Netskope Global Technical Success (GTS)
Replacing SCIM Integration with Netskope REST APIv2 for Microsoft Entra ID
Netskope Cloud Version - 125
Objective
This article aims to explain how to replace the soon to be deprecated “SCIM Integration” with Netskope APIv2 for users/groups provisioning on Microsoft Entra ID.
For further information, please visit to the following articles:
Netskope Product EOL Announcements
SCIM Settings for User Provisioning
Note: EoL is targeted for 21st of March, 2025
Context
SCIM integration between Netskope and Microsoft Entra ID for the users and groups provisioning uses an OAuth token to access provisioning service in the cloud via URL: “addon-*.goskope.com/SCIM/v2”, this will be deprecated in March next year, and customers must take actions prior to its deprecation.
SCIM integration
Path: Netskope Tenant UI >>> Settings >>> Tools >>> Directory Tools >>> SCIM Integration as shown below:
Procedure
| ℹ️ If your tenant has been already migrated to RBACv3 please define the Service Account with the needed API v2 endpoint as explained here: https://docs.netskope.com/en/scim-user-provisioning-with-rbacv3 |
Step 1 - Create a new token as follow
Path: Netskope Tenant UI >>> Settings >>> Tools >>> REST API V2
After that you click “SAVE”, please ensure you save the API V2 token by clicking the “COPY TOKEN” as shown below:
| ⚠️#1. Ensure that the Rest Api v2 feature is turned on ⚠️#2. Every REST API V2 token has an expiration |
Step 2. On Microsoft Entra ID, under the Enterprise Applications section, locate the “Netskope User Provision” application (*App name may change)
Step 3. Under Manage >>> Provisioning menu change the URL and the Token as shown below:
| Current value | New Value | |
| URL | https://addon-<tenantname>[.region].goskope.com/SCIM/v2 | https://<tenantname>[.region].goskope.com/api/v2/scim |
| Token | Old token got from the “Settings >>> Tools >>> Directory Tools >>> SCIM Integration” | New token got at Step #1 |
Step 4. Test the connection to ensure its connection, if successful then save the configuration:
| ⚠️ As mentioned on the Netskope Product EOL Announcements, If your Netskope tenant is hardened using IP Allowlist (Settings >>> Administration >>> IP Allowlist - see screenshot below), then you must ensure you add the respective source IP addresses of your integrated REST API V2 services to the Custom IP list. Important: Microsoft provides its IP ranges in the article below. |
| ℹ️ To ensure that the users sync activities based on REST API V2 are working fine, check the Audit log on the Setting >>> Administration >>> Audit log page, the admin user have to match with the API V2 token name defined at the Step#1 |
Step 5. After some days of monitoring, please proceed to remove the old token under Settings >>> Tools >>> Directory Tools >>> SCIM Integration page as shown below
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.
