Provision users and groups from Microsoft Entra ID to IDaaS
This procedure describes how to configure Microsoft Entra ID (formerly Azure AD) as a SCIM 2.0 client to provision users and groups FROM Entra to Entrust Identity as a Service. When configured, user and group changes in Microsoft Entra ID automatically synchronize to IDaaS approximately every 40 minutes.
If you want to use Microsoft Entra ID for both single sign-on (SSO) and user provisioning, see Integrate Microsoft Entra ID as an Identity Provider to configure SSO first, then return to this guide to add SCIM provisioning.
Step 1: Create an Administration API in IDaaS
Before Microsoft Entra ID can provision users to IDaaS, you need to create an Administration API application in IDaaS with the SCIM Provisioning role and generate a long-lived token for authentication.
- Open a Web browser and sign in to IDaaS.
- Click > Security > Applications. The Applications List page appears.
- Click Add. The Select an Application Template page appears.
- Select Identity as a Service Integrations from the search drop-down list.
- Click Administration API. The Add Administration API page appears.
- Enter an Application Name (for example, "Microsoft Entra SCIM Provisioning").
- Enter an Application Description (optional).
- In the Select Role drop-down list, select SCIM Provisioning.
  Note: The SCIM Provisioning role grants the minimum permissions required for inbound provisioning. Do not select Super Administrator or other elevated roles unless required.
- If required, select an IP List to restrict access to specific IP addresses.
- Select Enable this application to use a long-lived token for authentication.
- Click Save. The Administration API Application dialog box appears with the credentials.
- Open a text editor (such as Notepad) and copy the Long-lived Token value. This is your Secret Token for Microsoft Entra ID.
- Click OK to close the dialog box.
- Make note of your IDaaS SCIM endpoint URL and add it to your text file.
  Note: The IDaaS SCIM endpoint follows this format: https://{tenant}.{region}.trustedauth.com/api/web/scim/v2
  Example: https://mycompany.us.trustedauth.com/api/web/scim/v2
- Keep this text file open. You will need these values in Step 3.
For more information about Administration API applications, see Integrate Administration API.
Step 2: Create a SCIM application in Microsoft Entra
- Sign in to the Microsoft Entra admin center.
- In the left navigation, click Identity > Applications > Enterprise applications. The All applications page appears.
- Click + New application. The Browse Microsoft Entra Gallery page appears.
- Click + Create your own application. The Create your own application pane appears.
- In the What's the name of your app? field, enter a name (for example, "Entrust IDaaS SCIM Provisioning").
- Select Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create. The application is created and the overview page appears.
Step 3: Configure provisioning in Microsoft Entra
- In the Microsoft Entra application you created in Step 2, click Provisioning in the left navigation.
- Click Get started. The Provisioning configuration page appears.
- In the Provisioning Mode drop-down list, select Automatic.
- In the Tenant URL field, enter the IDaaS SCIM endpoint URL you saved in Step 1: https://{tenant}.{region}.trustedauth.com/api/web/scim/v2
- In the Secret Token field, paste the Long-lived Token you saved in Step 1.
- Click Test Connection to verify that Microsoft Entra ID can connect to IDaaS. A success message appears if the connection is valid.
  Warning: If the test connection fails, verify that the Tenant URL and Secret Token are correct and that the Administration API application is enabled in IDaaS.
- Click Save. The provisioning configuration is saved.
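If Test Connection fails, it helps to check the two values from Step 1 outside the Entra portal first. The following is an added example, not Entrust or Microsoft code: it validates the Tenant URL against the format given in Step 1 and sends the same kind of request a SCIM 2.0 client makes (GET {Tenant URL}/Users with the long-lived token as a Bearer token, per RFC 7644), then checks that the reply is a SCIM ListResponse. The exact IDaaS response body is not documented on this page, so the checks rely only on the standard ListResponse schema; the transport is injectable so the logic can be exercised offline with the constructed stand-in response below.

```python
"""Pre-flight check of an IDaaS SCIM endpoint and long-lived token (added example)."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Tenant URL format from Step 1: https://{tenant}.{region}.trustedauth.com/api/web/scim/v2
TENANT_URL_PATTERN = re.compile(
    r"^https://[a-z0-9-]+\.[a-z0-9-]+\.trustedauth\.com/api/web/scim/v2$"
)
LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

Transport = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def validate_tenant_url(tenant_url: str) -> Tuple[bool, str]:
    """Catch the usual copy/paste mistakes before any request is sent."""
    if tenant_url.endswith("/"):
        return False, "Tenant URL must not end with a trailing slash"
    if not tenant_url.startswith("https://"):
        return False, "Tenant URL must use https"
    if not TENANT_URL_PATTERN.match(tenant_url):
        return False, ("Tenant URL does not match "
                       "https://{tenant}.{region}.trustedauth.com/api/web/scim/v2")
    return True, "ok"


def http_get(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Default transport: one HTTPS GET via urllib, returning (status, body)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def check_scim_connection(tenant_url: str, secret_token: str,
                          transport: Transport = http_get) -> Tuple[bool, str]:
    """GET {tenant_url}/Users?count=1 with the long-lived token; return (ok, reason)."""
    ok, reason = validate_tenant_url(tenant_url)
    if not ok:
        return False, reason
    if not secret_token.strip():
        return False, "Secret Token is empty"
    headers = {
        "Authorization": f"Bearer {secret_token}",
        "Accept": "application/scim+json",
    }
    status, body = transport(f"{tenant_url}/Users?count=1", headers)
    if status in (401, 403):
        return False, f"HTTP {status}: token rejected (rotated, revoked, or wrong role?)"
    if status != 200:
        return False, f"HTTP {status}: unexpected response"
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "response body is not JSON"
    if not isinstance(doc, dict) or LIST_RESPONSE_SCHEMA not in doc.get("schemas", []):
        return False, "response is not a SCIM 2.0 ListResponse"
    return True, f"ok: {doc.get('totalResults', '?')} user(s) visible to this token"


# Constructed stand-in for a healthy endpoint (not real IDaaS output); used offline.
CONSTRUCTED_TOKEN = "constructed-long-lived-token"


def fake_transport(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Answers like a SCIM server would: 401 for a bad token, a ListResponse otherwise."""
    if headers.get("Authorization") != f"Bearer {CONSTRUCTED_TOKEN}":
        return 401, b'{"detail": "unauthorized"}'
    payload = {"schemas": [LIST_RESPONSE_SCHEMA], "totalResults": 3, "Resources": []}
    return 200, json.dumps(payload).encode()


if __name__ == "__main__":
    url = "https://mycompany.us.trustedauth.com/api/web/scim/v2"
    # Offline demonstration; replace fake_transport with the default to test a real tenant.
    print(check_scim_connection(url, CONSTRUCTED_TOKEN, fake_transport))
    print(check_scim_connection(url, "stale-token", fake_transport))
    print(check_scim_connection(url + "/", CONSTRUCTED_TOKEN, fake_transport))
```

Run it with the default transport (omit the third argument) against your own tenant to confirm the token and URL before pasting them into Entra; a 401 or 403 points at the token or the SCIM Provisioning role, while a URL validation failure points at the Tenant URL field.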
Step 4: Configure user attribute mappings
Microsoft Entra ID provisions users to IDaaS by mapping Entra user attributes to SCIM attributes. Review and customize the default attribute mappings as needed.
- In the Provisioning page, expand Mappings.
- Click Provision Microsoft Entra ID Users. The Attribute Mapping page appears.
- Review the attribute mappings. The following table shows the recommended mappings:

| Entra Attribute | IDaaS SCIM Attribute | Required |
|---|---|---|
| userPrincipalName | userName | Yes |
| Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | Yes |
| mail | emails[type eq "work"].value | No |
| givenName | name.givenName | No |
| surname | name.familyName | No |
| displayName | displayName | No |

  Note: The active attribute mapping uses a Switch expression to invert the IsSoftDeleted value because Microsoft Entra uses IsSoftDeleted=True for disabled users, while SCIM uses active=False.
- To add or edit an attribute mapping:
  - Click Add New Mapping or click an existing mapping to edit it.
  - Configure the Source attribute, Target attribute, and Matching precedence as needed.
  - Click OK to save the mapping.
- Click Save to save all attribute mappings.
Step 5: Configure group provisioning (optional)
If you want to provision Entra security groups to IDaaS along with their memberships, enable group provisioning.
- In the Provisioning page, expand Mappings.
- Click Provision Microsoft Entra ID Groups. The Attribute Mapping page appears.
- Review the Target Object Actions. Ensure that Create, Update, and Delete are enabled.
- Review the attribute mappings. The following table shows the recommended mappings:

| Entra Attribute | IDaaS SCIM Attribute | Required |
|---|---|---|
| displayName | displayName | Yes |
| objectId | externalId | Yes |
| members | members | Yes |

- Click Save to save the group mappings.

Note: Group membership changes are synchronized automatically during provisioning cycles. When a user is added to or removed from a group in Microsoft Entra ID, the change is reflected in IDaaS within approximately 40 minutes.
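To see what the recommended mappings in Step 4 and Step 5 actually produce on the wire, the following added example (not Entrust or Microsoft code) re-implements both mapping tables in plain Python and builds the SCIM User and Group resources that Entra would send to IDaaS. It includes the Switch() inversion of IsSoftDeleted, omits optional attributes that are empty in Entra, and refuses to build a user when a required attribute (userName or active) cannot be produced, which is the "Attribute mapping errors" case in the troubleshooting table. The Entra objects, object IDs and the objectId-to-SCIM-id lookup are constructed for this example; the Switch() helper reproduces the expression's documented semantics (default value, then key/value pairs) and is not Microsoft's implementation.

```python
"""Entra -> SCIM attribute mappings from Step 4 and Step 5, worked in Python (added example)."""
import json
from typing import Any, Dict, List, Tuple

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"


def switch(value: Any, default: Any, *pairs: Any) -> Any:
    """Entra's Switch(source, default, key1, value1, key2, value2, ...) expression:
    return the value paired with the first matching key, otherwise the default."""
    if len(pairs) % 2:
        raise ValueError("Switch needs key/value pairs")
    for key, result in zip(pairs[0::2], pairs[1::2]):
        if value == key:
            return result
    return default


def entra_user_to_scim(user: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the Step 4 user mappings; raise ValueError if a required target is missing."""
    upn = user.get("userPrincipalName")
    if not upn:
        raise ValueError("userPrincipalName is empty: userName is a required SCIM attribute")

    # active = Switch([IsSoftDeleted], , "False", "True", "True", "False")
    # The comparison is on the string form, so a boolean True from Entra becomes "True".
    active = switch(str(user.get("IsSoftDeleted", "")), "", "False", "True", "True", "False")
    if active == "":
        # Assumption for this example: an unresolvable value is a mapping error, since active is required.
        raise ValueError("IsSoftDeleted is missing or unrecognised: active is a required SCIM attribute")

    scim: Dict[str, Any] = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": upn,
        "active": active == "True",
    }
    # Optional mappings are only emitted when Entra has a value.
    if user.get("mail"):
        scim["emails"] = [{"type": "work", "value": user["mail"]}]
    name: Dict[str, str] = {}
    if user.get("givenName"):
        name["givenName"] = user["givenName"]
    if user.get("surname"):
        name["familyName"] = user["surname"]
    if name:
        scim["name"] = name
    if user.get("displayName"):
        scim["displayName"] = user["displayName"]
    return scim


def entra_group_to_scim(group: Dict[str, Any],
                        scim_id_by_object_id: Dict[str, str]) -> Tuple[Dict[str, Any], List[str]]:
    """Apply the Step 5 group mappings.

    scim_id_by_object_id maps an Entra objectId to the IDaaS SCIM id of an already provisioned
    user (an assumed lookup standing in for Entra's own resolution). Members with no IDaaS id
    are returned separately so they are not silently dropped from the group."""
    for attr in ("displayName", "objectId"):
        if not group.get(attr):
            raise ValueError(f"{attr} is empty: it maps to a required SCIM group attribute")
    members: List[Dict[str, str]] = []
    unresolved: List[str] = []
    for object_id in group.get("members", []):
        scim_id = scim_id_by_object_id.get(object_id)
        if scim_id is None:
            unresolved.append(object_id)
        else:
            members.append({"value": scim_id})
    scim = {
        "schemas": [SCIM_GROUP_SCHEMA],
        "displayName": group["displayName"],
        "externalId": group["objectId"],
        "members": members,
    }
    return scim, unresolved


# Constructed sample Entra objects (not real tenant data).
ALICE = {"objectId": "aaaaaaaa-0000-0000-0000-000000000001", "userPrincipalName": "alice@example.com",
         "IsSoftDeleted": False, "mail": "alice@example.com", "givenName": "Alice",
         "surname": "Liddell", "displayName": "Alice Liddell"}
BOB = {"objectId": "aaaaaaaa-0000-0000-0000-000000000002", "userPrincipalName": "bob@example.com",
       "IsSoftDeleted": True, "givenName": "Bob"}  # disabled in Entra, no mail or surname
GROUP = {"objectId": "bbbbbbbb-0000-0000-0000-000000000001", "displayName": "IDaaS Users",
         "members": [ALICE["objectId"], BOB["objectId"], "cccccccc-0000-0000-0000-000000000009"]}
# Assumed objectId -> IDaaS SCIM id lookup for users provisioned in an earlier cycle.
PROVISIONED_IDS = {ALICE["objectId"]: "idaas-user-1", BOB["objectId"]: "idaas-user-2"}

if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(json.dumps(entra_user_to_scim(user), indent=2))
    group_scim, missing = entra_group_to_scim(GROUP, PROVISIONED_IDS)
    print(json.dumps(group_scim, indent=2))
    print("members not yet provisioned:", missing)
```

The third group member has no IDaaS id in the lookup, which mirrors what happens when a group is synchronized before all of its members have been provisioned: the membership only becomes complete after a later cycle picks the user up.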
Step 6: Assign users and groups, then start provisioning
Before Microsoft Entra ID can provision users, you must assign the users or groups to the application.
- In the Microsoft Entra application, click Users and groups in the left navigation.
- Click + Add user/group. The Add Assignment pane appears.
- Click Users and groups. The Users and groups selection pane appears.
- Select the users and/or groups you want to provision to IDaaS.
- Click Select.
- Click Assign. The users and groups are assigned to the application.
- Return to the Provisioning page.
- To test provisioning for a single user before starting the full sync:
  - Click Provision on demand in the top menu.
  - Select a user to test.
  - Click Provision. Microsoft Entra ID performs a test provisioning operation and displays the results.
- To start the provisioning cycle:
  - In the Provisioning page, click Start provisioning in the top menu.
  - The initial provisioning cycle begins. This can take several minutes to several hours depending on the number of users and groups.

Info: After the initial provisioning cycle completes, Microsoft Entra ID performs incremental synchronization cycles approximately every 40 minutes. Only changed users and groups are synchronized during incremental cycles.
Step 7: Monitor provisioning and troubleshoot issues
- To view provisioning activity and logs in Microsoft Entra:
  - In the Microsoft Entra application, click Provisioning in the left navigation.
  - Review the Current cycle status and Provisioning statistics.
  - Click View provisioning logs to see detailed logs of all provisioning operations.
- To view provisioning activity in IDaaS:
  - In IDaaS, click > System > Audit Logs. The Audit Logs page appears.
  - Filter the logs by SCIM or Provisioning to see inbound provisioning events.
  - Review the logs for any errors or warnings.
For more information, see View and export audit logs.
Common issues and solutions
| Issue | Cause | Solution |
|---|---|---|
| Test connection fails | Invalid SCIM endpoint URL or token | Verify the Tenant URL and Secret Token match the values from Step 1. Ensure the Administration API application is enabled. |
| Users not provisioning | Users not assigned to the application | Assign users or groups to the application in Step 6. |
| Attribute mapping errors | Required SCIM attributes missing | Review the attribute mappings in Step 4. Ensure userName and active are mapped correctly. |
| Token expired | Long-lived token has been rotated or revoked | Generate a new long-lived token in IDaaS and update the Secret Token in Microsoft Entra provisioning settings. |
| Groups not provisioning | Group provisioning not enabled | Enable group provisioning in Step 5 and ensure groups are assigned to the application. |
| Provisioning cycle delays | Sync cycle timing | Microsoft Entra ID performs incremental cycles approximately every 40 minutes. Changes may not appear immediately. |