Entra ID - Configuring SCIM User Provisioning

Learn how to configure SCIM with Microsoft Entra ID to provision users to your Staffbase platform automatically.

In this article, you will learn how to set up SCIM using Microsoft Entra ID (formerly known as Azure Active Directory / Azure AD) as the identity provider.

System for Cross-domain Identity Management (SCIM) allows you to provision users to the Staffbase platform using an identity provider. Learn more.

SCIM is optional for user management. You can choose an option based on your business requirements. Learn more about other options.

Prerequisites

  • The SCIM feature is activated for your organization. If not, contact your Customer Success Manager.
  • You have an Microsoft Entra ID tenant.
  • You have one of the following permissions to configure provisioning in Microsoft Entra ID:
    • Application Administrator
    • Cloud Application Administrator
    • Global Administrator
  • You have the SCIM endpoint URL for your Staffbase platform.
    The URL has the following format: https://<your-domain>/scim
  • You have generated an API token with administrative access via the Staffbase Studio.

Creating an Enterprise Application

You need to create an enterprise application to manage your user provisioning.

Staffbase recommends creating a dedicated application to maintain users for your Staffbase platform. You can use a single enterprise application for both SCIM and SSO for your user management.

  1. In Microsoft Azure, under Azure services, click Microsoft Entra ID.
Microsoft Entra ID Directory
  1. Navigate to Enterprise applications.
  2. Click New application.
  3. Click Create your own application.
    The Create your own application dialog opens.
Create Your Own Application
  1. Provide a name for the application. For example, Staffbase User Provisioning or something similar to help you instantly identify the application.
  2. Select the option Integrate any other application you don't find in the gallery (Non-gallery).
  3. Click Create.
    You have created an application to provision users using SCIM.

Creating the Application Connection

Once you have created the application, you need to establish a connection from Microsoft Entra ID to your Staffbase platform in order to start automatic user accounts provisioning using the application. Learn how application provisioning works in Microsoft Entra ID.

  1. In the enterprise application you created, navigate to Overview.
  2. Under Provision User Accounts, click Get started.
Provision User Accounts

The Provisioning page opens. 3. Click Get started. 4. From the Provisioning Mode dropdown menu, select Automatic.

Automatic
  1. Under Tenant URL, paste your SCIM endpoint URL for your Staffbase platform.
    For example, the URL uses the following format: of https://<your-domain>/scim
  2. Under Secret Token, paste the API token with administrative access.
  3. Click Test Connection.

If the connection does not work, ensure that:

  • the SCIM feature is enabled for your organization.
  • the SCIM endpoint URL is correct.
  • the API token is valid and has administrative access.
  1. Click Save once the connection is successfully created.
    The Mappings and Settings tabs open. You have created automatic provisioning for the application. Now, you need to define the mapping for user provisioning.

Defining the Mapping for User Provisioning

After creating automatic user provisioning, you need to define the mapping for the provisioning by mapping the source attribute to the target attribute. In this, the source attribute is the attribute of the user in Microsoft Entra ID. The target attribute is the attribute of the user that is sent from Microsoft Entra ID to the Staffbase platform.
Learn more about how to customize user provisioning attribute-mappings in Microsoft Entra ID.

For an overview of default attribute mappings, see SCIM Default Attribute Mappings.
In this guide, only a minimum mapping to get you started is shown.
You can create more mappings based on your business needs.

  1. Expand the Mappings section in the enterprise application you created and click Provision Azure Active Directory Users.
Mappings Section
  1. Keep the following source attributes and delete the rest:
    • userPrincipalName
    • Switch([IsSoftDeleted], , "False", "True", "True", "False")
    • mail
    • givenName
    • surname
      After deleting attributes that are not required, the resulting mapping will look like this:
Mappings After Deleting
  1. Click userPrincipalName.
    The Edit Attribute opens.
  2. From the Target Attribute dropdown menu, select externalID.
Target Attribute

You must include the identifier (externalId) as a target attribute, and it should have a Matching precedence of 1 in the mapping.

If you already have existing users in the platform, ensure the identifiers are set and match the set precedence.

