SCIM Provisioning of Users and Teams with Entra ID (previously known as Azure AD)

 

System for Cross-domain Identity Management (also known as "SCIM") is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), de-provision (deactivate), and update user data across multiple applications at once. 

To set up SCIM provisioning in Entra ID (previously known as Azure AD), you will need the involvement of both the monday.com admin and the manager of your Entra ID account.

 

SCIM capabilities supported in monday.com

  • Provisioning of Users
  • De-provisioning of Users
  • Provisioning of Teams
  • De-provisioning of Teams
  • Team Renaming
  • Updating User Details
  • Assigning Users to Teams
  • Un-assigning Users from Teams

 

Configuration

  • Step 1 - Add monday.com to Entra ID

Go to your Entra ID homepage and click "Enterprise Applications" on the left pane.

Then, click the New application button:


Search for the monday.com application and select it from the search results:


 

Give the app a name and click on the "Create" button at the bottom:


 

  • Step 2 - Go to Provisioning

Go to the Provisioning section and click "Get Started".

On the following page, select the "Automatic" Provisioning Mode:


 

In the "Admin Credentials" section, enter the following:

  • Tenant URL:
    This should be taken from your monday.com account (see instructions below)
  • Secret Token:
    This should be taken from your monday.com account (see instructions below)

 

Go to the monday.com Admin section to retrieve the provisioning token

  • Open up your monday.com account
  • Click on your avatar > Admin
  • Go to the Security section
  • Click on SCIM


Here you can generate the provisioning URL and token, then copy and paste them into the "Tenant URL" and "Secret Token" fields in Entra ID.

 

Click the "Test Connection" button to verify that the credentials are authorized for provisioning:


 

Click "Save" on the left-hand side of the page to save the configuration.

 

Under Settings, make sure to set the scope to "Sync only assigned users and groups":


Important Note: As a security measure, we recommend verifying that the Scope is set to "Sync only assigned users and groups" before starting provisioning. This ensures that provisioning is limited to assigned users/groups only, and that no other Entra ID users are given access to monday.com unintentionally.

 

To start provisioning, set Provisioning Status to "On":


 

Click "Save" on the left-hand side of the page to save the Provisioning Status.

Note: Provisioning sync is done every 40 minutes. 

 

Set Up User Provisioning

Go back to the application main page, and then go to "Users and groups":


Click "Add user":


Then, click "Users and groups":


Search for users and select them from the list, and then click the "Select" button at the bottom of the screen.

 

Click the "Assign" button at the bottom-left side:


Note: If you deprovision a user from the monday.com app, the user will exist in monday.com as an inactive user and will not be counted towards your monday.com user count.

  

User Attributes

These fields are supported for mapping user attributes:

  • Name (can’t contain special characters)
  • Email (must be lowercase)
  • Title (user’s position in the company)
  • Active (whether or not a user is enabled or disabled)
  • User type (we'll discuss this in the section below!)

Note: The username should always be the user’s email address.

 

Do note, when using Entra ID for both SCIM provisioning and SSO login:

  • When a user is created via SCIM provisioning, their email in monday.com will always match the 'UserPrincipalName' parameter in Entra ID
  • When connecting SSO, you need to ensure the email field sent to monday.com is mapped to 'UserPrincipalName' or a field that holds an equivalent value
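
A pre-flight check of exported Entra ID user records against the attribute rules above, as an added example (not monday.com's or Microsoft's code). The records are constructed; `displayName`, `userPrincipalName` and `mail` are Microsoft Graph user properties, and the set of characters accepted in a name is an assumption, since the article does not define "special characters".

```python
import re

# Assumption: letters, digits, spaces, periods, apostrophes and hyphens are
# acceptable in a name; the article does not list the rejected characters.
DISALLOWED = re.compile(r"[^\w .'\-]|_")
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_user(rec):
    """Return a list of findings for one exported user record."""
    findings = []
    upn = rec.get("userPrincipalName") or ""
    mail = rec.get("mail") or ""
    name = rec.get("displayName") or ""
    if not EMAIL_SHAPE.match(upn):
        findings.append("upn-not-email")
    if upn != upn.lower():
        findings.append("upn-not-lowercase")
    # SCIM creates the account with the UPN as its email; an SSO claim mapped
    # to `mail` would then present a different address at login.
    if mail and mail.lower() != upn.lower():
        findings.append("mail-differs-from-upn")
    if DISALLOWED.search(name):
        findings.append("name-has-special-characters")
    return findings

def preflight(records):
    """Map each UPN that has at least one finding to its findings."""
    report = {}
    for rec in records:
        findings = check_user(rec)
        if findings:
            report[rec.get("userPrincipalName", "<missing>")] = findings
    return report

# Constructed sample export (not real accounts).
SAMPLE = [
    {"displayName": "Dana Levi", "userPrincipalName": "dana.levi@example.com", "mail": "dana.levi@example.com"},
    {"displayName": "Omar Haddad (Contractor)", "userPrincipalName": "Omar.Haddad@example.com", "mail": "omar.haddad@example.com"},
    {"displayName": "Li Wei", "userPrincipalName": "li.wei@example.com", "mail": "lwei@corp.example.com"},
    {"displayName": "Guest", "userPrincipalName": "guest_example.org#EXT#@example.onmicrosoft.com", "mail": "guest@example.org"},
]

if __name__ == "__main__":
    for upn, findings in preflight(SAMPLE).items():
        print(upn, findings)
```

Records with a finding are worth fixing in Entra ID, or leaving unassigned, before Provisioning Status is set to "On".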

 

Provisioning user types

If you choose not to provision the user type attribute, you can remove it from the attribute mapping by following the steps below:

 

Go to the Provisioning section. Under Mappings, click Provision Azure Active Directory Users:


 

Scroll down to the Attribute Mapping table and make sure to delete the roles attribute by clicking the Delete button:


 

Click "Save" on the left-hand side of the page to save the configuration.

 

To configure account custom roles as user type:

  1. Configure the relevant custom role on monday.com as described in this article.
  2. Go to Entra ID and click on "App registrations" and search for the monday.com application.
  3. After selecting the monday.com app, navigate to "App roles" where you can view all roles and then click on "Create app role".
  4. From the resulting screen, you can configure a new role. To learn more about creating new roles within Entra ID, check out this article. Here, you'll copy the custom role ID from monday.com to use as the "Display name" (instructions for this are outlined in number 5 below.)
  5. The new role named under “Display name” will be the custom role ID from the monday.com platform. This can be taken from the account permissions center by clicking on the three-dot menu right next to the role name and then "Copy ID", as shown below.


 

Set-Up Team Provisioning

You can provision Groups from Entra ID to monday.com by assigning a Group to the monday.com application. Doing this will create a new Team in your monday.com account with all the users that are assigned to that group in Entra ID.

Important Note: If you assign a group to the monday.com app within Entra ID, and there is a monday.com team with the same name, then the Entra ID group will replace it.
For privacy reasons, we recommend coordinating team provisioning with the monday.com admin, to avoid users losing access to their data or gaining access unintentionally.

 

To do this, go to the application main page, and then go to "Users and groups":


Click "Add user":


 

Then, click "Users and groups":


Search for a group and select it from the list, and then click the "Select" button at the bottom.

 

Click the "Assign" button at the bottom-left side:
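
Before assigning a group, the replacement behaviour described in the Important Note above can be checked offline. The following is an added example (not monday.com's code): it assumes the monday.com admin supplies the current team names and member emails, uses constructed data, and treats "same name" as an exact match after trimming whitespace, which is an assumption.

```python
def replacement_impact(entra_groups, monday_teams):
    """For each Entra group whose name matches an existing team, list who
    would lose and who would gain team membership if the group replaces it."""
    # Assumption: "same name" means an exact match after trimming whitespace;
    # names that differ only by case are returned separately for manual review.
    teams = {name.strip(): {m.lower() for m in members}
             for name, members in monday_teams.items()}
    by_fold = {name.casefold(): name for name in teams}
    impact, near = {}, []
    for raw_name, members in entra_groups.items():
        name = raw_name.strip()
        incoming = {m.lower() for m in members}
        if name in teams:
            current = teams[name]
            impact[name] = {
                "lose_membership": sorted(current - incoming),
                "gain_membership": sorted(incoming - current),
            }
        elif name.casefold() in by_fold:
            near.append((name, by_fold[name.casefold()]))
    return impact, near

# Constructed sample data (not real groups, teams or accounts).
ENTRA_GROUPS = {
    "Finance": ["ana@example.com", "ben@example.com"],
    "marketing": ["cleo@example.com"],
    "Platform Engineering": ["dev@example.com"],
}
MONDAY_TEAMS = {
    "Finance": ["ana@example.com", "zoe@example.com"],
    "Marketing": ["cleo@example.com"],
    "Legal": ["yan@example.com"],
}

if __name__ == "__main__":
    impact, near = replacement_impact(ENTRA_GROUPS, MONDAY_TEAMS)
    print("would be replaced:", impact)
    print("case-only name differences to review:", near)
```

An empty result means no assigned group shares a name with an existing team; any entry under `lose_membership` or `gain_membership` is a change to agree with the monday.com admin first.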


 

Error Handling

The table below lists error codes and their possible reasons. Check the third column for resolution suggestions:

[Image: table of error codes, possible reasons, and resolution suggestions]

Set a default owner for automations, integrations, and workflows 

Tip: This option is ideal for accounts using SCIM or GraphQL.

 

Note: You must be an admin to make a transfer of all automations from one owner to another or to set a default owner.

 

Admins can define a fallback policy that automatically transfers ownership of automations, integrations, and workflows from deactivated users, regardless of the reason for deactivation. As a result, no automations, integrations, or workflows will be affected by user offboarding, ensuring that the account's automated flows continue to run smoothly.

To access these settings, open the Administration section of your account:


 

And then the Automations Ownership tab:


 

With this option, automations, integrations, and workflows will automatically transfer to this default owner when a user is deactivated. This applies when any user is deactivated in your account.


 

You can choose any active user on your account to be the default owner. Select the user from the dropdown menu and click Save to apply your choice:


 

In addition, during the user deactivation process, the admin is able to change the default ownership transfer and select a different target owner for the automations of the off-boarded user. This can be done from the Users tab by clicking the three dots to the right of the user's name and selecting Deactivate user:


 

You can then choose a new owner from the dropdown menu. If you've set a default owner, you can override this default when manually deactivating a user within your monday.com account:


 

FAQs

We've outlined a list of SCIM-related frequently asked questions for you. Click on this link here to check them out!

 

 

 

If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.
