Skip to main content

SCIM with Entra

V
Written by Vy-Vy Nguyen
Updated over a month ago

SCIM (the system for cross-domain identity management) allows your application to synchronize its users data based on recurring communication with your identity provider (IDP).

Your app will periodically query your identity provider (IDP) for updates about which users should have access to your application. You can use this information to provision or deprovision users — or simply update data about a user (e.g., a first name).

The SCIM Setup helps you use SCIM without integrating your product directly with Entra. You will instead integrate with the SCIM Setup, which will communicate with Entra on your behalf.

Connecting the SCIM Setup to your Entra implementation requires that you share two pieces of information with Entra. You will find both of these in the SCIM Setup:

  1. A base url that Entra will perform operations on (e.g. via HTTP PATCH)

  2. A bearer token that Entra will include with its requests

When Entra has both of those pieces of information, the connection between The SCIM Setup and Entra is complete. No additional configuration within the SCIM Setup will be necessary. With that said, configuration within Entra can be somewhat involved.

This guide therefore starts by focusing briefly on the SCIM Setup and subsequently focuses on Entra configuration.

Configuring the SCIM Setup

To create a SCIM Directory within the SCIM Setup, you’ll first need to create an Environment and an Organization. SCIM Directories belong to Organizations. You can create a SCIM Directory for an Organization by navigating to the Organization in the SCIM Setup and selecting Create SCIM directory.

Creating a SCIM Directory in SCIM Setup

From there, you can find the base URL and generate the bearer token that you need.

The SCIM Setup does not store bearer tokens. You will not be able to access the bearer token in SCIM Setup again. You may at any time, however, replace the existing bearer token with a new one. When you create a new bearer token, you simultaneously invalidate the previous bearer token.

Before you continue, ensure that you have set the SCIM directory primary field to Yes - you can make this change by clicking on the Edit button.

Capturing the base URL and bearer token from SCIM Setup

Setting SCIM directory to Primary

Once you have created a SCIM Directory in the SCIM Setup and taken note of both the base URL and the bearer token, you have finished with SCIM Setup configuration.

Configuring Entra

Once there’s a SCIM Directory in the SCIM Setup, you can connect that SCIM Directory to your Entra instance.

Start at the Entra home page. Navigate to enterprise applications in the navigation bar.

Visiting enterprise applications in Entra

You’ll now see a list of applications. In this case, we have just one: test_application. Click the blue text to see more details about the application.

Note: These steps apply if you’re provisioning SCIM within the same application used for SSO. If you prefer to create a separate application specifically for SCIM, please create the new application first, then return here and follow the steps below.

Visiting enterprise applications in Entra

You’ll see an Overview page. Click on the menu item labeled Provisioning on the left.

Navigating to Provisioning in Entra

This will take you to a new menu. Look toward the top/centre of the page for a button with a plus icon labeled New configuration. Click this.

Selecting New configuration in Entra

You’ll land on a page with a few data input options. Start with the field labeled Tenant URL. This is what the SCIM Setup calls a Base URL. It’s just the location where Entra will send its SCIM communications. Copy this value from the SCIM Setup and paste it here.

It should look something like the below:

Pasting SCIM Setup's Base URL as the Tenant URL in Entra

Next, look at the field labeled Secret token directly below the Tenant URL. This is the other value that the SCIM Setup provides: the bearer token. Paste this value from the SCIM Setup into Entra as the Secret token.

The Secret token is sensitive. Please treat it like a password. Do not share it.

Pasting the Secret token in Entra

In Entra, you need to click Test connection to move on. Click this button and wait a moment.

Clicking Test connection in Entra

Once it’s clickable, hit Create in the lower left.

Pressing the Create button in Entra

You’ll land on a new page showing an overview of the Entra application. Find the Users and groups button in the left navbar and click it.

Visiting Users and groups in Entra

We need to assign users and/or groups to the application. Start by clicking the Add user/group button toward the top/centrr of the page. It’s marked with a plus icon.

Hitting Add user/group in Entra

Exactly what you’ll see might vary here, but you’ll see a searchable list of users and/or groups. Decide which users should have access to the application, select each, and then press Select in the lower left.

Selecting users and/or groups to add to the application

You’ll see another menu. If you’re content with your selection, press the Assign button in the lower left. Entra will now consider those users and/or groups to be assigned to the application.

Assigning a selection of users and/or groups to the application

Entra will not yet have begun SCIM provisioning. To get Entra to begin SCIM provisioning, press the Overview button in the left navbar.

Returning to the application's Overview for the application

Press the Start provisioning button. It has a play button icon — kind of like you’d see on a remote control.

Within a few moments, you’ll see a pop-up in the top right. It will say Provisioning is scheduled to start.

This means that Entra has successfully begun its communications with the SCIM Setup. Configuration is complete.

Visiting enterprise applications in Entra

Related Articles
SCIM Integration
Setting up SSO
SAML with Entra
SCIM with Okta
Did this answer your question?