

After you have completed the organization mapping and role mapping as described in the preceding sections, you must apply the mappings. 

  1. In the provisioning provider details page, select Actions > Apply org and role settings.
  2. In the Apply organization and role settings dialog, click Apply.
    Provisioned users are moved to the mapped organizations and are assigned the mapped roles.

If you change organization or role mapping in the future, apply the mappings as described here using Actions > Apply org and role settings.

(Optional) Step 6: Edit deactivation delay

In the CrashPlan console, view the provisioning provider details and select Deactivation Delay.

The deactivation delay determines how long CrashPlan waits to deactivate a user after syncing with the provisioning provider. To learn more about user deactivation, see Deactivate and reactivate users and devices in CrashPlan.

Although CrashPlan may be configured to wait, it blocks a user immediately when it receives a deactivation update from the provisioning provider. Blocking a user means they can no longer sign in to the CrashPlan app, but their devices continue to back up. The delay helps prevent accidentally deactivating a user and removing their backup archive.

Troubleshooting

Users are not provisioned to CrashPlan

To troubleshoot why users or attributes aren't being sent to CrashPlan from Entra ID, see the Entra ID documentation to review provisioning errors. 

If everything is configured properly in Entra ID but users aren't being provisioned to CrashPlan, assign an empty group to the CrashPlan application in Entra ID, then add users to that group. This initiates new provisioning calls for those users.

There are no SCIM groups available

This message appears if SCIM groups have not been provisioned. You must first provision groups to CrashPlan from Entra ID before you can map organizations and roles based on SCIM group.

Syncing

  • To view information about provisioning in CrashPlan, see the Sync Log in the CrashPlan console. It contains details of all of the users that have been created, updated, or deleted in CrashPlan due to provisioning. 
  • Once provisioning is configured in the CrashPlan application in Entra ID, make all user changes in Entra ID. CrashPlan does not sync changes back to Entra ID, so any changes you make to user values on the CrashPlan side cause the two apps to become out of sync.
  • Updating the CrashPlan console does not start a sync between Entra ID and CrashPlan. Only adding or removing a user from a group in Entra ID starts a sync. 

The country value is incorrect in CrashPlan

If the value of the country code is incorrect in CrashPlan, it could be because the default mapping in Entra does not contain the correct country value.

The default country value in CrashPlan is mapped to the usageLocation Entra ID attribute. While this value will always conform to the SCIM spec that requires a two-character country code, it may represent the region in which the user accesses Microsoft products, not necessarily where they are located. If you use Entra ID Connect, this value is typically populated by the msExchUsageLocation attribute in your on-premises Entra ID by default.

Should you want to use a different mapping, you have a few options:

Option 1: Build an expression

Reconfigure the user attribute mapping to use the country attribute in Entra ID. Then create a mapping expression that looks up appropriate ISO 3166 country codes for long-form country names.

