Skip to main content
All CollectionsUser managementAutomated user provisioning via SCIM API
Automated user provisioning via SCIM API
Automated user provisioning via SCIM API
Updated over a week ago

Introduction

SCIM (System for Cross-domain Identity Manager) is our latest user provisioning solution, to sync your users, groups and group memberships from Entra ID (previously Azure AD) to your workspace. It runs directly from Azure, so you no longer need a separate machine as is a requirement for the Azure AD synctool.

As each individual Workspace 365 environment is linked to a different Azure tenant, SCIM has to be configured for each environment individually. You generate an API key in your workspace environment for the authentication between the SCIM application and the workspace.

Requirements

  • SCIM is only available to hosted partners and customers.

  • Azure Global administrator with a Microsoft Entra ID Premium (P1 or P2) license to set up the SCIM application.

    • Users do not need to have a license for SCIM to sync them.

  • Users must have a First name and Last name in Entra ID.

  • Users must have a UPN.

  • Groups must have a unique “DisplayName” in Entra ID.

How does SCIM work?

The SCIM application uses common REST API endpoints to create, update and delete endpoints. If you add a user, for example, SCIM makes a HTTP POST of a JSON object to the user (list) endpoint to create a new user entry. The SCIM application consists of a pre-defined schema supplied by Workspace 365, using common attributes like group name, UPN, first name, last name and email.

To setup SCIM, refer to Azure SCIM client setup. If you encounter any issues, see Troubleshooting SCIM. When implementing SCIM, keep the following in mind:

  • With SCIM, the Workspace admin role is always managed from the workspace.

  • SCIM has a set interval of around 40 minutes between syncs. This interval cannot be changed.

  • Deleting users/groups:

    • Users removed from the SCIM scope will end up in the deleted users list (soft delete). These users can be restored if necessary.

    • Groups removed from the SCIM scope will be permanently deleted from the workspace (hard delete).

    • Users or groups that are permanently deleted in Entra ID will be permanently deleted from the workspace (hard delete).

  • If you are switching to SCIM from the Azure AD synctool, ensure that the SCIM scope contains all users and groups you want to keep in the workspace to make sure they stay in the workspace after the switch.

  • If you are switching to SCIM from manually importing users, SCIM will connect existing workspace users to the corresponding users in Entra ID.

  • The SCIM sync does not affect users’ profile pictures, these are loaded/changed once the user signs in.

  • For the Phone number in the workspace profile we look at the Mobile phone field in Entra ID.

SCIM.png

Limitations

  • A maximum of 100.000 users and 10.000 groups can be synced via automated user provisioning using SCIM per Workspace environment.

  • Members of nested groups will not be imported straight away. Click here for more information.

  • You cannot sync groups that don't have a unique "DisplayName" in Microsoft Entra ID.

Related Articles
Azure SCIM client setup
Login with alias or as guest user
Troubleshooting SCIM
Troubleshooting user management
Troubleshooting the Azure AD synctool
Did this answer your question?