
SCIM Provisioning of Users and Teams with Azure AD


System for Cross-domain Identity Management (also known as "SCIM") is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), de-provision (deactivate), and update user data across multiple applications at once. 

To set up SCIM provisioning in Azure AD you will need to have the involvement of both the admin and the manager of your Azure AD account. 


SCIM capabilities supported in

  • Provisioning of Users
  • De-provisioning of Users
  • Provisioning of Teams
  • De-provisioning of Teams
  • Team Renaming
  • Updating User Details
  • Assigning Users to Teams
  • Un-assigning Users from Teams



  • Step 1 - Add to Azure AD

Go to your Azure AD homepage and click "Enterprise Applications" on the left pane.

Then, click the New application button:


Search for the application and select it from the search results:



Give the app a name and click on the "Create" button at the bottom:



  • Step 2 - Go to Provisioning

Go to the Provisioning section and click "Get Started".

On the following page, select the "Automatic" Provisioning Mode:



In the "Admin Credentials" section, enter the following:

  • Tenant URL:
    This should be taken from your account (see instructions below)
  • Secret Token:
    This should be taken from your account (see instructions below)


Go to the Admin section to retrieve the provisioning token:

  • Open up your account
  • Click on your avatar > Admin
  • Go to the Security section
  • Click on SCIM


Here you can generate the provisioning URL and token, then copy and paste them into Azure AD.


Click the "Test Connection" button to verify that the credentials are authorized for provisioning:



Click "Save" on the left-hand side of the page to save the configuration.


Under Settings, make sure to set the scope to "Sync only assigned users and groups":


Important Note: As a security measure, we recommend that you verify that the Scope is set to "Sync only assigned users and groups" before starting provisioning. This ensures that provisioning is limited to assigned users/groups only, and that no other Azure AD users will have access to unintentionally.


To start provisioning, set Provisioning Status to "On":



Click "Save" on the left-hand side of the page to save the Provisioning Status.

Note: Provisioning sync is done every 40 minutes. 


Set Up User Provisioning

Go back to the application main page, and then go to "Users and groups":

Click "Add user":


Then, click "Users and groups":


Search for users and select them from the list, and then click the "Select" button at the bottom of the screen.


Click the "Assign" button at the bottom-left side:


Note: If you deprovision a user from the app, the user will exist in as an inactive user and will not be counted towards your user count.


User Attributes

These fields are supported for mapping user attributes:

  • Name (can’t contain special characters)
  • Email (must be lowercase)
  • Title (user’s position in the company)
  • Active (whether or not a user is enabled or disabled)
  • User type (we'll discuss this in the section below!)
Note: The username should always be the user’s email address.


Provisioning user types

When provisioning the User Type attribute, it is important to note that conflicting user types are not supported. This means that if a user is assigned twice (or more) with different user types/roles, whether directly or through a group in the app inside Azure AD, there will be a provisioning conflict error and the user won’t be provisioned properly.


For this reason, we highly recommend that each user is provisioned as the same user type (ex: member and member) any time that they are assigned in the app inside Azure AD. By doing this, we can ensure that provisioning will work properly for that user, and their user type will then be set correctly in as well!
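A pre-flight check for this conflict, as an added example (not code from this help article or its vendor): it expands direct and group assignments into each user's effective user types and reports anyone who would receive more than one, plus emails that are not lowercase. The assignment list, group memberships and function names are constructed for illustration, and treating differently cased spellings of an email as the same user is an assumption.

```python
from collections import defaultdict

# Constructed sample data (not from the original page). In practice this would
# come from an export of the enterprise app's "Users and groups" assignments.
# Each entry: (principal_kind, principal, assigned_user_type)
ASSIGNMENTS = [
    ("user", "ana@example.com", "member"),
    ("group", "Design", "member"),
    ("group", "Contractors", "guest"),
    ("user", "Raj@Example.com", "viewer"),
]
# Constructed sample: group name -> member emails
GROUP_MEMBERS = {
    "Design": ["ana@example.com", "li@example.com"],
    "Contractors": ["li@example.com", "sam@example.com"],
}


def effective_user_types(assignments, group_members):
    """Map each user (lowercased email) to {user_type: [paths granting it]}."""
    types = defaultdict(lambda: defaultdict(list))
    spellings = set()  # emails exactly as written in the export
    for kind, principal, user_type in assignments:
        if kind == "user":
            grants = [(principal, "direct")]
        elif kind == "group":
            grants = [(m, f"group:{principal}") for m in group_members.get(principal, [])]
        else:
            raise ValueError(f"unknown principal kind: {kind!r}")
        for email, path in grants:
            spellings.add(email)
            # Assumption: emails differing only in case are the same user.
            types[email.lower()][user_type].append(path)
    return types, spellings


def preflight(assignments, group_members):
    """Return (conflicts, not_lowercase) to resolve before enabling provisioning."""
    types, spellings = effective_user_types(assignments, group_members)
    conflicts = {
        email: {t: sorted(paths) for t, paths in by_type.items()}
        for email, by_type in types.items()
        if len(by_type) > 1  # the same type via several paths is fine
    }
    not_lowercase = sorted(e for e in spellings if e != e.lower())
    return conflicts, not_lowercase


if __name__ == "__main__":
    print(preflight(ASSIGNMENTS, GROUP_MEMBERS))
```

In the sample, `li@example.com` is flagged because two groups assign different user types, while `ana@example.com` is not, since both of her assignments are "member".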



If you choose not to provision the user type attribute, you can remove it from the attribute mapping by following the steps below:


Go to the Provisioning section. Under Mappings, click Provision Azure Active Directory Users:



Scroll down to the Attribute Mapping table and make sure to delete the userType attribute by clicking the Delete button:



Click "Save" on the left-hand side of the page to save the configuration.


To configure account custom roles as user type:

  1. Configure the relevant custom role on as described in this article.
  2. Go to Azure AD and click on "App registrations" and search for the application.
  3. After selecting the app, navigate to "App roles" where you can view all roles and then click on "Create app role":
  4. From the resulting screen, you can configure a new role. To learn more about creating new roles within Azure AD, check out this article. Here, you'll copy the custom role ID from to use as the "Display name" (instructions for this are outlined in number 5 below).
  5. The new role named under “Display name” will be the custom role ID from the platform. This can be taken from the account permissions center by clicking on the three-dot menu right next to the role name and then "Copy ID", as shown below.



Set-Up Team Provisioning

You can provision Groups from Azure AD to by assigning a Group to the application. Doing this will create a new Team in your account with all the users that are assigned to that group in Azure AD.

Important Note: If you assign a group to app within Azure AD, and there is a team with the same name, then the Azure AD group will replace it.
For privacy reasons, we recommend coordinating the team provisioning with the admin, in order to avoid users losing access to their data or users gaining access unintentionally.


To do this, go to the application main page, and then go to "Users and groups":

Click "Add user":



Then, click "Users and groups":


Search for a group and select it from the list, and then click the "Select" button at the bottom.


Click the "Assign" button at the bottom-left side:



Error Handling

The table below lists error codes and their possible reasons. Check the third column for resolution suggestions:




  • What happens if the admin who set up the initial SCIM token is no longer admin (their user type changed or they were deactivated)?

If the original admin who created the SCIM provisioning token on your account was deactivated or changed to a different user type (member, guest, or viewer), SCIM will no longer work on your account. In order to reactivate SCIM, the current admin of the account can generate a new token and enter it into the identity provider.


  • How can an admin generate a new SCIM token?

To generate a new SCIM token, open up the admin section of your account. From there, press on the "Security" tab, open up the SCIM section, click on the "Generate" button and copy the generated token.


After entering this token into your identity provider, you should be all set!


  • What happens if I change my personal attributes in my account? 

The sync with Azure AD is a one-way sync, and any changes made to a user profile in the profile or teams page will be overwritten the next time Azure AD syncs with your account. 

What does this mean? 

  • To change any attributes of the user profile, you will need to update them in Azure AD.
  • To add users to or remove users from teams created by Azure AD (see: Set-Up Team Provisioning), you will need to make these changes in Azure AD.
  • If you create a Team in that is not a group in Azure AD it will not be affected by the groups in Azure AD


  • What happens if I add users to a team in my account? 

If that team is provisioned by Azure AD, these users will eventually be kicked out of the team and replaced by the users that are provisioned to the matching Azure AD group. Otherwise, when you add users to a team in your account, they will remain in that team.



