Provisioning users with Entra ID - olet88/SCIM-API GitHub Wiki
User provisioning works the same way regardless of the approach you choose. It is one-way, meaning you can only provision users from Entra ID to your application, not the other way around.
Getting Started
To begin, navigate to Entra ID and create a new enterprise application as shown in the menu below:
Adding users and groups
For this example, we’ll name the app "scimTest". Under the Manage section in the side menu, select Provisioning.
- Enter your tenant URL, ensuring it is suffixed with /scim/v2.
- If your app uses authentication (which it should in production!), enter the **secret token** here. This token will be included in the headers for all requests.
- After inputting these details, test the connection, then save the configuration.
An example tenant URL when using ngrok for local testing would be: https://4e43-2a55-799-487-7600-1d15-58nr-7392-28a0.ngrok-free.app/scim/v2.
Once configured, navigate back to Overview and start provisioning. Provisioning runs in 40-minute cycles due to a technical limitation in Entra ID. To add users and groups, click Users and groups in the side menu.
Groups and users are sent from Entra ID to the API using a POST request, while group members are always sent later with a PATCH request. You can also manually provision users and groups at any time using Provision on demand in the side menu. However, group members are only provisioned through the standard cycle. This is another limitation in Entra ID.
Deleting users and groups
By default:
- Groups are hard deleted: Entra ID sends a DELETE request when a group is removed from the app.
- Users are marked as inactive using a PATCH request instead of being deleted.
This API accounts for these behaviors.
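The following is an added example, not code from this repository. It sketches how a SCIM endpoint can check the secret token on each request and handle the two PATCH shapes described above (user deactivation and group member additions). Assumptions: the token arrives as `Authorization: Bearer <token>`, the `active` value may arrive as the string "False" as well as a JSON boolean, and the token value and function names are hypothetical.

```python
import copy
import hmac

# Constructed values for this example; not taken from the project.
SECRET_TOKEN = "example-secret-token"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def is_authorized(headers):
    """Check the bearer token sent with every provisioning request."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    # compare_digest avoids leaking the token through timing differences
    return scheme.lower() == "bearer" and hmac.compare_digest(
        token.encode(), SECRET_TOKEN.encode())

def _as_bool(value):
    # Assumption: the value is a JSON boolean or a string such as "False"
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"

def apply_patch(resource, body):
    """Apply a user-deactivation or member-add PatchOp to a copy of resource."""
    if PATCH_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    updated = copy.deepcopy(resource)  # a failed op leaves the original untouched
    for op in body.get("Operations", []):
        name = str(op.get("op", "")).lower()  # accept "Replace" and "replace"
        path = op.get("path", "")
        if name == "replace" and path == "active":
            updated["active"] = _as_bool(op["value"])  # soft delete of a user
        elif name == "add" and path == "members":
            known = {m["value"] for m in updated.setdefault("members", [])}
            for m in op["value"]:
                if m["value"] not in known:  # a repeated cycle adds no duplicates
                    updated["members"].append({"value": m["value"]})
                    known.add(m["value"])
        else:
            raise ValueError(f"unsupported operation: {name} {path}")
    return updated

def handle_patch(headers, resource, body):
    """Return (HTTP status, updated resource); authenticate before parsing."""
    if not is_authorized(headers):
        return 401, None
    try:
        return 200, apply_patch(resource, body)
    except (ValueError, KeyError, TypeError):
        return 400, None
```

Header names are looked up exactly as `Authorization` here; a real web framework usually normalizes header case before this point.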