
SCIM Configuration Guide for Microsoft Entra ID

To enable SCIM, you first need an existing application in Microsoft Entra ID. If you haven't created an application yet, please follow these instructions.


After creating the application for the Entra ID SCIM connection, follow these steps:

  • Open the Entra ID portal.
  • In the left pane, expand the Applications menu, then click Enterprise applications.
  • On the page that appears, select All applications, then find and open the application for which you want to enable provisioning.
  • With the application open, go to the Provisioning menu and click Connect your application.
  • On the New provisioning configuration page:

    1. In the Tenant URL field, enter the SCIM endpoint base URL you obtained from the SAML Single Sign-On page.

    2. In the Secret Token field, enter the token you created with the Manage Users with SCIM scope.

    3. Click the Test Connection button.


  • Once you see the message “Connection test for ‘your_app_name’ was successful,” click the Create button. You will then be redirected to the Provisioning Overview (Preview) page.

  • Go to the Provisioning menu, then:

    1. Click Mappings.

    2. Select Provision Microsoft Entra ID Groups.

    3. Set Enabled to No.

    4. Click the Save button and confirm by selecting Yes.




  • Return to the Mappings section and click Provision Microsoft Entra ID Users.
  • In the Attribute Mappings section, delete all deletable attributes except displayName.



  • Click the Edit button for the userName record, set all fields as shown in the image below, and then click the OK button.


  • Click the Add New Mapping link, then add a new mapping for the active field as shown below.

  • Our final mappings will look something like the one below:



  • Click the Save button at the top of the page.
  • Return to the application's Provisioning menu, set Provisioning Status to On, then click the Save button.
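The Test Connection button in the portal sends an authenticated GET to the /Users endpoint of the tenant URL. The following PowerShell is an added example, not part of PowerDMARC's documentation, that performs the same probe from your workstation so the tenant URL and secret token can be checked before they are saved. The base URL, the probe userName and the token prompt are placeholders; substitute the values from your SAML Single Sign-On page.

```powershell
# Added example: probe a SCIM 2.0 base URL with a bearer token the way Entra's
# "Test Connection" does. Not PowerDMARC's own script.
$TenantUrl   = "https://scim.example.invalid/scim/v2"   # assumption: replace with your SCIM base URL
$SecretToken = Read-Host -AsSecureString -Prompt "SCIM secret token (Manage Users with SCIM scope)"

function Test-ScimEndpoint {
    param(
        [Parameter(Mandatory)] [string] $BaseUrl,
        [Parameter(Mandatory)] [securestring] $Token
    )
    # Unwrap the secret only for the duration of the request.
    $plain   = [System.Net.NetworkCredential]::new('', $Token).Password
    $headers = @{
        Authorization = "Bearer $plain"
        Accept        = "application/scim+json"
    }
    # Entra's connection test issues a filtered GET on /Users. A 200 with a
    # ListResponse body means both the URL and the token were accepted.
    $url = "$($BaseUrl.TrimEnd('/'))/Users?filter=userName%20eq%20%22probe%40example.invalid%22"
    try {
        $resp = Invoke-WebRequest -Uri $url -Headers $headers -Method Get -ErrorAction Stop
        $body = $resp.Content | ConvertFrom-Json
        [pscustomobject]@{
            StatusCode = [int]$resp.StatusCode
            Schemas    = ($body.schemas -join ',')
            Ok         = ([int]$resp.StatusCode -eq 200 -and
                          $body.schemas -contains 'urn:ietf:params:scim:api:messages:2.0:ListResponse')
        }
    } catch {
        # 401/403 points at the token or its scope; 404 usually means the base URL
        # is wrong (missing or extra path segment).
        [pscustomobject]@{
            StatusCode = [int]$_.Exception.Response.StatusCode
            Schemas    = $null
            Ok         = $false
            Error      = $_.Exception.Message
        }
    }
}

Test-ScimEndpoint -BaseUrl $TenantUrl -Token $SecretToken
```

If Ok is False, fix the URL or token before saving the configuration; the portal's test will fail for the same reason, and an unexpected 200 from a URL you did not intend is a sign the token has been sent to the wrong host.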

Now let's set up user roles.

  • Open the App registration that corresponds to the Enterprise Application you created for SSO and SCIM.
  • Under App roles, add the roles 'Read Only' and 'Account Admin'. The Display name must match exactly as written; the Value is irrelevant. Remove the default roles so that only these two custom roles remain (a role must be disabled before it can be deleted).
  • Go back to the Enterprise Application.
  • On the Overview page, make sure 'Assignment required?' is set to Yes. (This should be the default for any privileged application.)
  • Under 'Users and groups', remove all existing assignments, then add the users or groups that should have access, each with the intended role. Give each user exactly one role, directly or through group membership, because the mapping expression below resolves a single role assignment per user.
  • Go to Provisioning, open the user attribute mapping, and set the mapping for userType to the following expression: SingleAppRoleAssignment([appRoleAssignments])
  • In the advanced attribute list for that mapping, mark userType as required.
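The role setup above can also be done with the Microsoft Graph PowerShell SDK, which is useful when the same configuration has to be repeated or audited. The script below is an added example, not PowerDMARC's or Microsoft's own, and assumes the SDK is installed, that you hold Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All, and that the application display name and the two group names are placeholders you replace with your own.

```powershell
# Added example: replace the app roles, require assignment, reset assignments and
# assign one group per role via Microsoft Graph. Names below are assumptions.
Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All","Group.Read.All"

$AppDisplayName = "PowerDMARC SSO"                       # assumption: your enterprise app's name
$RoleToGroup    = @{                                     # assumption: one group per PowerDMARC role
    "Account Admin" = "sg-powerdmarc-admins"
    "Read Only"     = "sg-powerdmarc-readonly"
}

$app = Get-MgApplication      -Filter "displayName eq '$AppDisplayName'"
$sp  = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"

# 1. Graph refuses to delete an app role that is still enabled, so disable the
#    existing roles (including the default 'User' role) first.
$disabled = $app.AppRoles | ForEach-Object { $_.IsEnabled = $false; $_ }
Update-MgApplication -ApplicationId $app.Id -AppRoles $disabled

# 2. Replace them with exactly the two roles PowerDMARC expects. Only DisplayName
#    has to match; SingleAppRoleAssignment() emits the display name, not Value.
$roles = @("Read Only", "Account Admin") | ForEach-Object {
    @{
        Id                 = [guid]::NewGuid().ToString()
        AllowedMemberTypes = @("User")
        DisplayName        = $_
        Description        = "PowerDMARC role: $_"
        Value              = ($_ -replace ' ', '')
        IsEnabled          = $true
    }
}
Update-MgApplication -ApplicationId $app.Id -AppRoles $roles

# 3. Nobody gets a SAML assertion or a SCIM record without an explicit assignment.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 4. Remove every existing assignment so the role set starts clean.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All | ForEach-Object {
    Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id
}

# 5. Assign one group to each role. A user in both groups would have two role
#    assignments, which SingleAppRoleAssignment() cannot resolve.
$sp = Get-MgServicePrincipal -ServicePrincipalId $sp.Id   # refresh so AppRoles reflects the new set
foreach ($entry in $RoleToGroup.GetEnumerator()) {
    $role  = $sp.AppRoles | Where-Object DisplayName -eq $entry.Key
    $group = Get-MgGroup -Filter "displayName eq '$($entry.Value)'"
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
        -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $role.Id
}

# 6. Verify: every assignment should map to 'Read Only' or 'Account Admin'.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType,
        @{ n = 'Role'; e = { $id = $_.AppRoleId; ($sp.AppRoles | Where-Object Id -eq $id).DisplayName } }
```

Step 6 is the check worth keeping: run it periodically, and any principal whose Role column is empty or not one of the two expected names is either a stale assignment or a role that was renamed, and its userType will not provision correctly.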

Now we can finally start provisioning users to PowerDMARC:

  • Open the Overview (Preview) menu, click Start provisioning, and select Yes to finalize the configuration.


  • From now on, users who have been assigned to this application will be provisioned to PowerDMARC.


PowerDMARC is the author of this solution article.
