This guide explains how to create an Azure AD app to provision Cmd accounts.
Prerequisite
Global admin privileges are required to enable SCIM in Cmd.
Limitations
This process works as long as the Azure AD accounts have a primary email. In our testing, we achieved this by inviting existing Azure accounts to Azure AD.
Because of how Azure batches SCIM synchronization, new accounts may not be provisioned for up to 40 minutes.
Cmd setup
In the Cmd web app, go to global security settings and scroll down to the 'SCIM' section.
Select enable SCIM, then save a copy of the Tenant URL and Secret token (or keep this page open). You will provide them to Azure later.
Azure setup
In the Azure Portal, navigate to 'Azure Active Directory', then 'Enterprise applications'.
Click + New application.
Select Non-gallery application, then name your new app (e.g. 'Cmd'), and click Add.
In the overview for your new application, go to the Provisioning section.
Enter the Tenant URL and Secret token you got from Cmd, set the 'Provisioning Status' to On, then click Save.
How to provision users and user groups
Follow these steps to create Cmd accounts for Azure users.
Cmd accounts created using SCIM start with server operator privileges. To grant different privileges, admins can edit accounts in the Cmd web app.
Individual users
To add individual users to Cmd, follow Microsoft's instructions to add users to your Azure app.
Once you add a user to the Azure app, Cmd will provision their account.
Groups of users
To add groups of users to Cmd, follow Microsoft's instructions to add user groups to your Azure app.
Users added in this way will get Cmd accounts with server operator privileges. To grant them different privileges, edit their account in the Cmd web app.
They will also have a role associated with their Cmd accounts. The role comes directly from the "name" property of the Azure user group.
To assign a user multiple roles, just assign them to multiple Azure groups with the desired Cmd roles as their group names, and add all the groups to Cmd.
Confirm that the new users appear on the Cmd web app in the 'Users & roles' settings page.
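Before adding users and groups to the Azure app, it can help to review what the sync is expected to produce. The following is an added example, not code from Cmd or Microsoft: it takes a constructed export of users and groups (the field names `upn`, `mail`, `name` and `members` are hypothetical) and reports which Cmd roles each account would receive from its group names, and which users lack a primary email.

```python
"""Pre-flight review of an Azure-to-Cmd provisioning scope (added example)."""

# Constructed sample export; field names are hypothetical, not an Azure or Cmd format.
USERS = [
    {"upn": "ana@example.com", "mail": "ana@example.com"},
    {"upn": "bo@example.com", "mail": None},  # no primary email
    {"upn": "cy@example.com", "mail": "cy@example.com"},
    {"upn": "di@example.com", "mail": "di@example.com"},
]
GROUPS = [  # groups added to the Azure app; each group name becomes a Cmd role
    {"name": "db-admins", "members": ["ana@example.com", "bo@example.com"]},
    {"name": "web-ops", "members": ["ana@example.com", "cy@example.com"]},
]
DIRECT = ["di@example.com"]  # users added to the Azure app individually


def preflight(users, groups, direct):
    """Return (accounts, blocked).

    accounts maps each user expected to provision to a sorted list of roles;
    blocked lists in-scope users that have no primary email.
    """
    mail = {u["upn"]: u.get("mail") for u in users}
    roles = {upn: set() for upn in direct}  # individually added users get no role
    for group in groups:
        for upn in group["members"]:
            # Membership in several groups yields several roles.
            roles.setdefault(upn, set()).add(group["name"])
    accounts, blocked = {}, []
    for upn in sorted(roles):
        if not mail.get(upn):
            blocked.append(upn)  # the guide's limitation: a primary email is required
        else:
            accounts[upn] = sorted(roles[upn])
    return accounts, blocked


if __name__ == "__main__":
    accounts, blocked = preflight(USERS, GROUPS, DIRECT)
    for upn, names in accounts.items():
        # Every SCIM-created account starts with server operator privileges.
        print(f"{upn}: server operator, roles={names or 'none'}")
    for upn in blocked:
        print(f"{upn}: no primary email, not expected to provision")
```

Comparing this output with the 'Users & roles' settings page after the sync shows whether any account received a role you did not intend.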
You can also read a full example of how to use Cmd roles to grant varying permissions.
Related resources:
To learn more about third-party integrations, including other SCIM providers, see the integrations overview.