  1. In the Attribute Mapping dialog, click usageLocation.
  2. In the Edit Attribute dialog, click the Mapping type field and select Expression.
  3. In the Expression field enter the following switch expression:
IIF(IsNull([country]), "", Switch(ToLower([country], ), , "afghanistan", "AF", "albania", "AL", "algeria", "DZ", "american samoa", "AS", "andorra", "AD", "angola", "AO", "anguilla", "AI", "antarctica", "AQ", "antigua", "AG", "barbuda", "AG", "argentina", "AR", "armenia", "AM", "aruba", "AW", "australia", "AU", "austria", "AT", "azerbaijan", "AZ", "bahamas", "BS", "bahrain", "BH", "bangladesh", "BD", "barbados", "BB", "belarus", "BY", "belgium", "BE", "belize", "BZ", "benin", "BJ", "bermuda", "BM", "bhutan", "BT", "bolivia", "BO", "bosnia", "BA", "herzegovina", "BA", "botswana", "BW", "bouvet island", "BV", "brazil", "BR", "british indian ocean territory", "IO", "brunei darussalam", "BN", "bulgaria", "BG", "burkina faso", "BF", "burundi", "BI", "cambodia", "KH", "cameroon", "CM", "canada", "CA", "cape verde", "CV", "cayman islands", "KY", "central african republic", "CF", "chad", "TD", "chile", "CL", "china", "CN", "christmas island", "CX", "cocos islands", "CC", "colombia", "CO", "comoros", "KM", "congo", "CG", "democratic republic of the congo", "CD", "cook islands", "CK", "costa rica", "CR", "croatia", "HR", "cuba", "CU", "curaçao", "CW", "cyprus", "CY", "czech republic", "CZ", "denmark", "DK", "djibouti", "DJ", "dominica", "DM", "dominican republic", "DO", "ecuador", "EC", "egypt", "EG", "el salvador", "SV", "equatorial guinea", "GQ", "eritrea", "ER", "estonia", "EE", "ethiopia", "ET", "falkland islands", "FK", "faroe islands", "FO", "fiji", "FJ", "finland", "FI", "france", "FR", "french guiana", "GF", "french polynesia", "PF", "french southern territories", "TF", "gabon", "GA", "gambia", "GM", "georgia", "GE", "germany", "DE", "ghana", "GH", "gibraltar", "GI", "greece", "GR", "greenland", "GL", "grenada", "GD", "guadeloupe", "GP", "guam", "GU", "guatemala", "GT", "guernsey", "GG", "guinea", "GN", "guinea-bissau", "GW", "guyana", "GY", "haiti", "HT", "holy see", "VA", "honduras", "HN", "hong kong", "HK", "hungary", "HU", "iceland", "IS", "india", "IN", 
"indonesia", "ID", "iran", "IR", "iraq", "IQ", "ireland", "IE", "isle of man", "IM", "israel", "IL", "italy", "IT", "jamaica", "JM", "japan", "JP", "jersey", "JE", "jordan", "JO", "kazakhstan", "KZ", "kenya", "KE", "kiribati", "KI", "democratic people's republic of korea", "KP", "south korea", "KR", "korea", "KR", "kuwait", "KW", "kyrgyzstan", "KG", "lao", "LA", "latvia", "LV", "lebanon", "LB", "lesotho", "LS", "liberia", "LR", "libya", "LY", "liechtenstein", "LI", "lithuania", "LT", "luxembourg", "LU", "macao", "MO", "macedonia", "MK", "madagascar", "MG", "malawi", "MW", "malaysia", "MY", "maldives", "MV", "mali", "ML", "malta", "MT", "marshall islands", "MH", "martinique", "MQ", "mauritania", "MR", "mauritius", "MU", "mayotte", "YT", "mexico", "MX", "federated states of micronesia", "FM", "micronesia", "FM", "republic of moldova", "MD", "moldova", "MD", "monaco", "MC", "mongolia", "MN", "montenegro", "ME", "montserrat", "MS", "morocco", "MA", "mozambique", "MZ", "myanmar", "MM", "namibia", "NA", "nauru", "NR", "nepal", "NP", "netherlands", "NL", "new caledonia", "NC", "new zealand", "NZ", "nicaragua", "NI", "niger", "NE", "nigeria", "NG", "niue", "NU", "norfolk island", "NF", "northern mariana islands", "MP", "norway", "NO", "oman", "OM", "pakistan", "PK", "palau", "PW", "palestine", "PS", "state of palestine", "PS", "panama", "PA", "papua new guinea", "PG", "paraguay", "PY", "peru", "PE", "philippines", "PH", "pitcairn", "PN", "poland", "PL", "portugal", "PT", "puerto rico", "PR", "qatar", "QA", "réunion", "RE", "romania", "RO", "russian federation", "RU", "russia", "RU", "rwanda", "RW", "saint barthélemy", "BL", "saint helena, ascension and tristan da cunha", "SH", "saint helena", "SH", "saint kitts", "KN", "saint kitts and nevis", "KN", "saint lucia", "LC", "saint martin", "MF", "saint pierre and miquelon", "PM", "saint vincent and the grenadines", "VC", "samoa", "WS", "san marino", "SM", "sao tome", "ST", "sao tome and principe", "ST", "saudi arabia", "SA", 
"senegal", "SN", "serbia", "RS", "seychelles", "SC", "sierra leone", "SL", "singapore", "SG", "sint maarten", "SX", "slovakia", "SK", "slovenia", "SI", "solomon islands", "SB", "somalia", "SO", "south africa", "ZA", "south sudan", "SS", "spain", "ES", "sri lanka", "LK", "sudan", "SD", "suriname", "SR", "svalbard and jan mayen", "SJ", "swaziland", "SZ", "sweden", "SE", "switzerland", "CH", "syrian arab republic", "SY", "taiwan", "TW", "taiwan, republic of china", "TW", "tajikistan", "TJ", "united republic of tanzania", "TZ", "tanzania", "TZ", "thailand", "TH", "timor-leste", "TL", "togo", "TG", "tokelau", "TK", "tonga", "TO", "trinidad and tobago", "TT", "tunisia", "TN", "turkey", "TR", "turkmenistan", "TM", "turks and caicos islands", "TC", "tuvalu", "TV", "uganda", "UG", "ukraine", "UA", "united arab emirates", "AE", "united kingdom", "GB", "united states", "US", "united states minor outlying islands", "UM", "uruguay", "UY", "uzbekistan", "UZ", "vanuatu", "VU", "bolivarian republic of venezuela", "VE", "venezuela", "VE", "viet nam", "VN", "vietnam", "VN", "british virgin islands", "VG", "us virgin islands", "VI", "wallis and futuna", "WF", "western sahara", "EH", "yemen", "YE", "zambia", "ZM", "zimbabwe", "ZW"))
  4. Click OK to save the attribute mapping.

Option 2: Change the mapping between on-premises Active Directory and Entra ID

If you use Entra ID Connect, change the mapping between on-premises Active Directory and Entra ID.

On-premises Active Directory has various attributes that represent a user's country. For example, the "c" attribute is typically populated in Active Directory with the two-character country code. Choose the appropriate attribute in your on-premises directory, then update your Entra ID Connect mapping to associate the chosen attribute to Entra ID's country attribute.

Once the Entra ID Connect mapping has been updated, perform the following steps to use the new mapping:

  1. In the Attribute Mapping dialog, click usageLocation.
  2. In the Edit Attribute dialog, click the Source Attribute field.
  3. Select country.
  4. Select OK to save the configuration.

Option 3: Delete the usageLocation attribute mapping

If the country information isn't being provisioned to CrashPlan as expected, you can delete the mapping for the usageLocation user attribute outright. Country information then no longer appears in CrashPlan, but this approach avoids failures or errors in your Entra provisioning application.
