Set up a SCIM Provisioning App in Azure Active Directory

This feature set is currently in open-access beta. Functionality and documentation may change. Please contact your Customer Success Manager if interested in this beta!

This beta documentation will show you how to set up an Azure Active Directory (AD) enterprise app with System for Cross-domain Identity Management (SCIM) provisioning. When done, you will have enabled an enterprise app with provisioning to securely automate and manage user identity information, such as user account creation, updates, and deactivation, between Azure AD and strongDM.

Before You Begin

Ensure that you have the appropriate roles:

  • In Azure AD, you must be assigned one of the following roles: Application Administrator, Cloud Application Administrator, or Global Administrator.
  • In strongDM, you must be an Account Administrator.

Azure does not support the provisioning of nested roles via SCIM.

Azure AD SCIM Application Setup Guide

Create an enterprise application

  1. Log in to the Azure Active Directory portal.
  2. Go to Manage > Enterprise Applications in the left pane, and click + New application to create a new enterprise application.
  3. Click + Create your own application.
  4. Enter a descriptive name for your app, and then select Integrate any other application you don't find in the gallery (Non-gallery) because you’ll be creating your own application instead of using a published gallery app.

Set up provisioning

  1. Go to the app’s Provisioning section.

  2. Click Get Started.

  3. In the provisioning properties, set the following:

    1. Provisioning Mode: Set to Automatic.
    2. Tenant URL: Set
    3. Secret Token: Set the token from the strongDM Admin UI’s Settings > Provisioning section.

    In this step, you’re using the HTTP Header authentication method and providing a bearer token to access your SCIM implementation.

    The token is generated when provisioning is turned on for your strongDM instance, and it is shown one time only. To enable provisioning, please contact

  4. Click Test Connection to test whether the new app can connect to your SCIM API. If there are errors, make sure your tenant URL and secret token are correct and try again.

  5. Click Save.

Customize user provisioning attribute mappings

  1. Go back to the app’s Provisioning blade, and expand Mappings to view and edit the User attributes that flow between Azure AD and the target application.
  2. Edit the User Mappings one by one by deleting all attributes except for the following:
    1. userName
    2. active
    3. name.givenName
    4. name.familyName
    5. name.formatted
  3. Edit the Group Mappings in the same way by deleting all attributes except for the following:
    1. displayName
    2. members
  4. Set Provisioning Status to On.

Manual SCIM provisioning setup is now complete.

Due to an Azure limitation, syncs may occur from Azure at 40 minute intervals, so there may be changes or additions made in Azure that are not immediately reflected in strongDM (until the next sync).

Admin UI Guide — Previous
Next — Admin UI Guide
Set up an App in Okta for User & Group Provisioning