Active Directory SCIM - Can you sync Active Directory users and groups with SCIM?

Learn how to sync Active Directory users to any SaaS app using the SCIM protocol.


SCIM - or the System for Cross-Domain Identity Management  - serves as an open standard for provisioning users across systems and exchanging identity data. It's designed to simplify and automate the transfer of user identity data across varied identity domains and IT systems.

Microsoft Entra, formerly known as Azure Active Directory, uses SCIM to synchronize user profiles and attributes across service providers, triggering updates or user removals in response to changes in user status or roles.

Thanks to SCIM, users on Microsoft Entra can easily be synced across HR systems, other Microsoft systems (like MS Dynamics 365 Human Resources) and any third-party app or service used by a company.

In this article, we’ll explain how SCIM syncing works for active directories, how a company can enable this on their Microsoft Entra, and - if you’re a company selling software - how you can connect your own app to your customer’s active directory.

Note: Microsoft Entra ID was formerly known as Azure Active Directory. These concepts can also refer to Windows Server Active Directory. For the purposes of this article, we’ll use the term “active directory” to refer to any of these systems, unless otherwise specified.

What is the Microsoft Entra Provisioning Service?

Microsoft Entra Provisioning service allows a company using Microsoft Entra/Active Directory to programmatically provision, deprovision and update accounts on cloud-based SaaS apps or other platforms, by connecting their Entra instance to a vendor’s SCIM-based endpoint.

SCIM is an open, RESTful protocol used for the standardized exchange of provisioning requests and identity information. Exposing two endpoints (/Users and /Groups), SCIM allows service providers and identity providers to easily sync a list of user accounts, related profile information and authorization data - in other words, who can access what.

Does Microsoft Entra (Azure AD) Support User and Group Syncing with SCIM?

Yes.

When a company using Entra begins to work with a new vendor, they’ll configure their Entra instance to work with that vendor’s SCIM endpoint. They’ll work with the vendor to complete an “attribute mapping” exercise, which is when they match up fields on either side. For example, a vendor might be using “first_name”, while Entra is using “givenName”.

If you’re a software vendor, you can make this process much easier by submitting your product to the Microsoft Entra App Gallery.

Functioning somewhat like an app store for enterprise companies, this allows you to build a SCIM provisioning integration to support Entra once, which subsequent future customers you onboard can then directly connect to without another onboarding process.

You can read more about how app provisioning works in Entra from Microsoft directly.

How can vendors support SCIM syncing with Azure Active Directory/Microsoft Entra?

If you’re a startup looking to enable user provisioning and syncing between your app and your enterprise clients’ Entra instance, you’ll need to design a SCIM endpoint to handle provisioning requests.

Ultimately, as the vendor, the onus is on you to get this right. Entra generates generic SCIM provisioning requests in a standardized format, but exactly how you receive and process these requests to create users in your app is up to you. Remember, your endpoint will likely serve multiple customers with multiple instances of Entra over its lifetime.

Here are a few recommendations for implementing a SCIM endpoint for Entra:

  • Design and build a SCIM endpoint - but don’t reinvent the wheel: The bad thing about SCIM is that it’s an exacting standard with little room for flexibility, but the great thing about SCIM is that it’s an exacting standard with little room for flexibility! The easiest way to implement SCIM is to follow the open standard as closely as possible.

    That means using the core attributes in the RFC exactly as given, using the right methods (e.g. use PATCH properly, don’t just push it all through a POST request) and avoiding the use of custom attributes unless absolutely necessary.
  • Get your app onto the Entra App Gallery: Entra’s App Gallery feature allows your app to be “pre-integrated” with Entra, meaning your future customers can one-click enable Single Sign-On (SSO) and automate user provisioning with SCIM. While this isn’t necessarily a method of discovery like a traditional “app store”, it does allow your customers to skip the painful, often lengthy onboarding process with your app.
  • Stress test and look at edge cases: Any code that goes wrong is always a nightmare for a developer, but SCIM code going wrong is a particularly dangerous security issue and is often hard to detect. It’s not difficult to end up in a situation where a user account is believed by both you and your customer’s IdP to have been deleted, but the account actually still exists with full access because of a dropped HTTP request or a race condition in a poorly implemented endpoint.

    To simulate normal SCIM usage, make sure your endpoint can handle bursty, bulk provisioning requests and multiple contradictory provisioning and deprovisioning requests for the same user in quick succession.
  • Keep reusability in mind: If you’ve already got a few enterprise clients, you’ll know that there are a variety of different IdPs you’ll need to support. SCIM is widely used across almost all identity providers. While a SCIM endpoint is easy enough to build for Entra, different IdPs will use slightly varying implementations of the SCIM protocol, which can quickly compound the complexity.

    Make sure your endpoint can account for small variations in attributes and large variations in how each IdP handles groups.
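The recommendations above, in working form: use PATCH as RFC 7644 defines it, answer the existence lookup Entra performs before creating a user, refuse duplicate accounts, and make deprovisioning safe against retried or out-of-order requests so a "deleted" user can never come back with full access. This is an added example, not code from WorkOS or Microsoft. It assumes an in-memory dictionary standing in for the app's database, requests that arrive already authenticated as (method, path, query, body) tuples, and a per-user lock to serialise bursts of contradictory requests for the same account; the tolerance for capitalised op names and stringified booleans is defensive normalisation for the IdP variation the last bullet describes, not a statement about what any particular IdP sends.

```python
# Added example (not WorkOS or Microsoft code): a minimal SCIM 2.0 /Users
# handler of the kind a vendor would expose to Entra.  Assumptions: an
# in-memory dict stands in for the app database, and requests arrive already
# authenticated as (method, path, query, body) tuples.
import re
import threading
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
MUTABLE = ("userName", "externalId", "displayName")

_users = {}                     # id -> SCIM user resource
_locks = {}                     # id -> per-user lock (serialises bursts on one user)
_store_lock = threading.Lock()  # guards membership of _users and _locks
FILTER_RE = re.compile(r'^(\w+)\s+eq\s+"([^"]*)"$')

def _error(status, detail):
    return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}

def _user_lock(user_id):
    with _store_lock:
        return _locks.setdefault(user_id, threading.Lock())

def _to_bool(value):
    # RFC clients send JSON true/false; also accept "True"/"False" strings so a
    # stringified value can never leave an account enabled by accident.
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError("not a boolean: %r" % (value,))

def list_users(query):
    """GET /Users?filter=userName eq "x": the IdP looks a user up before creating one."""
    flt = query.get("filter")
    matches = list(_users.values())
    if flt:
        m = FILTER_RE.match(flt)
        if not m:
            return _error(400, "unsupported filter")
        attr, val = m.groups()
        matches = [u for u in matches if str(u.get(attr, "")).lower() == val.lower()]
    return 200, {"schemas": [SCIM_LIST], "totalResults": len(matches), "Resources": matches}

def create_user(body):
    """POST /Users: 409 on a duplicate userName rather than a second account."""
    user_name = body.get("userName")
    if not user_name:
        return _error(400, "userName is required")
    active = _to_bool(body.get("active", True))
    with _store_lock:
        if any(u["userName"].lower() == user_name.lower() for u in _users.values()):
            return _error(409, "userName already exists")
        user_id = str(uuid.uuid4())
        _users[user_id] = {"schemas": [SCIM_USER], "id": user_id, "userName": user_name,
                           "externalId": body.get("externalId"), "active": active}
        return 201, _users[user_id]

def patch_user(user_id, body):
    """PATCH /Users/{id}: apply RFC 7644 PatchOp operations atomically per user."""
    if SCIM_PATCH not in body.get("schemas", []):
        return _error(400, "missing PatchOp schema")
    with _user_lock(user_id):
        if user_id not in _users:
            return _error(404, "user not found")  # a late PATCH must not resurrect a deleted user
        working = dict(_users[user_id])           # stage changes; commit only if every op is valid
        for op in body.get("Operations", []):
            name = str(op.get("op", "")).lower()  # tolerate "Replace" as well as "replace"
            if name not in ("replace", "add"):
                return _error(400, "unsupported op: %s" % name)
            # Without a path, the value is an object of attribute/value pairs (RFC 7644 3.5.2).
            changes = op.get("value") if op.get("path") is None else {op["path"]: op.get("value")}
            if not isinstance(changes, dict):
                return _error(400, "value must be an object when no path is given")
            for attr, val in changes.items():
                if attr == "active":
                    working["active"] = _to_bool(val)
                elif attr in MUTABLE:
                    working[attr] = val
                else:
                    return _error(400, "unsupported attribute: %s" % attr)
        _users[user_id] = working
        return 200, working

def delete_user(user_id):
    """DELETE /Users/{id}: 204 the first time, 404 on a retry (safe to replay)."""
    with _user_lock(user_id):
        if _users.pop(user_id, None) is None:
            return _error(404, "user not found")
        return 204, None

def handle(method, path, query=None, body=None):
    """Dispatch one request; returns (http_status, json_body)."""
    m = re.match(r"^/Users(?:/([^/]+))?$", path)
    if not m:
        return _error(404, "unknown resource")
    user_id, query, body = m.group(1), query or {}, body or {}
    try:
        if method == "GET" and user_id is None:
            return list_users(query)
        if method == "GET" and user_id:
            return (200, _users[user_id]) if user_id in _users else _error(404, "user not found")
        if method == "POST" and user_id is None:
            return create_user(body)
        if method == "PATCH" and user_id:
            return patch_user(user_id, body)
        if method == "DELETE" and user_id:
            return delete_user(user_id)
    except ValueError as exc:                     # bad boolean etc. -> 400, nothing committed
        return _error(400, str(exc))
    return _error(405, "method not allowed")
```

The two properties worth copying into a real implementation are the staged PATCH (a single bad operation fails the whole request with 400 and leaves the stored user untouched) and the 404 on any mutation of a deleted id, which together mean a retried or reordered request can only ever leave an account disabled or absent, never silently enabled.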

Consider using a SCIM provider instead

If supporting SCIM for Microsoft Entra feels like an insurmountable challenge, you’ll be glad to know there are done-for-you products you can use instead.

Directory Sync by WorkOS allows you to quickly enable SCIM provisioning from Entra and all other major corporate identity providers with a straightforward, API-based integration.

  • Get started fast: With SDKs for every popular platform and Slack-based support, you can implement Directory Sync in minutes rather than weeks.
  • Events-based processing: While webhooks are also supported, WorkOS’ Events API means every SCIM request is processed in order, and in real-time. You’ll never miss a provisioning request again.
  • Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard - whether they’re syncing 10 or 10,000 users with your app.

Explore Directory Sync by WorkOS.
