# Microsoft Azure AD

This guide helps administrators sync their EntraID directory with an application they want to onboard to their organization. Integrating your application with Entra ID automates user management tasks and ensures access rights stay up-to-date.

This registration sets up the following:

1. **Endpoint**: This is the URL where EntraID sends requests to the onboarded app, acting as a communication point between them.
2. **Bearer Token**: Used by EntraID to authenticate its requests to the endpoint, ensuring security and authorization.

These components enable seamless synchronization between your application and the EntraID directory.

1. ## Create an endpoint and API token

   Select the "SCIM Provisioning" tab to display a list of Directory Providers. Choose "Entra ID" as your Directory Provider. If the Admin Portal is not accessible from the app, request instructions from the app owner.

   ![Setting up Directory Sync in the admin portal of an app being onboarded: Entra ID selected as the provider, awaiting configuration](@/assets/docs/guides/scim-integrations/google-dir-sync/1.png)

   Click "Configure" after selecting "EntraID" to generate an Endpoint URL and Bearer token for your organization, allowing the app to listen to events and maintain synchronization.

   ![Endpoint URL and Bearer token for your organization.](@/assets/docs/guides/scim-integrations/entra-id-scim/00-2.png)

2. ## Add a new application in Entra ID

   To send user-related updates to the app you want to onboard, create a new app in Microsoft Entra ID.

   Go to the Microsoft Azure portal and select "Microsoft Entra ID".

   ![Microsoft Entra ID in the Azure portal.](@/assets/docs/guides/scim-integrations/entra-id-scim/01.png)

   In the "Manage > All applications" tab, click "+ New application".

   ![Adding a new application in Microsoft Entra ID.](@/assets/docs/guides/scim-integrations/entra-id-scim/02.png)

   Click "+ Create your own application" in the modal that opens on the right.

   ![Creating a new application in Microsoft Entra ID.](@/assets/docs/guides/scim-integrations/entra-id-scim/03.png)

   Name the app you want to onboard (e.g., "Hero SaaS") and click "Create", leaving other defaults as-is.

   ![Creating a new application in Microsoft Entra ID.](@/assets/docs/guides/scim-integrations/entra-id-scim/04.png)

3. ## Configure provisioning settings

   In the "Hero SaaS" app's overview, select "Manage > Provisioning" from the left sidebar.

   ![Configuring provisioning for the "Hero SaaS" app.](@/assets/docs/guides/scim-integrations/entra-id-scim/05.png)

   Set the Provisioning Mode to "Automatic".

   In the Admin Credentials section, set:

   - Tenant URL: _Endpoint_
   - Secret Token: _Bearer Token generated previously_

   ![Setup Provisioning Mode and Admin Credentials.](@/assets/docs/guides/scim-integrations/entra-id-scim/06.png)

   In the Mappings section, click "Provision Microsoft Entra ID Users" and toggle "Enabled" to "Yes".

   ![Making sure the "Provision Microsoft Entra ID Users" is enabled.](@/assets/docs/guides/scim-integrations/entra-id-scim/07.png)

   ![Making sure the "Provision Microsoft Entra ID Users" is enabled.](@/assets/docs/guides/scim-integrations/entra-id-scim/08.png)

   Close the modal and reload the page for changes to take effect.

   Go to "Overview > Manage > Provisioning" and ensure "Provisioning Status" is toggled "On".

   ![Making sure the "Provisioning Status" is toggled "On".](@/assets/docs/guides/scim-integrations/entra-id-scim/010.png)

   Entra ID is now set up to send events to Hero SaaS when users are added or removed.

4. ## Map custom attributes (optional)

   By default, Entra ID syncs standard attributes such as email, first name, last name, and display name. To sync a custom attribute (for example, a department code or employee ID), you must map it explicitly in the provisioning configuration.

    In your app's **Provisioning** settings, click **Edit attribute mappings** under the **Mappings** section.

    At the bottom of the page, select **Show advanced options**, then click **Edit attribute list for [app name]**. Add the custom target attribute as a new SCIM extension schema field (for example, `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber`). This ensures the attribute exists for mapping.

    In the attribute mapping list, click **Add new mapping** at the bottom.

    Configure the mapping:

    - **Mapping type**: Select **Direct**.
    - **Source attribute**: Select the Entra ID attribute that contains the value you want to sync (for example, `employeeId` or a custom extension attribute like `extension_<appId>_<attributeName>`).
    - **Target attribute**: Select or type the matching SCIM attribute name as configured in Scalekit (for example, `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber`).

    Click **Ok**, then save the provisioning configuration.
**Note:** Custom extension attributes in Entra ID follow the naming pattern `extension_<appId>_<attributeName>`, where `<appId>` is the Application (client) ID from your Entra app registration. You can find the Application (client) ID in the Entra ID portal under **App registrations > Your app > Application (client) ID**.

    Entra-synced on-prem Active Directory extension attributes appear in this same format (for example, `extension_<appId>_employeeNumber`).

    Entra ID takes up to 40 minutes for attribute changes to propagate to the application during a sync cycle. To test immediately, use **Provision on demand**.

5. ## Test user and group provisioning

   In the Hero SaaS Application, go to "Provision on demand". Input a user name from your user list and click "Provision".

   ![Provisioning a user/group on demand.](@/assets/docs/guides/scim-integrations/entra-id-scim/020.png)

   Once provisioned, the user should appear in the admin portal, showing how many users have access to the Hero SaaS app.

   ![Group (Admins) provisioned in the admin portal.](@/assets/docs/guides/scim-integrations/entra-id-scim/013.png)
**Note:** Provisioning or deprovisioning users can be done from "Manage > User and groups > Add user/group". [Entra ID takes up to 40 minutes](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups#getting-started:~:text=Once%20connected%2C%20Microsoft%20Entra%20ID%20runs%20a%20synchronization%20process.%20The%20process%20runs%20every%2040%20minutes.%20The%20process%20queries%20the%20application%27s%20SCIM%20endpoint%20for%20assigned%20users%20and%20groups%2C%20and%20creates%20or%20modifies%20them%20according%20to%20the%20assignment%20details.) for the changes to propagate to the application.