Skip to main content

About SCIM Directory Integration with Microsoft Entra ID

SCIM Directory Integration with Microsoft Entra ID in Iru Endpoint allows you to set up SCIM-based user directory synchronization between Microsoft Entra ID and Iru Endpoint, enabling automatic user and group provisioning and deprovisioning.

How It Works

The SCIM integration creates a secure connection between Microsoft Entra ID and Iru Endpoint, enabling automatic synchronization of user and group data. When users or groups are added, modified, or removed in Microsoft Entra ID, these changes are automatically reflected in Iru Endpoint through the SCIM protocol.

Prerequisites

  • Complete the steps outlined in the SCIM Directory Integration support article to set up a new SCIM user directory in your Iru Endpoint tenant. You will need to obtain the SCIM access token and API URL.
  • Copy and store the token provided outlined in the SCIM Directory Integration article. Once you click Done, the token will not be visible and will be required in a later step.
  • Be sure to review the supported user and group attributes listed in the SCIM Directory Integration.
  • Ensure that nested groups are not included with SCIM as Microsoft does not support this functionality.

Creating the SCIM Integration in Microsoft Entra ID

1

Access Microsoft Entra Admin Center

Sign in to the Microsoft Entra admin center.
2

Navigate to Entra ID

Open the portal menu and then select Entra ID.
3

Access Enterprise Apps

On the Entra ID menu, under select Enterprise apps.
4

View All Applications

In the Manage section, select All applications.
5

Create New Application

Select New application. If you have already created a SAML single sign-on application, you can select that application and add SCIM.
6

Choose Application Type

Select Create your own application.
7

Name the Application

Give the application a name.
8

Select Integration Type

Select Integrate any other application you don’t find in the gallery (Non-gallery).
9

Create Application

Click Create.
10

Access Provisioning

You will be taken to the Overview page for the newly created app. Under Manage, select Provisioning.
11

Create New Configuration

Click New Configuration.
12

Configure SCIM Connection

Paste the Iru Endpoint SCIM API URL that you copied earlier into the Tenant URL field.
13

Add Secret Token

Paste the API token that you copied earlier into the Secret token field.
14

Test Connection

Click Test connection. You should see a successful test notification.
15

Create Configuration

Click Create.
16

Access Provisioning Settings

Click on the Provisioning in the Manage section.
17

Configure Mappings

Expand the Mappings reveal triangle and ensure that both Groups and Users are enabled.
18

Configure Settings

Expand the Settings reveal triangle.
19

Set Scope

For Scope, choose Sync only assigned users and groups.
20

Enable Provisioning

Set the Provisioning Status to On.
21

Save Configuration

Click Save.
22

Close Settings

Click the X in the upper-right corner to close the settings.

Assigning Users and Groups

1

Access Users and Groups

Under Manage, select Users and groups.
2

Add Users and Groups

On the menu, select Add user/group.
3

Select Users and Groups

On the Add Assignment dialog, select the link under Users and groups.
4

Choose from List

A list of users and security groups is displayed. You can search for a specific user or group or select multiple users and groups that appear in the list.
5

Select Assignments

Select the user(s) and group(s) you would like to be assigned.
6

Confirm Selection

Click Select.
7

Complete Assignment

Select Assign to finish assigning users and groups to the app.
8

Verify Assignment

Confirm that the users and groups you added appear in the Users and groups list.
If you see a message indicating that a free tier is being used, it means you can only add users (not groups) to the SCIM Enterprise App.

Considerations

Syncing

User syncing is one-way, meaning the Microsoft Entra ID SCIM app will send user information to Iru Endpoint only when new information is needed.If a user or group is added to the SCIM app in Microsoft Entra ID after the app was created, a sync will happen every 40 minutes (set by Microsoft Entra ID). If you want the sync to happen sooner, you can stop/start the provisioning in the SCIM app on the Microsoft Entra ID. This will not impact existing users/groups in Iru Endpoint.

Removing Users

  • If Entra ID sends sets a use to inactive, the user will be set as inactive in your Iru Endpoint tenant.
  • If Entra ID deletes a user, the user will be deleted from your Iru Endpoint tenant.

Blueprint Conditional Logic

If you use Assignment Map conditional logic with groups, you must explicitly add each group you want to have provisioned in Iru Endpoint to the SCIM app. Groups will not sync automatically by adding users that happen to be members of the group.

Microsoft Device Compliance

If you are using an Entra ID SCIM user directory integration and the Microsoft Device Compliance integration ensure that the user and group attribute mappings for the externalId attribute in your SCIM application map to objectId as listed below. The objectId is used by Iru Endpoint to map user and group resources in Intune.
User AttributeUser Value
externalIdobjectId
Group AttributeGroup Value
externalIdobjectId
Updating User Mappings and Group Mappings
1

Access SCIM Application

Navigate to the SCIM enterprise application in the Microsoft Entra admin center.
2

Open Provisioning

Select Provisioning.
3

Access Attribute Mapping

Select the Attribute mapping (Preview) section.
4

Choose User or Group Mapping

If you are updating user attributes, click on Provision Microsoft Entra ID Users. If you are updating group attributes, click on Provision Microsoft Entra ID Groups.
5

Verify External ID Mapping

Verify that externalId is mapped to objectId.
6

Update Mapping if Needed

If it is not, click the Edit button to the right of the attribute and select objectId from the list.
7

Save Changes

Click Save.
8

Return to Overview

Click the X to go back.
9

Restart Provisioning

Once back on the Provisioning overview page, if any values were changed, you need to push the updated values to Iru Endpoint immediately by stopping and then starting the provisioning service.
10

Pause Provisioning

Click the Pause provisioning button.
11

Start Provisioning

Click the Start provisioning button.