SCIM Setup in Entra ID

This page offers information on how to set up and configure SCIM in your Entra ID environment for seamless identity management.

Step 1: Retrieve the Bearer Token

For general guidance on configuring SCIM and retrieving short-term and long-term bearer tokens, see Steps to set up SCIM. After completing those steps, proceed to the next section, which provides detailed instructions for configuring your Entra ID environment for provisioning

Step 2: Configure Provisioning in Entra ID

1. Set Provisioning Mode to Automatic and under Admin Credentials add the following Tenant URL: https://<CustomerDomain>.leanix.net/services/mtm/v1/scim/v2 and Secret Token would be your Long-lived bearer token

2. Ensure that the provisioning of AD Groups is disabled.

3. Update attribute mapping to include only userPrincipalName, mail, Switch, givenName, surname, and department and delete all the others.

To make Entra ID completely compatible with the SCIM implementation, the predefined email attribute must be configured as a matching attribute with matching precedence 2.

To learn more about matching attributes in Microsoft Entra ID, please refer to their documentation here. To learn more about how to build a SCIM endpoint and integrate it with the Microsoft Entra provisioning service, please refer to their documentation here.

4. Test the provisioning by selecting Provision on demand and provisioning a test user.

5. Once the test user is provisioned successfully, click Start provisioning.

Step 3: Configure Externally Managed Roles

For customers who are managing their roles in Entra ID, a new attribute will have to be created and mapped for the role property.

1. Check the box to Show Advanced Options on the Attribute Mapping page and then Edit attribute list.
   
2. Enter the shown information for role.

3. Now, you will add a new mapping with the following expression: