In this guide, we’ll show you how to set up SCIM in Microsoft Entra ID to allow for user provisioning.
Prerequisites
- User provisioning by SCIM (available with Nulab Pass).
- SAML authentication (single sign-on) must be configured.
Supported features
With user provisioning, you can:
- Create Managed Accounts
- Update Managed Account attributes
- Deactivate Managed Accounts
- Delete Managed Accounts
SCIM set-up
To set up SCIM for Microsoft Entra ID:
In Nulab
- Go to your Nulab organization settings.
-
Select Organization > User provisioning to open the SCIM configuration screen.
- If user provisioning isn’t enabled:
- Select “Manage.”
- Select the “Enable” checkbox.
- Select “Save.”
- Write down the SCIM URL somewhere safe.
- If a token hasn’t been issued:
- Select “Generate token.”
- Write down the SCIM token somewhere safe.
- If user provisioning isn’t enabled:
In Microsoft Entra ID
- Log in to Microsoft Entra Admin Center.
- Select “Enterprise applications.”
- Select All applications > New application.
- Select “Create your own application.”
- Select “Integrate other applications not found in gallery” from the search options, and select “Create.”
- Select “Provisioning” from the menu on the left.
- Select “Get started.”
- Select “Automatic” for provisioning mode.
- Enter the following information in “Administrative credentials”:
- Tenant URL: SCIM URL
- Secret token: SCIM token
- Select “Test connection.”
If the connection is successful, the following message is shown: “The specified credentials have permission to enable provisioning.”
Create roles in Microsoft Entra ID
To create app roles:
- Select Applications > App registrations.
- Select “All applications.”
- Select the desired app and then App roles > Create app role.
Enter the following information and select “Apply.”
| Display name | Allowed member types | Value | Description | Enable app role? |
| ADMIN | User or group | Enter any value | Enter any description | Select checkbox |
| USER | User or group | Enter any value | Enter any description | Select checkbox |
| GUEST | User or group | Enter any value | Enter any description | Select checkbox |
Disable provision groups
Provision groups are enabled by default in Microsoft Entra ID. To disable them:
- Select the application.
- Select “Provisioning” from the menu on the left.
- Select “Provision Microsoft Entra ID Groups” under “Mapping.”
- Select “No” for “Enabled.”
- Select “Save.”
Configure attribute mapping
- Select the application.
- Select “Provisioning” from the menu on the left.
- Select “Provision Microsoft Entra ID Users” under “Mapping.”
-
Edit mapping attributes. Existing settings are just examples and can be changed based on your organization. Make sure you:
- Delete unnecessary items.
- Set default values.
- Sync data only when creating objects to avoid overwriting existing data.
- Don’t remove required attributes.
- Select “Add new mapping” to add attributes to map Managed Accounts and roles.
- Fill in the following fields and select “OK”:
- Mapping type: Expression
- Source attribute: SingleAppRoleAssignment([appRoleAssignments])
- Target attribute: roles[primary eq "True"].value
The following attributes can be synched:
| Attribute | Microsoft Entra ID property | Details |
| externalId | userPrincipalName | Uniquely identifies your account (e.g., a unique ID assigned within the IdP). Not shown on the Nulab service screen. |
| userName (required) | userPrincipalName | Email used to uniquely identify an account and sync a Managed Account. The default value is user.userprincipalname, but Nulab Pass (Backlog, Cacoo) requires this to be mapped to the Managed Account email. Use the user.mail attribute from the list, or use the appropriate attribute value based on your organization's configuration. |
| displayName (required) | displayName | Username |
| preferredLanguage1 | preferredLanguage | If the user does not specify a language in their device’s Settings and Privacy, the language of the token issuer will be used to create the Managed Account. Language isn’t updated when updating a Managed Account. |
| timezone |
Switch([country], "Asia/Tokyo","United States","America/New_York","Netherlands","Europe/Amsterdam") *The above is just an example. Please modify according to your own settings. Please refer to Entra ID help. |
If not specified by the user, the time zone of the token issuer will be used to create the Managed Account. Time zone isn’t updated when updating a Managed Account. |
| active (required) | Switch([isSoftDeleted],, “False”, “True”, “True”, “False”) |
Activate/deactivate a Managed Account ・false: stop |
| roles[primary eq "True"].value | SingleAppRoleAssignment([appRoleAssignments]) |
ADMIN: Administrator GUEST: Guest If not specified, it will be GUEST. |
Good to know
If an account is downgraded to “guest” due to synchronization:
If an account is downgraded to “guest” due to synchronization:
- Team admins lose their team privileges
- Guests on teams that can’t participate are removed from the team.
Assign users
Only assigned users are synched with Managed Accounts in user provisioning. To assign users:
- Select Users and groups > Add user/group.
- Select “None selected” under “Users and groups” and search for users from the search field.
- Select the user and then “Select.”
- Select “Not selected” from “Select a role” and assign it to the user role. The selected role will be the role of the Managed Account (admin, member, guest). If you select a role that’s different from the existing Managed Account role, the role will be updated.
- Select “Assign” to add the user.
Good to know
To delete a Managed Account while continuing to use Microsoft Entra ID, remove the user from those assigned to Nulab Pass on Entra ID.
To delete a Managed Account while continuing to use Microsoft Entra ID, remove the user from those assigned to Nulab Pass on Entra ID.
Start user provisioning
When you start user provisioning, information is synched only if the Managed Account email and user email on the IdP are the same. Non-Managed Accounts or Managed Accounts that haven’t been updated won’t be synched even if they have the same email. To start provisioning:
- Select Overview > Start provisioning.
- Wait for synchronization to finish. Check your IdP’s settings to determine how long it will take.
Good to know
If you select “Sync all users and groups” in Scope > Settings for provisioning, all users registered in Microsoft Entra ID will be subject to user provisioning.
If you select “Sync all users and groups” in Scope > Settings for provisioning, all users registered in Microsoft Entra ID will be subject to user provisioning.
- If user provisioning is successful, the “Provisioned Managed Account” label will be displayed on the member list screen.
Good to know
If you get a sync error, add “?aadOptscim062020” to the end of the SCIM URL to resolve it. This is due to a known bug in Microsoft Entra ID’s SCIM client.
If you get a sync error, add “?aadOptscim062020” to the end of the SCIM URL to resolve it. This is due to a known bug in Microsoft Entra ID’s SCIM client.
Stop user provisioning
To stop user provisioning:
- Sign in with an administrator account to the Microsoft Azure portal.
- Select the application with provisioning enabled.
- Select “Provisioning” from the menu on the left.
- Select “Stop provisioning.”
- Select “OK.”
Disable user provisioning for Nulab organizations
- Select Organization settings > Organization > User provisioning.
- Select “Manage.”
- Uncheck the “Enable” checkbox.
- Select “Save.”
Delete the token
- Select “Delete token” on the user provisioning screen.
- Select “Delete token” in the dialog to confirm your choice.