Active Directory SCIM - Can you sync Active Directory users and groups with SCIM?
Learn how to implement Active Directory SCIM syncing for users and groups of any SaaS app. There’s also a done-for-you alternative that can help.
Are you building an app that integrates with enterprise systems? Syncing Active Directory users and groups with SCIM could be the feature that wins over your next big customer.
Microsoft Entra, formerly Azure Active Directory, uses SCIM to synchronize user profiles and attributes across service providers. Whether syncing with HR tools, other Microsoft services like Dynamics 365 Human Resources, or third-party apps, Microsoft Entra ID ensures changes — like promotions, departures, or new hires — are instantly reflected across your ecosystem.
In this article, we’ll break down:
- How Active Directory SCIM syncing works
- Steps to enable SCIM in Microsoft Entra
- How to connect your app to your customers’ Active Directory
Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based service distinct from Windows Server Active Directory. This article focuses on Microsoft Entra ID.
What is the Microsoft Entra provisioning service?
Microsoft Entra Provisioning service allows a company using Microsoft Entra/Active Directory to programmatically provision, deprovision, and update accounts on cloud-based SaaS apps or other platforms by connecting their Entra instance to a vendor’s SCIM-based endpoint.
SCIM is an open, RESTful protocol used for the standardized exchange of provisioning requests and identity information.
SCIM’s core endpoints include /Users and /Groups, but it also allows for extensions and additional endpoints for custom resources.
SCIM allows service providers and identity providers to easily sync a list of user accounts, related profile information, and authorization data — in other words, who can access what.
Read more: SCIM vs. LDAP: Key differences + Which to use
Does Microsoft Entra (Azure AD) support user and group synchronization with SCIM?
Yes.
When a company using Entra begins to work with a new vendor, they’ll configure their Entra instance to work with that vendor’s SCIM endpoint. They’ll work with the vendor to complete an “attribute mapping” exercise, which is when they match up fields on either side. For example, a vendor might use “first_name”, while Entra is using “givenName”.
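The attribute-mapping exercise described above, as an added example that is not part of the original article or any WorkOS code: a Python mapping layer between the SCIM 2.0 core User resource (RFC 7643) that a provisioning service such as Entra sends and an app's own user model. SCIM carries the given name as `name.givenName`, so this is where a vendor's `first_name` gets matched up. The `AppUser` field names, the `/scim/v2/Users/{id}` location and the sample payload are this example's own assumptions.

```python
from dataclasses import dataclass, asdict
from typing import Optional

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


@dataclass
class AppUser:
    """The app's own user record; these field names are this example's assumption."""
    external_id: str
    username: str
    email: str
    first_name: str = ""
    last_name: str = ""
    active: bool = True
    department: Optional[str] = None


def _primary_email(emails: list) -> str:
    # Prefer the entry flagged primary; fall back to the first one listed.
    for entry in emails:
        if entry.get("primary"):
            return entry.get("value", "")
    return emails[0].get("value", "") if emails else ""


def scim_to_app(resource: dict) -> AppUser:
    """Map an inbound SCIM User (the POST /Users payload) onto the app model.
    Raises ValueError for payloads a real endpoint should reject with HTTP 400."""
    if CORE_USER not in resource.get("schemas", []):
        raise ValueError("payload does not declare the core User schema")
    username = resource.get("userName")
    if not username:
        raise ValueError("userName is required")
    name = resource.get("name") or {}
    enterprise = resource.get(ENTERPRISE_USER) or {}
    active = resource.get("active", True)
    if isinstance(active, str):  # tolerate "True"/"False" strings defensively
        active = active.lower() == "true"
    return AppUser(
        external_id=resource.get("externalId", ""),
        username=username,
        email=_primary_email(resource.get("emails", [])) or username,
        first_name=name.get("givenName", ""),   # SCIM name.givenName -> app first_name
        last_name=name.get("familyName", ""),   # SCIM name.familyName -> app last_name
        active=bool(active),
        department=enterprise.get("department"),
    )


def app_to_scim(user_id: str, user: AppUser) -> dict:
    """Serialise the app model back out as a SCIM User for GET /Users/{id}."""
    return {
        "schemas": [CORE_USER, ENTERPRISE_USER],
        "id": user_id,
        "externalId": user.external_id,
        "userName": user.username,
        "name": {"givenName": user.first_name, "familyName": user.last_name},
        "emails": [{"value": user.email, "type": "work", "primary": True}],
        "active": user.active,
        ENTERPRISE_USER: {"department": user.department},
        "meta": {"resourceType": "User", "location": f"/scim/v2/Users/{user_id}"},
    }


# Constructed sample payload shaped like a provisioning POST from the IdP.
SAMPLE_USER = {
    "schemas": [CORE_USER, ENTERPRISE_USER],
    "externalId": "example-external-id-0001",
    "userName": "ada@example.com",
    "name": {"givenName": "Ada", "familyName": "Lovelace"},
    "emails": [{"value": "ada.l@example.com", "type": "home"},
               {"value": "ada@example.com", "type": "work", "primary": True}],
    "active": "True",
    ENTERPRISE_USER: {"department": "Engineering"},
}

if __name__ == "__main__":
    user = scim_to_app(SAMPLE_USER)
    print(asdict(user))
    print(app_to_scim("42", user))
```

Keeping the mapping in one place, and round-tripping through it for both inbound writes and outbound reads, is what makes the "slight variations in attributes" between IdPs manageable later: a second IdP that sends a different extension or email layout changes this module and nothing else.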
If you’re a software vendor, you can make this process much easier by submitting your product to the Microsoft Entra App Gallery.
Functioning somewhat like an app store for enterprise companies, this allows you to build a SCIM provisioning integration for Entra once, which future customers can then connect to directly without a separate onboarding process.
You can read directly from Microsoft about how app provisioning works in Entra.
If migrating to Microsoft Entra doesn't fit your plans, a third-party tool such as SCIM for ADFS can link your ADFS setup with the SCIM-compatible apps you use.
How can vendors support Microsoft Entra/Azure Active Directory SCIM syncing?
Suppose you’re a startup looking to enable user provisioning and syncing between your app and your enterprise clients’ Entra instance. In that case, you must design a SCIM endpoint to handle provisioning requests.
Ultimately, as the vendor, you are responsible for getting this right. Entra generates generic SCIM provisioning requests in a standardized format, but you are responsible for exactly how you receive and process these requests to create users in your app. Remember, your endpoint will likely serve multiple customers with multiple instances of Entra over its lifetime.
Here are a few recommendations for implementing a SCIM endpoint for Entra:
- Design and build a SCIM endpoint — but don’t reinvent the wheel: The bad thing about SCIM is that it’s an exacting standard with little room for flexibility, but the great thing about SCIM is that it’s an exacting standard with little room for flexibility! The easiest way to implement SCIM is to follow the open standard as closely as possible.
That means using the core attributes exactly as the RFC defines them, using the right HTTP methods (e.g., handle PATCH properly rather than pushing every change through a POST request), and avoiding custom attributes unless they are truly necessary.
- Get your app onto the Entra App Gallery: Entra’s App Gallery feature allows your app to be “pre-integrated” with Entra, meaning your future customers can one-click enable Single Sign-On (SSO) and automate user provisioning with SCIM. While this isn’t necessarily a method of discovery like a traditional “app store,” it does allow your customers to skip the painful, often lengthy onboarding process with your app.
- Stress test and look at edge cases: Any code that goes wrong is a nightmare for a developer, but when SCIM code goes wrong it becomes a hazardous security issue that is often hard to detect. It's not difficult to end up in a situation where both you and your customer's IdP believe a user account has been deleted, while the account actually still exists with full access because of a dropped HTTP request or a race condition in a poorly implemented endpoint.
When you simulate normal SCIM usage, make sure your endpoint can handle bursty, bulk provisioning requests and multiple contradictory provisioning and deprovisioning requests for the same user in quick succession.
- Keep reusability in mind: If you’ve already got a few enterprise clients, you’ll know that there are various IdPs you’ll need to support. SCIM is widely used across almost all identity providers. While a SCIM endpoint is easy enough to build for Entra, different IdPs will use slightly varying implementations of the SCIM protocol, which can quickly compound the complexity.
Ensure your endpoint can account for slight variations in attributes and significant variations in how each IdP handles groups.
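The recommendations above, as an added example that is not part of the original article or any WorkOS code: a minimal in-memory SCIM 2.0 /Users handler in Python. It applies PATCH as an RFC 7644 PatchOp message instead of overwriting through POST, answers a duplicate create (the shape a retried POST takes after its first response was dropped) with 409 and scimType "uniqueness", uses the resource version as a weak ETag so a stale request carrying an old If-Match is refused with 412 rather than silently reactivating an account, and serialises all mutations under one lock so a burst of contradictory requests cannot interleave. Accepting capitalised op names and "True"/"False" strings is defensive handling for the IdP variations the section mentions, not a statement about any particular IdP. The class, method and store layout are this example's own assumptions; only top-level attribute paths are handled, and nested or filtered paths are left out.

```python
import threading
import uuid
from typing import Optional, Tuple

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status: int, detail: str, scim_type: Optional[str] = None) -> Tuple[int, dict]:
    """RFC 7644 error body returned alongside a 4xx status."""
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


def _as_bool(value) -> bool:
    # Defensive: accept "True"/"False" strings as well as JSON booleans.
    return value.strip().lower() == "true" if isinstance(value, str) else bool(value)


class UserStore:
    """In-memory /Users store; a single lock serialises every mutation."""

    def __init__(self):
        self._users = {}        # id -> SCIM User resource
        self._by_username = {}  # lower-cased userName -> id (userName is unique in SCIM)
        self._lock = threading.Lock()

    def post_user(self, body: dict) -> Tuple[int, dict]:
        username = (body.get("userName") or "").strip()
        if not username:
            return scim_error(400, "userName is required", "invalidValue")
        with self._lock:
            if username.lower() in self._by_username:
                # A retried POST after a dropped response lands here, not in a second account.
                return scim_error(409, "userName already exists", "uniqueness")
            uid = str(uuid.uuid4())
            resource = dict(body, id=uid, active=_as_bool(body.get("active", True)),
                            meta={"resourceType": "User", "version": 'W/"1"'})
            self._users[uid] = resource
            self._by_username[username.lower()] = uid
            return 201, resource

    def patch_user(self, uid: str, body: dict, if_match: Optional[str] = None) -> Tuple[int, dict]:
        if PATCH_OP not in body.get("schemas", []):
            return scim_error(400, "expected a PatchOp message", "invalidSyntax")
        with self._lock:
            current = self._users.get(uid)
            if current is None:
                return scim_error(404, f"User {uid} not found")
            version = current["meta"]["version"]
            if if_match is not None and if_match != version:
                # Stale write (e.g. a late retry of an older request): refuse, don't clobber.
                return scim_error(412, "resource version does not match If-Match")
            working = dict(current, meta=dict(current["meta"]))  # apply all ops or none
            for op in body.get("Operations", []):
                kind, path, value = str(op.get("op", "")).lower(), op.get("path"), op.get("value")
                if kind in ("add", "replace") and path is None and isinstance(value, dict):
                    for attr, v in value.items():  # path-less form: merge a partial resource
                        working[attr] = _as_bool(v) if attr == "active" else v
                elif kind in ("add", "replace") and path:  # top-level attribute paths only
                    working[path] = _as_bool(value) if path == "active" else value
                elif kind == "remove" and path:
                    working.pop(path, None)
                else:
                    return scim_error(400, f"unsupported operation {op!r}", "invalidSyntax")
            working["meta"]["version"] = 'W/"%d"' % (int(version.split('"')[1]) + 1)
            self._users[uid] = working
            return 200, working

    def is_active(self, uid: str) -> bool:
        with self._lock:
            resource = self._users.get(uid)
            return bool(resource and resource.get("active"))


def concurrent_duplicate_creates(store: UserStore, username: str, n: int = 20) -> list:
    """Burst n simultaneous POSTs for one userName; returns the sorted status codes."""
    results, guard = [], threading.Lock()

    def worker():
        status, _ = store.post_user({"schemas": [CORE_USER], "userName": username})
        with guard:
            results.append(status)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results)


def stale_deprovision_scenario() -> Tuple[int, int, bool]:
    """Constructed sequence: deprovision with the current ETag, then a late reactivation
    retry still carrying the old ETag; returns (first status, second status, active)."""
    store = UserStore()
    _, user = store.post_user({"schemas": [CORE_USER], "userName": "ada@example.com"})
    uid, etag = user["id"], user["meta"]["version"]
    deactivate = {"schemas": [PATCH_OP],
                  "Operations": [{"op": "Replace", "path": "active", "value": "False"}]}
    reactivate = {"schemas": [PATCH_OP], "Operations": [{"op": "replace", "value": {"active": True}}]}
    first, _ = store.patch_user(uid, deactivate, if_match=etag)
    second, _ = store.patch_user(uid, reactivate, if_match=etag)
    return first, second, store.is_active(uid)
```

The two scenario functions at the bottom are the kind of stress tests the section asks for: twenty simultaneous creates for one userName must yield exactly one 201 and nineteen 409s, and the late reactivation must lose against the newer deprovision, leaving the account disabled. In a real deployment the lock becomes a database transaction with a unique index on userName, and the version becomes a row version the PATCH compares against before committing.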
Consider using a SCIM provider instead
If supporting SCIM for Microsoft Entra feels like an impossible challenge, you’ll be glad to know there are done-for-you SCIM connectors you can use instead.
Directory Sync by WorkOS lets you quickly enable SCIM provisioning from Entra and all other major corporate identity providers with a straightforward, API-based integration.
- Get started fast: With SDKs for every popular platform and Slack-based support, you can implement Directory Sync in minutes rather than weeks.
- Events-based processing: While webhooks are also supported, WorkOS’ Events API means every SCIM request is processed in order and in real time. You’ll never miss a provisioning request again.
- Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard — whether they’re syncing 10 or 10,000 users with your app.
Explore Directory Sync by WorkOS.