We recently enabled Azure AD SSO for our labor management module in hm-2022.2, but new users created in Azure AD aren’t automatically provisioning to Honeywell MES. The SCIM connector appears configured, but users remain stuck in pending status. I’ve verified the Azure AD enterprise application settings and the attribute mapping looks correct (employeeID → UserID, mail → Email). However, when checking the cloud connector logs, I see authentication errors:
ERROR: SCIM provisioning failed - 401 Unauthorized
Endpoint: /api/v1/labor/users/provision
Timestamp: 2025-03-14 14:32:18
This is blocking our onboarding process for 15+ shop floor workers. Has anyone successfully configured Azure AD SCIM with the labor management module in a cloud deployment?
Raj nailed the root cause. Here’s the complete solution addressing all three critical areas:
Azure AD SCIM Setup:
In your Azure AD enterprise application, navigate to Provisioning → Admin Credentials. The Tenant URL should be: https://your-instance.honeywell-mes.cloud/api/scim/v2 (without /Users suffix). For the Secret Token, you must use the Honeywell MES service account API key, NOT an Azure Graph token.
Attribute Mapping Configuration:
Under Provisioning → Mappings → Provision Azure AD Users, add these custom mappings:
- externalId → userName (required)
- mail → emails[type eq "work"].value
- extension_laborCategory → urn:honeywell:params:scim:schemas:LaborUser:category
- extension_shiftCode → urn:honeywell:params:scim:schemas:LaborUser:shift
You’ll need to create these extension attributes in Azure AD first using Graph API or PowerShell.
Cloud Connector Permissions:
- In Honeywell MES, go to Administration → Security → Service Accounts
- Create service account: Name=‘azure_scim_connector’, Type=‘API Integration’
- Assign roles: ‘Labor Administrator’, ‘Cloud Connector Service’, ‘User Provisioning’
- Generate API Key → copy this 64-character key
- Paste this key into Azure AD’s Secret Token field
- Under Administration → Cloud Services → Connector Settings, enable ‘SCIM User Provisioning’ and set sync interval to 15 minutes
- Verify the connector service account in the ‘Authentication’ tab matches your created service account
Validation Steps:
After configuration, test with a single user first. In Azure AD, go to Provisioning → Provision on demand, select a test user, and click Provision. Check the provisioning logs for detailed success/failure messages. Common issues:
- Missing required attributes (employeeID is mandatory)
- Labor category codes that don’t exist in Honeywell MES
- Time zone mismatches in shift assignments
Once successful, enable automatic provisioning. Initial sync takes 20-40 minutes depending on user count. Monitor the first few hours via Administration → Audit Logs → User Provisioning Events.
The key mistake most make is using Azure tokens instead of Honeywell service account keys. The SCIM endpoint authenticates against Honeywell MES, not Azure, so it needs MES credentials. Also ensure your cloud connector service has outbound firewall rules allowing Azure IP ranges (documented in Microsoft’s Azure AD IP list).
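As an added preflight script (not from this thread, and not Honeywell's own tooling), the following Python encodes the checks the answer above walks through before you hit "Provision on demand": the Tenant URL shape (must end in /api/scim/v2 with no /Users suffix), whether the Secret Token is an MES service-account API key rather than an Azure token, and whether the SCIM user produced by the attribute mapping carries the mandatory employeeID, a work email, and labor category / shift codes that actually exist in MES. The schema URNs are the ones quoted above; the accepted category and shift codes, the JWT heuristic for spotting an Azure token, and the employeeId → externalId placement in the payload are assumptions made for the example.

```python
"""Preflight checks for an Azure AD -> SCIM provisioning setup (added example)."""
from urllib.parse import urlparse

# Custom schema URN exactly as quoted in the thread's mapping table.
LABOR_SCHEMA = "urn:honeywell:params:scim:schemas:LaborUser"
CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample reference data; in a real deployment these are read from MES.
KNOWN_LABOR_CATEGORIES = {"ASSEMBLY", "PACKAGING", "QA"}
KNOWN_SHIFTS = {"DAY", "SWING", "NIGHT"}


def check_tenant_url(url: str) -> list[str]:
    """Return problems with the Tenant URL; an empty list means it looks right."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("tenant URL must use https")
    path = parsed.path.rstrip("/")
    if path.endswith("/Users"):
        problems.append("tenant URL must not end in /Users; Azure AD appends resource paths itself")
    if not path.endswith("/api/scim/v2"):
        problems.append(f"expected path ending in /api/scim/v2, got {path or '/'}")
    return problems


def check_secret_token(token: str) -> list[str]:
    """Heuristic: the Secret Token must be the MES API key, not an Azure token.

    Assumption (not from the thread): Azure AD access tokens are JWTs, i.e. three
    dot-separated base64url segments beginning with 'eyJ'. The thread says the MES
    service-account API key is 64 characters long, so that length is checked too.
    """
    problems = []
    if token.startswith("eyJ") and token.count(".") == 2:
        problems.append("secret token looks like an Azure JWT; use the MES service account API key")
    elif len(token) != 64:
        problems.append(f"expected a 64-character MES API key, got {len(token)} characters")
    return problems


def build_scim_user(azure_user: dict) -> dict:
    """Apply the thread's attribute mapping to an Azure AD user record."""
    return {
        "schemas": [CORE_USER_SCHEMA, LABOR_SCHEMA],
        # Assumed placement: the thread only says employeeID is mandatory.
        "externalId": azure_user.get("employeeId"),
        "userName": azure_user.get("externalId"),
        "emails": [{"type": "work", "value": azure_user.get("mail"), "primary": True}],
        LABOR_SCHEMA: {
            "category": azure_user.get("extension_laborCategory"),
            "shift": azure_user.get("extension_shiftCode"),
        },
    }


def validate_scim_user(user: dict) -> list[str]:
    """Mirror the 'common issues' list: missing required attributes, unknown codes."""
    problems = []
    if not user.get("externalId"):
        problems.append("employeeID is mandatory")
    if not user.get("userName"):
        problems.append("userName is required")
    work = [e for e in user.get("emails", []) if e.get("type") == "work" and e.get("value")]
    if not work:
        problems.append("no work email mapped")
    labor = user.get(LABOR_SCHEMA, {})
    if labor.get("category") not in KNOWN_LABOR_CATEGORIES:
        problems.append(f"labor category {labor.get('category')!r} does not exist in MES")
    if labor.get("shift") not in KNOWN_SHIFTS:
        problems.append(f"shift code {labor.get('shift')!r} does not exist in MES")
    return problems


def preflight(tenant_url: str, secret_token: str, azure_user: dict) -> list[str]:
    """Run every check; an empty list means the test user is ready for on-demand provisioning."""
    return (check_tenant_url(tenant_url)
            + check_secret_token(secret_token)
            + validate_scim_user(build_scim_user(azure_user)))


if __name__ == "__main__":
    # Constructed sample input reproducing the mistakes discussed in the thread:
    # wrong /api/v1/ endpoint, an Azure JWT in the Secret Token field, unknown shift code.
    sample_user = {"externalId": "jdoe", "employeeId": "E1042", "mail": "jdoe@example.com",
                   "extension_laborCategory": "ASSEMBLY", "extension_shiftCode": "GRAVEYARD"}
    for problem in preflight("https://your-instance.honeywell-mes.cloud/api/v1/labor/users/provision",
                             "eyJhbGciOiJSUzI1NiJ9.payload.sig", sample_user):
        print("-", problem)
```

Run it against one test user before enabling automatic provisioning; each returned string corresponds to one of the failure modes the answer lists, so an empty result is the signal to move on to Provision on demand and then the audit logs.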
Check your Azure AD app registration permissions first. The SCIM connector needs Microsoft Graph API permissions for User.ReadWrite.All. Also verify the secret token hasn’t expired - Azure tokens typically expire after 12 months. You can regenerate it under the provisioning section of your enterprise app.
Adding to Lisa’s point - the attribute mapping needs custom schema extensions for Honeywell MES labor fields. Standard SCIM attributes won’t map to shift assignments or labor categories. You need to extend your Azure AD schema with custom attributes like ‘extension_laborCategory’ and ‘extension_defaultShift’, then map those in the provisioning configuration. Without these, users provision but lack required labor management attributes, which can cause silent failures.
Thanks Steve. I verified the Graph API permissions are set correctly and the token is still valid (created 2 months ago). The 401 error persists. I’m wondering if there’s a specific IAM role or cloud connector configuration I’m missing on the Honeywell MES side?
The service account isn’t created automatically - you need to set it up manually. Go to Administration → Security → Service Accounts, create a new account specifically for Azure SCIM integration (e.g., ‘azure_scim_svc’), then assign it both ‘Labor Administrator’ and ‘Cloud Connector Service’ roles. This is documented in the hm-2022.2 Cloud Integration Guide section 7.3 but easy to miss. After creating the service account, you’ll generate an API key that goes into Azure AD’s provisioning secret token field - NOT the Graph API token. That’s a common confusion point.
I encountered this exact issue last quarter. The problem isn’t usually the Azure side - it’s the cloud connector service account permissions in Honeywell MES. Navigate to Administration → Cloud Services → Connector Configuration and verify the service account has the ‘Labor Administrator’ role assigned. Also check that the SCIM endpoint URL in Azure matches exactly: https://your-instance.honeywell-mes.cloud/api/scim/v2/Users (note the v2). We had a typo in our endpoint that caused identical 401 errors.
Good catch on the endpoint URL - I was using /api/v1/ instead of /api/scim/v2/. However, even after correcting that, I’m still getting authentication failures. Lisa, when you mention the ‘Labor Administrator’ role, where exactly do I assign that? I’m in the Cloud Services section but don’t see a specific service account configuration for the SCIM connector.