Automated user provisioning via SCIM API

Introduction

SCIM (System for Cross-domain Identity Management) is our latest user provisioning solution. It syncs your users, groups and group memberships from Entra ID (previously Azure AD) to your workspace. It runs directly from Azure, so you no longer need a separate machine, as the Azure AD synctool requires.

As each individual Workspace 365 environment is linked to a different Azure tenant, SCIM has to be configured for each environment individually. You generate an API key in your workspace environment; this key authenticates the SCIM application to the workspace.


Requirements

  • SCIM is only available to hosted partners and customers.
  • Azure Global administrator with a Microsoft Entra ID Premium (P1 or P2) license to set up the SCIM application.
    • Users do not need to have a license for SCIM to sync them.
  • Users must have a First name and Last name in Entra ID.
  • Users must have a UPN.
  • Groups must have a unique “DisplayName” in Entra ID.


How does SCIM work?

The SCIM application uses standard REST API endpoints to create, update and delete users and groups. If you add a user, for example, SCIM sends an HTTP POST with a JSON object to the Users endpoint to create the new user entry. The SCIM application uses a pre-defined schema supplied by Workspace 365, with common attributes such as group name, UPN, first name, last name and email.

To set up SCIM, refer to Azure SCIM client setup. If you encounter any issues, see Troubleshooting SCIM. When implementing SCIM, keep the following in mind:

  • With SCIM, the Workspace admin role is always managed from the workspace.
  • See About billing and invoicing for details on how to set users active/inactive.
  • SCIM has a set interval of around 40 minutes between syncs. This interval cannot be changed.
  • Deleting users/groups:
    • Users removed from the SCIM scope will end up in the deleted users list (soft delete). These users can be restored if necessary.
    • Groups removed from the SCIM scope will be permanently deleted from the workspace (hard delete).
    • Users or groups that are permanently deleted in Entra ID will be permanently deleted from the workspace (hard delete).
  • If you are switching to SCIM from the Azure AD synctool, ensure that the SCIM scope contains all users and groups you want to keep in the workspace to make sure they stay in the workspace after the switch.
  • If you are switching to SCIM from manually importing users, SCIM will connect existing workspace users to the corresponding users in Entra ID.
  • The SCIM sync does not affect users' profile pictures; these are loaded or changed once the user signs in.
  • For the Phone number in the workspace profile we look at the Mobile phone field in Entra ID.
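The requirements and attribute mapping above can be checked before a sync runs. The following is an added example (not Workspace 365 code): it validates a constructed set of Entra user and group records against the rules on this page (first name, last name and UPN present; group DisplayName unique) and builds the JSON object that would be POSTed to the Users endpoint. The standard SCIM 2.0 core User schema is assumed here, since the Workspace 365 schema itself is not shown on this page.

```python
from collections import Counter

# Standard SCIM 2.0 core User schema URI; the Workspace 365 schema is assumed to be compatible.
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Entra attributes this page requires for a user to be synced.
REQUIRED_USER_FIELDS = ("givenName", "surname", "userPrincipalName")


def check_users(users):
    """Return one problem string per user that the requirements above would reject."""
    problems = []
    for u in users:
        missing = [f for f in REQUIRED_USER_FIELDS if not u.get(f)]
        if missing:
            problems.append(f"user {u['id']}: missing {', '.join(missing)}")
    return problems


def check_groups(groups):
    """Return one problem string per DisplayName that is shared by more than one group."""
    counts = Counter(g["displayName"] for g in groups)
    return [f"group displayName '{n}' is used by {c} groups" for n, c in sorted(counts.items()) if c > 1]


def user_payload(u):
    """Build the JSON object that is POSTed to the Users endpoint when a user is added."""
    payload = {
        "schemas": [SCIM_USER],
        "externalId": u["id"],
        "userName": u["userPrincipalName"],
        "name": {"givenName": u["givenName"], "familyName": u["surname"]},
        "emails": [{"value": u.get("mail") or u["userPrincipalName"], "primary": True}],
        "active": True,
    }
    if u.get("mobilePhone"):  # the workspace phone number comes from the Entra Mobile phone field
        payload["phoneNumbers"] = [{"value": u["mobilePhone"], "type": "mobile"}]
    return payload


# Constructed sample tenant data, not taken from a real directory.
SAMPLE_USERS = [
    {"id": "u-1", "givenName": "Ada", "surname": "Lovelace", "userPrincipalName": "ada@example.com",
     "mail": "ada@example.com", "mobilePhone": "+31 6 0000 0000"},
    {"id": "u-2", "givenName": "Alan", "surname": "", "userPrincipalName": "alan@example.com"},
]
SAMPLE_GROUPS = [{"displayName": "Finance"}, {"displayName": "Finance"}, {"displayName": "HR"}]
```

Running `check_users(SAMPLE_USERS)` and `check_groups(SAMPLE_GROUPS)` lists the records that would be skipped or fail to sync, so they can be corrected in Entra ID before the 40-minute sync cycle picks them up.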



Limitations

  • A maximum of 100,000 users and 10,000 groups can be synced via automated user provisioning using SCIM per Workspace environment.
  • Members of nested groups will not be imported straight away; see the separate documentation on nested groups for more information.
  • You cannot sync groups that don't have a unique "DisplayName" in Microsoft Entra ID.
