WorkOS Docs Homepage
Integrations

Azure AD SCIM

Learn about syncing your user list with Azure AD SCIM.

This guide outlines how to synchronize your application’s Azure AD directories using SCIM.

To synchronize an organization’s users and groups provisioned for your application, you’ll need to provide the organization with two pieces of information:

  • An Endpoint that Azure AD will make requests to.
  • A Bearer Token for Azure AD to authenticate its endpoint requests.

Both of these are available in your Endpoint’s Settings in the WorkOS Dashboard.

Steps 2, 3, and 4 below will need to be carried out by the organization when configuring your application in their Azure AD instance.

Sign in to your WorkOS Dashboard and select “Organizations” from the left hand navigation bar.

Select the organization you’ll be configuring a new Directory Sync for.

Click “Add Directory”.

A screenshot showing where to add a new directory in the WorkOS dashboard.

Select “Azure AD” from the dropdown, and enter the organization name.

Then, click “Create Directory.”

A screenshot showing the "Create Directory" menu in the WorkOS dashboard.

We have support for whitelabeled URLs for Directory Sync endpoints. Contact us for more info!

Your Azure AD directory sync has now been created successfully with an Endpoint and Bearer Token.

A screenshot showing the Azure SCIM endpoint and bearer token in the WorkOS dashboard.

Sign in to the Azure Active Directory Admin Center Dashboard. Select “Enterprise applications” from the list of Azure services.

A screenshot showing where to select "Enterprise applications" in the Azure Active Directory Admin Center Dashboard

If your application is already created, select it from the list of applications and move to Step 3.

A screenshot showing where to select the application of choice in the All Applications menu in Azure.

If you haven’t created a SCIM application in Azure, select “New Application”.

A screenshot showing where to select a new application in the All Applications menu in Azure.

Select “Create your own application” and continue.

A screenshot showing where to select "Create your own application" in the All Applications menu in Azure.

Give your application a descriptive name, and select the “Integrate any other application you don’t find in the gallery (Non-gallery)” option, then click “Create”.

A screenshot showing where to configure the name of a new application in Azure.

Select “Provisioning” from the “Manage” section found in the navigation menu.

A screenshot showing where to select "Provisioning" from the "Manage" section in Azure.

Click the “Get Started” button.

A screenshot showing where to select "Get Started" in the "Provsioning" menu in Azure.

Select the “Automatic” Provisioning Mode from the dropdown menu.

In the “Admin Credentials” section, copy and paste the Endpoint from your WorkOS Dashboard in the “Tenant URL” field.

Then, copy and paste the Bearer Token from your WorkOS Dashboard into the Secret Token field.

Click “Test Connection” to receive confirmation that your connection has been set up correctly. Then, select “Save” to persist the credentials.

A screenshot showing where to configure the provisioning mode and credentials in Azure.

Expand the “Mappings” section.

A screenshot showing where to expand "Mappings" in Azure.

Make sure the group and user attribute mappings are enabled, and are mapping the correct fields. The default mapping should work, but your specific Azure setup may require you to add a custom mapping.

A screenshot showing where to ensure User attribute mappings are enabled in Azure.

Make sure that you are mapping “objectId” to “externalId” within the Attribute Mapping section.

A screenshot showing where to ensure "objectId" is mapped to "externalId" in the Attribute Mapping section in Azure.

In order for your users and groups to be synced, you will need to assign them to your Azure AD SCIM Application. Select “Users and groups” from the “Manage” section of the navigation menu.

A screenshot showing where to navigate to "Users and groups" from the "Manage" section in Azure.

Select “Add user/group” from the top menu.

A screenshot showing where to select "Add user/group" in the Users and groups menu in Azure.

Select “None selected” under the “Users and Groups”. In the menu, select the users and groups that you want to add to the SCIM application, and click “Select”.

A screenshot showing where to select users for a SCIM application in Azure.

Select “Assign” to add the selected users and groups to your SCIM application.

A screenshot showing where to assign the selected users for the SCIM application in Azure.

In the Provisioning menu, confirm the “Provisioning Status” is set to “On” and that the “Scope” is set to “Sync only assigned users and groups”.

A screenshot showing where to ensure that the "Provisioning Status" is "On" and "Scope" is set to "Sync only assigned users and groups" in Azure.

Begin provisioning users and groups and witness realtime changes in your WorkOS Dashboard.

No emails are coming through for users from Azure. How do I get emails for my Azure users?

For cloud-managed users, Azure AD pulls the email from the mail attribute in Exchange. If your customer doesn’t have this set up, they will need to configure attribute mapping in their SCIM app in Azure in order to provision users with WorkOS. They can use this tutorial from Microsoft. They’ll want to map a known email attribute, such as UPN, to the emails[type eq “work”].value SCIM attribute. For directories with synchronized-users, they will need to map the userPrincipalName attribute into the emails[type eq “work”].value SCIM attribute.

Can profile images be accessed with Azure SCIM?

Azure AD's SCIM provisioning does not support transmitting image.

Why do I receive a dsync.user.updated event after dsync.user.created?

Azure AD sends a newly provisioned user over to WorkOS in two separate actions. WorkOS will then send these actions as two individual events to your app. This is expected behavior.

How often do Azure AD SCIM 2.0 directories perform a sync?

Azure AD SCIM 2.0 Directory Sync Interval:

By default, Azure AD SCIM 2.0 directories sync events on a scheduled time interval, typically every 40 minutes.

For more details, please refer to Azure AD's official documentation.

On-Demand Provisioning:

There's also an option for On-demand provisioning which syncs events in real-time.