Automated user provisioning via SCIM API

Introduction

With our Azure AD synctool, you need to host the sync client somewhere (for example on a VM) and keep it up to date. This is why we proudly introduce the Azure SCIM client. SCIM stands for 'System for Cross-domain Identity Management' and it is only compatible with Microsoft Entra ID (previously called Azure AD). With the Azure SCIM client user management API, you can automatically send users, user groups and group membership information straight from your Microsoft Entra ID to Workspace 365, without having to install anything.

It is considered best practice to only sync selected users and/or groups from Microsoft Entra ID to Workspace, granting access based on the principle of least privilege. Syncing all users and/or groups may result in poor performance of your Workspace 365 environment. Also note that groups synced through the SCIM API must afterwards be deleted manually in Workspace if needed (see limitations).
If you encounter any problems during the setup or while running SCIM, check our SCIM troubleshooting article.


How does SCIM work?

Each individual Workspace 365 environment is linked to a different Azure tenant. This is why you need to configure the SCIM API for each Workspace 365 environment. When you enable the SCIM API in Workspace, you generate a SCIM API token. This token is used for authentication between the SCIM endpoint (Workspace URL) and SCIM API client (Microsoft Entra ID Provisioning Service/Azure Enterprise Application).

It uses common REST API endpoints to create, update, and delete objects. For example, if you want to add a user from your Microsoft Entra ID to Workspace, the SCIM client makes an HTTP POST of a JSON object to the user (list) endpoint to create a new user entry. SCIM defines a pre-defined schema for common attributes such as group name, UPN, first name, last name and email.

Also take note of the following:

  • With SCIM, the Workspace admin role is always managed from the workspace.
  • Microsoft Entra ID is leading for all user changes. This means that if you want to remove or add users (and/or groups), you need to do this in Microsoft Entra ID and not in Workspace 365. The only exception, where you do make manual user changes in Workspace, is for users (and/or groups) that were manually created in Workspace and do not exist in Microsoft Entra ID.
  • Azure automatically provisions and updates user accounts at a regularly scheduled time interval, typically every 40 minutes. The sync may take a longer or shorter time to complete, depending on your Microsoft Entra ID environment. We cannot influence the sync interval.
  • If you manage multiple Workspace environments, you need to configure the SCIM API for each Workspace 365 environment.
  • If applicable, you need to disable the Azure AD synctool client if you want to use SCIM.
  • If you are switching over to SCIM from the Azure AD synctool, users that were already synced to the workspace using the synctool will stay there if they are included in the SCIM scope. Users not included in the SCIM scope will end up in the deleted user list (soft delete). If needed, these users can be restored via the deleted users list in the workspace.
  • If you are switching to SCIM from manually importing users, SCIM will connect the users in workspace to the corresponding users in Microsoft Entra ID.
  • If you permanently delete users from Microsoft Entra ID, these users will also be permanently deleted in Workspace as they won't appear in the deleted user list (hard delete).
  • To delete groups from the workspace with SCIM, you can either remove the group from the sync scope in Azure, or delete the group from Azure entirely.

[Image: SCIM.png]


Requirements

  • SCIM is only available to hosted partners and customers.
  • Microsoft Entra ID Premium (P1 or P2) license to set up the SCIM application.
  • Azure Global administrator to set up the SCIM application.
  • Users do not need to have a license for SCIM to sync them.
  • Users must have a first and last name.
  • Users must have a UPN.
  • Groups must have a unique "DisplayName" in Microsoft Entra ID.
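The POST described under "How does SCIM work?" together with the requirements above, as an added example (not code from Workspace 365 or the Entra ID provisioning service): it builds the SCIM 2.0 User resource the provisioning service sends with the bearer token, and checks a batch of users and groups against the first name, last name, UPN and unique DisplayName rules before they are provisioned. The token value and user/group data are constructed sample values.

```python
import json

# Standard SCIM 2.0 core schema URNs (RFC 7643)
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"


def build_user(upn, first, last, email, active=True):
    """Build the SCIM User resource that Entra ID POSTs to the Users endpoint."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": upn,                      # UPN from Entra ID
        "name": {"givenName": first, "familyName": last},
        "emails": [{"value": email, "primary": True}],
        "active": active,
    }


def build_request(token, resource):
    """Headers and JSON body of the POST; the SCIM API token goes in the Bearer header."""
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/scim+json",
    }
    return headers, json.dumps(resource)


def validate_user(user):
    """Return the requirement violations for one user resource (empty list = OK)."""
    problems = []
    if USER_SCHEMA not in user.get("schemas", []):
        problems.append("missing core User schema")
    if not user.get("userName"):
        problems.append("missing UPN (userName)")
    name = user.get("name") or {}
    if not name.get("givenName"):
        problems.append("missing first name")
    if not name.get("familyName"):
        problems.append("missing last name")
    return problems


def find_duplicate_group_names(groups):
    """displayNames used by more than one group; such groups cannot be synced."""
    seen, dupes = set(), set()
    for group in groups:
        name = group.get("displayName", "")
        if name in seen:
            dupes.add(name)
        seen.add(name)
    return sorted(dupes)
```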


Limitations

  • A maximum of 100,000 users and 10,000 groups can be synced via automated user provisioning using SCIM per Workspace environment.
  • Members of nested groups will not be imported straight away. Click here for more information.
  • You cannot sync groups that do not have a unique "DisplayName" in Microsoft Entra ID.
