User provisioning setup guide

Learn how to set up user provisioning to efficiently manage employee accounts through an identity provider (IdP).


  • SAML authentication (single sign-on) must be configured.
  • Only Managed Accounts created or updated after January 16, 2023 are eligible.
  • Only admins can set up and manage user provisioning.

Items that can be synchronized from the IdP

With user provisioning, the following account information from your IdP is synced with your organization:

  • Username
  • Email 
  • Language
  • Time zone
  • Role
  • Account status (active/inactive)

Set up user provisioning

1. Enable user provisioning

  • Go to Organization Settings > Organization > User Provisioning.
  • Select Manage.
  • Select Enable.
  • Select Save.

2. Issue a token

Before issuing a token, note that a token-issuer account:

  • Can’t be deleted
  • Can’t be suspended
  • Can’t have permissions changed

To take these actions on a token-issuer account, another admin first needs to reissue the token and reconfigure the IdP.

To issue a token:

  • Select Issue Token on the user provisioning screen.
  • Once the token is issued, copy and save the SCIM URL and SCIM token.


Good to know

The issued token is only shown once. If you lose it, delete the old token and issue a new one.


3. Set SCIM credentials on your IdP

  • Select All applications > New application.

  • Select Create your own application.
  • Select Integrate other applications not found in gallery from the search options, and select Create.
  • Select Provisioning from the menu on the left.


  • Select Get started.

  • Select Automatic for provisioning mode.
  • Enter the following information in Administrative Credentials:
    1. Tenant URL: SCIM URL
    2. Secret token: SCIM token
  • Select Test connection.
    If the connection is successful, the following message is shown: “The specified credentials have permission to enable provisioning.” 

4. Create an app role in Microsoft Entra ID

These three app roles should be created:

  • ADMIN
  • USER
  • GUEST

To create the roles:

  • Select Applications > App Registrations.
  • Select All Applications.
  • Select the desired app and then App Roles > Create App Role.

  • Create the following 3 roles:
| Display name | Allowed member types | Value | Description | Would you like to enable this app role? |
| --- | --- | --- | --- | --- |
| Enter any name | User or group | ADMIN | Descriptive text | Check |
| Enter any name | User or group | USER | Descriptive text | Check |
| Enter any name | User or group | GUEST | Descriptive text | Check |
  • After entering the information, select Apply.

5. Disable Provision Microsoft Entra ID Groups

Provision Microsoft Entra ID Groups is enabled by default. To disable it:

  • Select your application.
  • Select Provisioning from the menu on the left.
  • Select Provision Microsoft Entra ID Groups under Mapping.
  • Select No for Enabled.
  • Select Save.

6. Configure attribute mapping

  • Select your application.
  • Select Provisioning from the menu on the left.
  • Select Provision Microsoft Entra ID Users under Mapping.

  • Edit mapping attributes. Do not remove required attributes.

Good to know

The Microsoft Entra ID attribute settings are just an example. Various settings can be made based on your organization, as shown in the Microsoft Entra ID tutorial:

  • Delete unnecessary items
  • Set default values
  • Synchronize data only when creating objects to avoid overwriting existing data

  • Select Add new mapping to add attributes to map Managed Accounts and roles.

  • Fill in the fields below, and select OK:
    1. Mapping type: Expression
    2. Source attribute: SingleAppRoleAssignment([appRoleAssignments])
    3. Target attribute: roles[primary eq "True"].value


The following attributes can be synchronized: 

| Attribute | Microsoft Entra ID property | Details |
| --- | --- | --- |
| externalId | userPrincipalName | Uniquely identifies your account, such as a unique ID assigned within the IdP. Not shown on the Nulab service screen. |
| userName (required) | userPrincipalName | Email used to uniquely identify an account and used to sync a Managed Account. The default value is user.userprincipalname, but Nulab Pass (Backlog, Cacoo, Typetalk) requires this to be mapped to the Managed Account email. Use the user.mail attribute from the list, or use the appropriate attribute value based on your organization's configuration. |
| displayName (required) | displayName | Username |
| preferredLanguage (*1) | preferredLanguage | Language. If not specified by the user in their device’s Settings and Privacy, the language of the token issuer will be used to create the Managed Account. Language isn’t updated when updating a Managed Account. |
|  | Switch([country], "Asia/Tokyo","United States","America/New_York","Netherlands","Europe/Amsterdam") (*2) | Time zone. If not specified by the user, the time zone of the token issuer will be used to create the Managed Account. Time zone isn’t updated when updating a Managed Account. |
| active (required) | Switch([isSoftDeleted],, "False", "True", "True", "False") | Activate/deactivate a Managed Account. true: active; false: stop. |
| roles[primary eq "True"].value | SingleAppRoleAssignment([appRoleAssignments]) | ADMIN: Administrator; USER: General user; GUEST: Guest. If not specified, it will be GUEST. |

*1 The preferred language set by each user in their device’s Settings and Privacy becomes the preferred language.

*2 The above is just an example. Please modify according to your own settings. Please refer to Entra ID help.

Good to know

If an account role is downgraded to guest due to synchronization:

  • Team admins will lose their team admin privileges.
  • Guests on teams that can’t participate are removed from the team.
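
A pre-flight check for the mappings in this step, as an added example that is not Nulab's or Microsoft's code: it models the Switch and role mappings offline and lists accounts that would be deactivated, downgraded to GUEST, or promoted to ADMIN once provisioning starts. The record shape, the appRole field, the finding names and all sample data are assumptions constructed for illustration.

```python
# Added example: offline model of the step 6 mappings. All data is constructed.

def switch(source, default, *pairs):
    """Model of the Entra Switch(source, default, key1, value1, ...) function."""
    return dict(zip(pairs[0::2], pairs[1::2])).get(source, default)

def map_user(u):
    """Apply the guide's mappings to one Entra user record (hypothetical dict shape)."""
    role = u.get("appRole")  # stands in for SingleAppRoleAssignment([appRoleAssignments])
    active = switch(str(u["isSoftDeleted"]), "", "False", "True", "True", "False")
    return {
        "userName": u.get("mail"),  # user.mail, so it matches the Managed Account email
        "active": active == "True",
        "role": role if role in ("ADMIN", "USER", "GUEST") else "GUEST",  # unset -> GUEST
    }

def preflight(entra_users, managed_accounts):
    """Return (userPrincipalName, finding) pairs to review before starting provisioning."""
    findings = []
    for u in entra_users:
        mapped = map_user(u)
        upn = u["userPrincipalName"]
        current_role = managed_accounts.get(mapped["userName"])
        if current_role is None:
            # Sync only happens when the Managed Account email and IdP email are the same.
            findings.append((upn, "no-matching-managed-account-email"))
            continue
        if not mapped["active"]:
            findings.append((upn, "will-be-deactivated"))
        if mapped["role"] == "GUEST" and current_role != "GUEST":
            findings.append((upn, "downgrade-to-guest"))  # team admin rights are lost
        elif mapped["role"] == "ADMIN" and current_role != "ADMIN":
            findings.append((upn, "upgrade-to-admin"))
    return findings

# Constructed sample data: Managed Account email -> current role.
MANAGED = {"alice@example.com": "ADMIN", "bob@example.com": "USER", "dan@example.com": "USER"}
ENTRA = [
    {"userPrincipalName": "alice@example.onmicrosoft.com", "mail": "alice@example.com",
     "isSoftDeleted": False, "appRole": None},       # no app role assigned
    {"userPrincipalName": "bob@example.onmicrosoft.com", "mail": "bob@example.com",
     "isSoftDeleted": True, "appRole": "USER"},      # soft-deleted in the IdP
    {"userPrincipalName": "carol@example.onmicrosoft.com", "mail": "carol@corp.example",
     "isSoftDeleted": False, "appRole": "ADMIN"},    # email differs from any Managed Account
    {"userPrincipalName": "dan@example.onmicrosoft.com", "mail": "dan@example.com",
     "isSoftDeleted": False, "appRole": "ADMIN"},    # role change to ADMIN
]

if __name__ == "__main__":
    for upn, finding in preflight(ENTRA, MANAGED):
        print(f"{upn}: {finding}")
```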

7. Assign users

Only assigned users are synchronized with Managed Accounts in user provisioning.

  • Select Users & Groups > Add User or Group.

  • Select None selected under Users and Groups and search for users from the search field.

  • Select the user and then Select.

  • Select Not selected under Select a role and assign a role to the user. The selected role will be the role of the Managed Account (admin, member, guest). If you select a role that is different from the existing Managed Account role, the role will be updated.
  • Select Assign to add the user.

Good to know

To delete a Managed Account while continuing to use Microsoft Entra ID, remove the user from the list of users assigned to the Nulab Pass application in Entra ID.

8. Start provisioning

When you start user provisioning, information is synchronized only if the Managed Account's email and the user email on the IdP are the same. Non-Managed Accounts or Managed Accounts that haven’t been updated won’t be synchronized even if they have the same email. 

  • Select Overview > Start Provisioning.

  • Wait for synchronization to finish. Check your IdP’s settings to determine how long it will take.

Good to know

If you select Sync all users and groups in Scope of Settings for provisioning, all users registered in Microsoft Entra ID will be subject to user provisioning.

  • If user provisioning was successful, the Provisioned Managed Account label will be displayed on the member list screen.

Good to know

Due to a known bug in Microsoft Entra ID's SCIM client, active synchronization may not work properly. If you get an error, add “?aadOptscim062020” to the end of the SCIM URL to resolve it.

Stop user provisioning

  • Sign in with an administrator account to the Microsoft Azure portal.
  • Select the application with provisioning enabled.
  • Select Provisioning from the menu on the left.
  • Select Stop Provisioning.
  • Select OK.

Disable user provisioning for Nulab organizations

  • Select Organization Settings > Organization > User Provisioning.
  • Select Manage.
  • Uncheck the “Enable” checkbox.
  • Select Save.

Delete the token

  • Select Delete token on the user provisioning screen.

  • Select Delete token in the dialog to confirm your choice.
