How to set up SCIM with Microsoft Entra ID

This article provides instructions on how to set up SCIM within the Microsoft Entra ID SAML2 and OpenID Connect single sign-on applications.

  Prerequisites

  • OpenID Connect or SAML2 application configured.
  • Global Admin rights to the Azure tenant.
  • Public API module enabled.
  • Admin/owner access to the Templafy tenant.

Step-by-step instructions

Generate the SCIM (Secret) Token

  1. Ensure the Public API module has been enabled in the Templafy Admin Center.
  2. Navigate to the Account section.
  3. In the API Keys tab, click Create key.
  4. Provide a name for the key and click Next.
  5. Click Add scope and select scim.
  6. Click Create.
  7. Click Copy key for use in step 2 below.

  Note

  • The keys are unique and non-recoverable. If you lose the key, you will have to generate a new one.
  • The name of a key cannot be edited after its creation.

Configure SCIM in Microsoft Entra ID

  1. Open the Templafy OpenID Connect or SAML2 enterprise application in Microsoft Entra ID.
  2. Navigate to the Provisioning tab.
  3. Select Automatic in the Provisioning Mode dropdown.
  4. Under the Admin Credentials section, fill in the Tenant URL and Secret token:
  5. Click Test connection.
  6. Once the connection has been established, Save the configuration.
  7. Return to the main application screen.

Assign User or User Groups to the SCIM application

  1. Navigate to the Users and groups tab.
  2. Click Add user/group on the top ribbon.
  3. Select the necessary users/groups and click Assign.

Verify the Attribute Mappings within the SCIM Configuration (SAML2 Only)

  Important

If an end user's userprincipalname and emailaddress differ, change the userName source attribute mapping to mail. Ensure the same update is applied to the Single sign-on claim mappings.

  Note

If using SAML2 SSO, the attribute mappings in SCIM should be the same as the attributes mapped in single sign-on. This may include additional claims configured in single sign-on (such as custom claims), or mappings that were changed (such as nameIdentifier mentioned above). 

  1. Navigate to the Provisioning tab.
  2. Click Edit attribute mappings.
  3. Scroll down to the Mappings section.
  4. Click on Provision Microsoft Entra ID Users.
  5. Click on the attribute to re-map and Save the changes. 

Test SCIM using Provision on demand

It is important to test SCIM with a user prior to running the initial synchronization to ensure the user is successfully created in Templafy with accurate AD claim data.

In order to use the Provision on demand feature, the user must already be assigned to the application. This feature does not support provisioning of groups, only users.

  1. In the Provisioning tab, click Provision on demand on the top ribbon.
  2. Search for and select the desired user.
  3. Click Provision.

After the user is provisioned, export details are shown along with other useful information about the provision including scoping, matching, and action details.

Enable SCIM

  1. In the Provisioning tab, click Start provisioning.

When you start provisioning, all users and groups assigned to the application are synced into your Templafy tenant. Once the initial sync is finished, you can check the Provisioning logs for the status of the sync (who was synced and who was not synced).

Troubleshooting

If SCIM is not functioning as expected, complete the steps below:

  1. Check the Provisioning logs to see if updates were skipped or failed.
  2. Click Restart provisioning to see if updates start to flow into Templafy.

  Note

  • "Microsoft's Entra ID currently can't provision null attributes. If an attribute is null on the user object, it will be skipped."
    • In practical terms, this means that if a particular Microsoft Entra ID user attribute is set to null or has no value when provisioning a new user account or updating an existing one, Microsoft will not handle it as expected; instead, it will ignore that attribute. This limitation is specific to Microsoft Entra ID SCIM and does not affect the authentication flow.
  • Data changes to capitalization are not treated as new values by SCIM. In order to change capitalization: change the data value to something else, have it populate in Templafy, and then change the value back with the updated capitalization.
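
The pre-sync check below is an added example, not part of the original article or of Templafy's or Microsoft's tooling. It runs over a constructed user export and flags the three conditions called out in this article: a userPrincipalName that differs from mail, null attributes that Microsoft Entra ID will skip, and updates that change only capitalization. The record layout, the MAPPED attribute list and the function names are assumptions.

```python
# Added example: pre-sync audit over a constructed user export.
# Assumption: records are dicts keyed by Microsoft Graph user property names,
# and MAPPED lists the attributes you map in SCIM (adjust to your mappings).
MAPPED = ["userPrincipalName", "mail", "displayName", "department"]

SAMPLE_USERS = [  # constructed sample data
    {"userPrincipalName": "ana@example.com", "mail": "ana@example.com",
     "displayName": "Ana Ruiz", "department": "Legal"},
    {"userPrincipalName": "bo@example.com", "mail": "bo.li@example.com",
     "displayName": "Bo Li", "department": None},
    {"userPrincipalName": "cy@example.com", "mail": None,
     "displayName": "Cy Moe", "department": ""},
]


def is_empty(value):
    """True for null or blank values, which Entra ID skips when provisioning."""
    return value is None or (isinstance(value, str) and not value.strip())


def audit_user(user, mapped=MAPPED):
    """Return the findings for one user record."""
    findings = []
    upn, mail = user.get("userPrincipalName"), user.get("mail")
    # Compared case-insensitively (assumption): a mismatch means the userName
    # mapping and the single sign-on claim should both use mail.
    if not is_empty(upn) and not is_empty(mail) and upn.casefold() != mail.casefold():
        findings.append("upn_mail_mismatch")
    findings += [f"null_attribute:{a}" for a in mapped if is_empty(user.get(a))]
    return findings


def case_only_changes(before, after, mapped=MAPPED):
    """Attributes whose update differs only in capitalization (not synced as new)."""
    return [a for a in mapped
            if isinstance(before.get(a), str) and isinstance(after.get(a), str)
            and before[a] != after[a] and before[a].casefold() == after[a].casefold()]


def audit(users):
    """Map each user with findings to its list of findings."""
    report = {}
    for user in users:
        findings = audit_user(user)
        if findings:
            report[user.get("userPrincipalName") or "<no upn>"] = findings
    return report
```

Run audit() on an export before clicking Start provisioning, and case_only_changes() on the old and new record when an update does not appear in Templafy.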