
SCIM Provisioning using Azure Active Directory (Microsoft Entra ID)

Learn how to provision SCIM using Microsoft Entra ID (Azure Active Directory)

Written by TransferChain Team
Updated this week

The System for Cross-Domain Identity Management (SCIM) user management API enables automatic user provisioning between TransferChain and Microsoft Entra ID (previously called Azure Active Directory ‘AAD’).

Requirements

  • Cloud Application Administrator role (or higher) in Azure Active Directory

  • An administrator role in TransferChain

Creating a Custom Application

  1. Log in to your Microsoft Azure Portal, then click on Microsoft Entra ID from the left-hand menu. Alternatively, you can search for it using the top search bar or use this link.

  2. Once inside your Microsoft Entra Admin Center tenant, navigate to Enterprise applications from the left-hand menu and click on it.


  3. Click New Application, then select Create your own application. In the menu that appears, enter a name for the app you wish to integrate and leave the Integrate any other application you don’t find in the gallery (Non-gallery) option selected.

    (i) Deployment may take a few minutes. You can monitor the status under the Notifications dropdown in the top ribbon.

  4. Once the deployment is complete, click the Enterprise Applications link beneath the search bar to locate your newly created application.

Configuring Provisioning

Get the TransferChain SCIM Provisioning Information (URL and token)

  1. Click on Settings

  2. Go to the ‘Marketplace’ Tab

  3. Click on ‘Enable’ under Microsoft Azure SCIM

  4. Copy the Connect URL & Authentication Token and save them for a later step

Configuring Provisioning in Azure AD

  1. Click Provisioning (1), then Get Started (2)

  2. Use the dropdown box to select Automatic (1), then enter the Provisioning URL copied from TransferChain as the Tenant URL, together with your Authentication Token (2, 3)

  3. Click Test Connection and observe the successful test (4)

  4. Click Save (5)

(i) Provisioning sync is done every 40 minutes. See more information here.

Synchronizing All or Assigned Users According to Preference

Whether you prefer to provision only the assigned users in your organization or all users in your organization, you will have to update both the Provision Settings and the Properties so that the two choices match.

Provision Settings:

  1. Head to Overview from the left-hand menu

  2. Click on ‘Edit Provisioning’ in the upper tab

  3. Under the ‘Settings’ section, open the ‘Scope’ dropdown

  4. Choose your preferred option: "Sync all users and groups" or "Sync all assigned users and groups"

  5. Then click “Save” to store your Provision Settings

Properties Section:

After you choose your preferred method in Provision Settings, select the matching option under the Properties section.

  1. Within your Enterprise Application, from the left-hand menu, you should head to ‘Properties’.

  2. On the “Assignment Required” setting, choose “Yes” if you want only specific assigned users in your organization to be provisioned, and “No” if you want all of the users in your organization to be provisioned.


Assigning Users & Groups

Disabling Groups from Attribute Mapping

Since the current Microsoft Entra ID user provisioning with TransferChain only supports users, you should disable the ‘Provision Microsoft Entra Groups’ mapping. Head to:

  1. ‘Attribute mapping (Preview)’

  2. Click on ‘Provision Microsoft Entra Groups’, and ‘Disable’ the attribute mapping.


Set Up User Provisioning

  1. Return to the application’s main page

  2. Navigate to Users and groups

  3. Click Add user/group

  4. Click Users under the None Selected section

  5. Search for the desired users and select them from the list

  6. Click Select

  7. Click Assign

Start Provisioning

When your setup is complete, you can start provisioning.

  1. Head to “Overview” from the left-hand menu

  2. Click on “Start Provisioning”

  3. You are all set!

User Attributes

These fields are supported for mapping user attributes:

  • Name (first and last name)

  • Email (must be lowercase)

  • Active (whether or not a user is enabled or disabled)

(i) Logging in to TransferChain requires an email address, a first name and a last name. To sync users to TransferChain, users in AD must have an email address, first name and last name included in their profiles.
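As an added example (not TransferChain's or Microsoft's code), the following pre-sync check runs user records shaped like SCIM 2.0 core User attributes (RFC 7643) against the requirements listed above, so an administrator can spot records that would fail to sync before starting provisioning. The exact attribute mapping TransferChain expects is not stated on this page; the field names and the sample records are assumptions constructed for the check.

```python
import re

# Constructed sample of directory user records, shaped like SCIM 2.0 core
# User attributes. The exact mapping TransferChain expects is not stated on
# the page; these field names are an assumption used only to show the checks.
SAMPLE_USERS = [
    {"userName": "alice@example.com", "name": {"givenName": "Alice", "familyName": "Doe"},
     "emails": [{"value": "alice@example.com", "primary": True}], "active": True},
    {"userName": "Bob@Example.com", "name": {"givenName": "Bob", "familyName": "Roe"},
     "emails": [{"value": "Bob@Example.com", "primary": True}], "active": True},
    {"userName": "carol@example.com", "name": {"givenName": "Carol", "familyName": ""},
     "emails": [{"value": "carol@example.com", "primary": True}], "active": False},
    {"userName": "svc-backup", "name": {"givenName": "Backup", "familyName": "Service"},
     "emails": [], "active": True},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def primary_email(user):
    """Return the primary (or first) email value, or None if the record has none."""
    emails = user.get("emails") or []
    for entry in emails:
        if entry.get("primary"):
            return entry.get("value")
    return emails[0].get("value") if emails else None


def check_user(user):
    """List the reasons a record does not meet the 'User Attributes' requirements
    (first name, last name, lowercase email, boolean active). Empty list = ready."""
    problems = []
    name = user.get("name") or {}
    if not name.get("givenName"):
        problems.append("missing first name")
    if not name.get("familyName"):
        problems.append("missing last name")
    email = primary_email(user)
    if not email or not EMAIL_RE.match(email):
        problems.append("missing or malformed email")
    elif email != email.lower():
        problems.append("email is not lowercase")
    if not isinstance(user.get("active"), bool):
        problems.append("active flag missing or not boolean")
    return problems


def presync_report(users):
    """Map each userName to its problem list; only records with problems are included."""
    return {u.get("userName"): p for u in users if (p := check_user(u))}
```

Running `presync_report(SAMPLE_USERS)` flags the mixed-case email, the empty last name and the service account without an email, while the complete record is not listed.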
