Version: Config V2

(Beta) User Provisioning (SCIM) with Entra ID (Azure AD)

info

Beta Feature: SCIM provisioning is in public beta. It has been thoroughly tested with various Identity Providers. We're now collecting feedback from real-world usage to fine-tune the experience. Share your feedback here.

Introduction

Each Identity Provider requires specific information to configure a SCIM integration. This guide walks you through connecting ConfigCat with Entra ID via SCIM.

1. Create an Entra ID Enterprise Application

info

If you have already configured your organization to use Entra ID as a SAML provider, you can use the existing Entra ID Enterprise application and skip to the next step.

  • Log in to the Azure Portal, go to the Entra ID resource, select Enterprise applications, and click on New application.

  • Click on Create your own application.

  • Enter a descriptive App name, select the Integrate any other application you don't find in the gallery (Non-gallery) option, then click Create.


The next step shows how to set up Entra ID to synchronize your Identity Provider users and Identity Provider groups to ConfigCat.

2. Configure Provisioning (SCIM) for the Azure Enterprise Application

  • In the Manage section of the application, select Provisioning, then click on New Configuration.

  • Gather the SCIM URL and the Token from the Authentication & Provisioning page in ConfigCat.

  • Add the SCIM URL as the Tenant URL and the Token as the Secret token on the New provisioning configuration page in Azure. Click on the Create button.

  • Select the Provisioning menu and, under Mappings, configure the mappings for Users and Groups.

    • Mapping for Users: Configure only the following mappings and remove all other mappings if there are any.

      | Provisioning Attribute | Microsoft Entra ID Attribute |
      | --- | --- |
      | externalId | objectId |
      | userName | userPrincipalName |
      | displayName | displayName |
      | active | Switch([IsSoftDeleted], , "False", "True", "True", "False") |
    • Mapping for Groups: Configure only the following mappings and remove all other mappings if there are any.

      | Provisioning Attribute | Microsoft Entra ID Attribute |
      | --- | --- |
      | externalId | objectId |
      | displayName | displayName |
      | members | members |
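The following is an added example, not ConfigCat's or Microsoft's code: a Python check that compares attribute mappings transcribed from the portal against the User and Group mappings listed above and flags missing, altered, or extra entries. The input dict format, the function names, and the sample values are assumptions made for illustration, and the sample is constructed.

```python
# Required mappings (SCIM target -> Entra ID source), copied from this guide.
ACTIVE_EXPR = 'Switch([IsSoftDeleted], , "False", "True", "True", "False")'
REQUIRED = {
    "User": {
        "externalId": "objectId",
        "userName": "userPrincipalName",
        "displayName": "displayName",
        "active": ACTIVE_EXPR,
    },
    "Group": {"externalId": "objectId", "displayName": "displayName", "members": "members"},
}


def _norm(expr):
    """Ignore whitespace and case so cosmetic differences are not flagged."""
    return "".join(expr.split()).lower()


def audit_mappings(object_type, configured):
    """Return sorted (finding, attribute) pairs; `configured` is {target: source},
    transcribed by hand from the portal (assumed format, not an Entra export)."""
    required = REQUIRED[object_type]
    findings = []
    for target, source in required.items():
        if target not in configured:
            findings.append(("missing", target))
        elif _norm(configured[target]) != _norm(source):
            findings.append(("wrong-source", target))
    # The guide says to remove all other mappings; each extra one is sent to the SCIM endpoint.
    findings += [("extra", t) for t in configured if t not in required]
    return sorted(findings)


def scim_active(is_soft_deleted):
    """Result of ACTIVE_EXPR: Switch maps "False" -> "True" and "True" -> "False"."""
    return {"False": "True", "True": "False"}[str(is_soft_deleted)]


# Constructed sample: two leftover mappings, and `active` mapped without the Switch inversion.
SAMPLE_USER = {
    "externalId": "objectId",
    "userName": "userPrincipalName",
    "displayName": "displayName",
    "active": "IsSoftDeleted",
    'emails[type eq "work"].value': "mail",
    "name.givenName": "givenName",
}
```

Calling `audit_mappings("User", SAMPLE_USER)` reports the two extra attributes and the altered `active` source; `scim_active(True)` shows that a soft-deleted Entra ID user is provisioned with `active` set to "False".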

3. Assign Users/Groups to the Enterprise Application

To start user provisioning with Entra ID, you need to assign groups to the Enterprise application.

  • Select Users and groups in the Manage section of the menu, and click Add user/group. Then select the groups you want to assign.

caution

In ConfigCat, you can assign permissions only to groups that are synchronized from your Identity Provider. It is therefore important to select groups for synchronization rather than individual users.

4. Start provisioning

  • Go to the Overview page of the provisioning configuration and click on Start provisioning.

  • Wait until the first provisioning is finished, and you should see each synced group and user on ConfigCat's Authentication & Provisioning page.

5. Next Steps