Azure SCIM - Automatic User Provisioning

Yariv Hazony
Last Updated: 1 month ago

1. Accessing Azure AD (Microsoft Entra ID) SCIM Connection via Enterprise Application:

2. Create Your Application:

3. Integrating with Other Applications that are not found in the gallery:

4. Configuring Provisioning User Accounts:

  • Navigate to the Provision User Accounts section under the overview menu of the Enterprise Application.

  • Select Getting Started and proceed to the provisioning menu, then choose “Get started”.

5. Configure automatic provisioning and input the Tenant URL:

  • Enter the secret token, which you'll receive from the SCIM setting in the Dcoya portal, in the “Secret Token” field.

  • Test the connection after entering your Tenant URL and Secret Token.

  • Once the test is successful, click the “Save” button.

6. Adjusting Provisioning Settings:

  • Go to the Provisioning menu in the Enterprise Application.

  • Disable “Provision Azure Active Directory Groups” by selecting the Group mapping and setting Enabled to No.

  • Under Settings at the bottom, set Provisioning Status to “On” and click the “Save” button.

7. Synchronizing Security Groups:

Ensure your security groups are synchronized by creating synchronization groups, based on AAD attributes, in the main AAD portal menu:

  • In the Enterprise Application, navigate to Users and Groups and select Add user/Group.
  • Choose your user or group and complete the selection process by assigning the users/groups.

  • Test the synchronization by going to the Provisioning menu and selecting Provision on Demand.
  • Select a user/group to provision by typing a name in the search box and selecting “Provision”.


Provisioning and Deprovisioning Synchronization Timeframe:

  • Provisioning on demand takes about 5 minutes to reflect in the SCIM group.

  • Provisioning Cycle takes about 40 minutes to 1 hour to reflect within the SCIM group.

  • Deprovisioned users remain in the SCIM group within DCOYA for 30 days (soft delete) or are immediately removed (hard delete).


1. Need to remap attributes?

  • Go to the “Enterprise Application Overview” menu and click “Provisioning”.
  • Click “Edit Provisioning” and select “Provision Azure Active Directory Users” in the Mappings drop-down.
  • Click the “Mappings” drop down and select “Provision Azure Active Directory Users”.
  • Within the "Attribute Mapping" menu, you can scroll through the page to see the default attributes of Azure Active Directory.

DCOYA uses the following attribute fields:

• Mail

• Given Name

• Surname

• Department

• Title

• Country

• Business Phone

• Manager

  • Choose the attribute you wish to remap by selecting it from the "Source attribute" drop-down menu, then click "Ok" to confirm your selection.


  • While the Manager field can be remapped, it will retrieve only the Manager ID unless the Manager's Name has been set up in the application.

  • When modifying an attribute, make changes to the "Source" attribute only, without altering the "Target" attribute.

  1. Utilizing Scoping Filters for Targeted User Inclusion or Exclusion Based on Attributes

    Scoping filters provide the capability for the Azure provisioning service to selectively include or exclude users based on specific attribute values. For instance, you may specify that only users with a "Department" attribute set to "HR" should undergo provisioning. Another scenario could involve excluding accounts for non-users (e.g., Printer) from the provisioning process.

  • To generate scoping filters, proceed to the "Enterprise Application Overview" menu within the application you've created, then click on "provisioning."
  • Select the link to “Add Scoping Filters.”

  • Expand the menu for "Mappings" by clicking the arrow, then select "Provision Azure Active Directory Users."
  • Select the link “All Records” under the Source Object Scope.
  • Click on “Add scoping filter”.
  • Select the "Add New Scoping Clause" button to introduce a new clause. If multiple clauses exist within the same filter, they will be evaluated using "AND" logic.
  • After inputting your scoping clauses, provide a title for your filter and proceed by clicking OK. You have the option to create multiple scoping filters using this method, each with its unique set of clauses.
  • Click OK once more to incorporate the new scoping filter(s) into the application. If multiple scoping filters are present, they will be assessed using "OR" logic.


Scoping filters determine the objects included in the provisioning process. For example, a scoping filter clause like "city EQUALS Tel Aviv" will provision all Active Directory (AD) accounts where the city is Tel Aviv. To establish an exclusion attribute, consider it as the opposite operation. For instance, "department NOT EQUALS Third Party" will provision all AD accounts except those in the Third Party department.
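The AND/OR evaluation described above, as an added example (not Dcoya's or Microsoft's code): it models only the attribute clauses, with exact string comparison, and shows how splitting two clauses into separate filters widens the set of provisioned accounts. The account records and filter titles are constructed for illustration.

```python
# Constructed sample accounts; attribute names follow the clauses quoted above.
USERS = [
    {"name": "alice", "city": "Tel Aviv", "department": "HR"},
    {"name": "bob", "city": "Tel Aviv", "department": "Third Party"},
    {"name": "carol", "city": "Haifa", "department": "Finance"},
    {"name": "printer-3f", "city": "Haifa", "department": "Third Party"},
]

# Only the two operators used in this article are modelled.
OPERATORS = {
    "EQUALS": lambda actual, expected: actual == expected,
    "NOT EQUALS": lambda actual, expected: actual != expected,
}

def clause_matches(user, clause):
    attribute, operator, value = clause
    return OPERATORS[operator](user[attribute], value)

def in_scope(user, scoping_filters):
    """Clauses inside one filter are ANDed; separate filters are ORed."""
    if not scoping_filters:
        return True  # no scoping filter: "All Records"
    return any(all(clause_matches(user, c) for c in clauses)
               for clauses in scoping_filters.values())

def provisioned(scoping_filters, users=USERS):
    return [u["name"] for u in users if in_scope(u, scoping_filters)]

# Intended rule: Tel Aviv accounts that are not in the Third Party department.
ONE_FILTER = {
    "tel-aviv-staff": [("city", "EQUALS", "Tel Aviv"),
                       ("department", "NOT EQUALS", "Third Party")],
}
# The same two clauses split across two filters: matching either is enough.
TWO_FILTERS = {
    "tel-aviv": [("city", "EQUALS", "Tel Aviv")],
    "not-third-party": [("department", "NOT EQUALS", "Third Party")],
}

if __name__ == "__main__":
    print("one filter :", provisioned(ONE_FILTER))
    print("two filters:", provisioned(TWO_FILTERS))
```

Exclusions therefore belong in the same filter as the inclusion they restrict; Provision on Demand against an account that should be excluded confirms the result.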