Matching Precedence

The Source attribute for the externalId can be different depending on which value externalId should have in your Staffbase platform.

  1. Click OK.
  2. Click Save.

Ensure to save the changes after you add each mapping.

  1. Click mail.
    The Edit Attribute opens.
  2. From the Source Attribute dropdown menu, select userPrincipalName.

You can also select a user field that contains the user's email address value.

Edit Attribute

  1. Click OK.

  2. Click Save.
    The final result will look like this:

Final Mapping

You have created the minimum mapping required to get you started with provisioning users.

Optional: Adding User's Locale

You can optionally add the user's locale to the attribute mapping you have created in the previous section.

  1. Click Add New Mapping.
    The Edit Attribute opens.

  2. From the Source Attribute dropdown menu, select preferredLanguage.

You can also select a different source attribute that contains the user's language. It must be a valid locale code like: en_US or it_IT.
All supported locale codes can be found here.

  1. Optionally, set Default value if null (optional).
  2. From the Target Attribute dropdown menu, select locale.
  3. From the Apply this mapping dropdown menu select Only during object creation to prevent overwriting existing language preferences users may have set upon registration.
Edit preferredLanguage
  1. Click OK.
  2. Click Save.

Assigning Users

After mapping, you can assign users and prepare them for provisioning.
Learn more about how to assign users and groups to an enterprise application in Microsoft Entra ID.

Staffbase recommends starting with on-demand provisioning of a few users to test everything works as expected.

  1. In the enterprise application you created, click Users and groups.
Users and Groups

The Users and groups page opens.

  1. Click Add user/group.
Add User
  1. Click None Selected.
    The Users and groups dialog opens.
  2. Search for the user or group you want to add and click Select.
Search User
  1. Click Assign.
    You have assigned users or groups to the application.

Provisioning Users On-Demand

After assigning users, provision one or two users on-demand to see if it works as expected.
Learn more about on-demand provisioning in Microsoft Entra ID.

  1. In the enterprise application you created, click Provisioning.
    The Provisioning page opens.
  2. Click Provision on demand.
    The Provision on demand page opens.
Provision On Demand
  1. Search and select the user you want to provision.

All users you added to the application can be provisioned.

  1. Click Provision.
Provision

You have provisioned the user to the Staffbase platform.

You can find the provisioned user under the Registered Users section in the Staffbase Studio. If the provisioned user is new, you can find the user under Pending Users.

Test with on-demand provisioning to ensure everything works as expected. You can configure more mappings depending on your business requirements. Learn more about it here. After testing it again, you can configure automatic provisioning.

Provisioning Users Automatically

  1. In the enterprise application you created, click Provisioning.
    The Provisioning page opens.
  2. Click Start provisioning.

Provisioning cycles usually last 40 minutes. Click Refresh to see the provisioning status.
The provisioning logs might take some time to update after provisioning is complete.
Learn more about how long will it take to provision users.

The Microsoft Entra ID provisioning service includes a feature to help avoid accidental deletions. This feature ensures that users aren't disabled or deleted in an application unexpectedly.
Learn more about accidental deletions prevention.

You have automatically provisioned users added to the application.

Deprovisioning Users

The provisioning service supports both deleting and disabling users (sometimes referred to as soft-deleting). A delete indicates that the user has been removed completely from the application. A disable is a request to set the active property to false on a user, thereby deactivating the user in Staffbase.

Learn more about deprovisioning and understand the different scenarios that trigger a disable or a delete.

Provisioning Groups

If you have left the default mapping for groups enabled during your user provisioning, the selected groups will also be made available to the Staffbase platform.

In general, you don't need to customize the mapping for groups itself, except to make sure it is enabled if you want to make groups available in addition to users.

Mappings Section

In the Staffbase platform, the groups will always be a Manual Internal Group.

View of SCIM Group in Staffbase

If you have kept the default mappings, the Identifier of the group is the Object Id of the Microsoft Entra ID group and the group name has the prefix [SCIM] followed by the display name of the Microsoft Entra ID group.

View of SCIM Group in Staffbase
Detail view of SCIM Group in Staffbase

Good to know for group provisiong

Additional Helpful Information