Configure SCIM Provisioning with Entra ID

Starting in Strategy One (September 2025), you can integrate Library SCIM with Entra ID provisioning.

Prerequisite

Before configuring SCIM in Entra ID, Library SCIM 2.0 service must be enabled and configured in Workstation. For more information, see Configure the Library Server as SCIM 2.0 Service Provider.

Configure Entry on Entra ID and Enable SCIM Provisioning

1. Login to Microsoft Azure and go to Enterprise applications.

2. You can enable user provisioning on an existing enterprise application, such as one configured with SAML SSO, or you can create a new application specifically for user import and sync. To create a new application for user import and sync:

   1. In the Azure left navigation, go to All Applications under Manage.

   2. Click New Application and Create your own application.

   3. Type a name for your app.

   4. In What are you looking to do with your application?, select Integrate any other application you don't find in the gallery (Non-gallery).

   5. Click Create.

3. Open your enterprise application and in the left navigation, go to Provisioning under Manage.

4. Click New configuration.

5. In Admin credentials, enter the Base URL from your Workstation configuration in Tenant URL.

6. Enter the Bearer Token from your Workstation configuration in Secret token.

7. Click Test Connection.

8. Click Create.

   If your New provisioning configuration dialog has an Authentication Method option, choose Bearer Authentication.

9. In the left navigation, go to Attribute mapping (Preview) under Manage.

10. Click Provision Microsoft Entra ID Users.

11. Toggle Enabled to Yes.

12. Select the check box next to all Target Object Actions (Create, Update, and Delete).

13. In Attribute Mappings, click Add New Mapping and add the following attribute mappings:

    • userName

    • active

    • displayName

    • emails[type eq"work"].value

14. Click Save.

15. Click Provision Microsoft Entra ID Groups.

16. Toggle Enabled to Yes.

17. Select the check box next to all Target Object Actions (Create, Update, and Delete).

18. In Attribute Mappings, click Add New Mapping and add the following attribute mappings:

    • displayName

    • members

19. Click Save.

    After configuring your users and groups, the Users and groups page of your application is provisioned to the Library server with SCIM API requests and updates to the page will be synced to the Library server.

20. In the left navigation, click Overview (Preview) and click Start provisioning.

    Entra ID will synchronize user/group changes to Library in 40 minute intervals.

Troubleshooting

When the administrator manually edits user and group information from Workstation, it can cause inconsistency between Entra ID and the Intelligence server. This is a common issue for SCIM connectors. To reduce network traffic, SCIM connectors, such as Entra ID, only perform full user and group sync during the first configuration. Subsequent synchronizations are incremental and are only triggered by changes to Entra ID. To solve this issue and trigger full synchronization, click Restart provisioning in the Overview dialog.

Related Topics

See the following Microsoft topics on SCIM configuration in Entra IS:

• SCIM synchronization with Microsoft Entra ID

• Known issues and resolutions with SCIM 2.0 protocol compliance of the Microsoft Entra user provisioning service