Skip to main content

Microsoft Entra ID

User Provisioning via SCIM (Entra ID)

1. Introduction

This section covers how to set up Entra ID for provisioning user accounts to an external IdP compliant with the SCIM 2.0 protocol.

Reference documentation:

  1. Overview of SCIM sync: https://learn.microsoft.com/en-us/entra/architecture/sync-scim
  2. Develop and plan SCIM provisioning with Entra ID: Tutorial - Develop a SCIM endpoint for user provisioning to apps from Microsoft Entra ID
  3. Integrate SCIM endpoint with Entra ID: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups#integrate-your-scim-endpoint-with-the-azure-ad-provisioning-service
  4. Testing SCIM integration with Entra ID: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/scim-validator-tutorial
  5. EntraID SCIM integration testing service: https://scimvalidator.microsoft.com/

2. Setting up Visual Passcodes

Before setting up the SCIM synchronization service in EntraID, it is necessary to set up an access API key and gather SCIM endpoint information from the Visual Passcodes tenant. Both will be needed in EntraID.

2.1 Create SCIM access token

The API uses Bearer Token authentication. An API token must be created and included in the Authorization header of every request.

To create the API token:

  1. Go to the Profile.

  2. Click on Create New API Key.

    Create New API Key

  3. Specify:

    1. Key Name

    2. Scope: SCIM2 — to allow EntraID to make changes in the identity provider.

    3. Tenant: choose from the dropdown the Tenant where the API key applies to.

      API Key scope and tenant selection

    4. Click on Create API Key.

  4. Copy the API Key value using the Copy icon.

    Copy API Key value

    It is important to keep this value in a secure place until used when configuring the EntraID SCIM synchronization service, since the value cannot be retrieved again once the window is closed.

2.2 Identify SCIM Endpoint

To identify the SCIM endpoint:

  1. Select Tenant Config in the main menu.

  2. Select SCIM2 Configuration in the submenu.

  3. Copy the SCIM2 Base URL using the copy icon. Keep it for the Entra ID configuration.

    SCIM2 Base URL

3. Setting up Entra ID

Based on reference 3.

3.1 Create Application

  1. Sign in to the Microsoft Entra admin center as at least an Application Administrator.

  2. Browse to Entra ID > Enterprise apps.

  3. A list of all configured apps is shown, including apps that were added from the gallery.

  4. Select + New application.

    New application button

  5. In the new window, select Create your own application.

    Create your own application

  6. In the Create your own application panel, enter a name for your application, choose the option "integrate any other application you don't find in the gallery", and select Add. The new app is added to the list of enterprise applications and opens to its app management screen.

3.2 Configure Application

  1. In the app management screen of the newly created application, select Provisioning in the left panel.

    Provisioning menu option

  2. Select + New configuration.

    New configuration button

  3. In the New provisioning configuration page:

    1. Select authentication method as Bearer authentication.

    Bearer authentication selection 2. Specify as the Tenant URL the Base URL of the Visual Passcodes Tenant SCIM endpoint (see section 2.2 Identify SCIM Endpoint). 3. Specify as the Secret token the API Key value generated in the Visual Passcodes Tenant (see section 2.1 Create SCIM access token). 4. Select Test Connection to have Microsoft Entra ID attempt to connect to the SCIM endpoint. If the attempt fails, error information is displayed.

    Test Connection

  4. If the test is successful, the Create button is enabled. Click on it.

    Create button enabled

3.3 Configure Sync Data

By default, no user/group data is in sync. You need to specify them:

  1. Select the Users and groups option from the menu. By default no users/groups are listed.

  2. Click on Add user/group to add them.

    Add user/group

  3. In the Add Assignment screen, click on None Selected to add users and groups.

    None Selected

  4. In the users and groups page, select the users or groups you want to sync (use the search function to facilitate it) and click Select.

    Select users or groups

  5. In the Add Assignment page, select Assign.

    Assign button

  6. If you want to limit the user or group information synced with Visual Passcodes, you can select which fields are synced in the Attribute mapping menu option.

    1. There you can select Entra ID Groups or Entra ID Users attributes.

    Attribute mapping options 2. When selecting any option, you will see the list of attributes and choose which ones to sync by removing the unwanted ones. Changes are not applied until Save is selected. Discard allows you to leave without applying changes.

    Attribute list

  7. For testing if sync is working, select Provision on-demand in the left panel. Search for a user that is in scope for provisioning and provision them on-demand. Repeat with other users that you would like to test provisioning with.

    Provision on-demand

  8. Once your configuration is complete, select Overview in the left panel.

    1. Select Properties.
    2. Click the pencil icon to edit the properties. Enable notification emails and provide an email to receive quarantine emails. Enable accidental deletions prevention. Click Apply to save the changes.

    Properties configuration

  9. Select Start provisioning to start the Microsoft Entra provisioning service.

    Start provisioning

  10. Once the initial cycle has started, you can select Provisioning logs in the left panel to monitor progress, which shows all actions done by the provisioning service on your app.