# Microsoft Entra ID SCIM provisioning

Ultimo currently supports SCIM 2.0 for integrating Ultimo with an identity provider (IdP) such as Microsoft Entra ID or Okta.

## Creating new enterprise application

This step is already described in <https://developer.ultimo.net/azure-documentation/azure-authentication#creating-new-enterprise-application>. If you have already registered an enterprise application for SSO, you can reuse it.

## Setup provisioning

Under the *Enterprise Application* created in the step above, click *Provisioning*:

<figure><img src="/files/OSmf3IHmlaaBhaF7dmLY" alt=""><figcaption></figcaption></figure>

On the *Provisioning* page click *Get started*.

Under *Provisioning Mode*, select *Automatic*.

<figure><img src="/files/ghTuD53XmMQ62EU2kHCF" alt=""><figcaption></figcaption></figure>

Under *Admin Credentials*, select *Bearer Authentication* and enter the *Tenant Url* and *Secret token*.

Tenant Url: \<customurl>.ultimo.net/scim

Secret token: taken from the *Ultimo Configuration Tool*

<figure><img src="/files/3yI0cXKxWMYcaRXTG8zB" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/jI2s8fKU3IozuihoESoe" alt=""><figcaption></figcaption></figure>

Under *Mappings*, click on *Provision Azure Active Directory Groups.* This opens the *Attribute Mapping* dialog for groups.

Disable *Provision Azure AD* for groups: group provisioning is not supported by Ultimo.

<figure><img src="/files/aHefmvK6GIgB7s15TO6d" alt=""><figcaption></figcaption></figure>

Under *Mappings*, click on *Provision Azure Active Directory Users.* This opens the *Attribute Mapping* dialog for users.

Enable *Provision Azure AD* for users.

Under *Target Object Actions*, check *Create*, *Update* and *Delete*.

<figure><img src="/files/JRZCs63g9rh38A6MvxKM" alt=""><figcaption></figcaption></figure>

In *Attribute Mappings*, map the *customappsso Attributes* to the *Microsoft Entra ID Attributes* as follows (see the *Attribute mappings* section below for details on the attributes supported by Ultimo SCIM provisioning):

<figure><img src="/files/Eas8XoPIPF4sA8gpreky" alt=""><figcaption></figcaption></figure>

This is an important step, so review the mapping carefully. Compare it against a user in Microsoft Entra ID to see which attributes are in use and how they are linked to Ultimo; otherwise SCIM might not work as intended.

Click *Save.*

Optional: under *Settings* > *Scope*, select *Sync only assigned users and groups*. This setting is advised. The alternative, *Sync all users and groups*, might lead to the creation of many accounts.

Optional: go to *Source Object Scope* (default: all records) and add a filter to limit the dataset, so that only objects meeting the criteria are synchronized.

Set the *Provisioning Status* to *On*.

<figure><img src="/files/yWoOQ7tm0c7raHXE1MO9" alt=""><figcaption></figcaption></figure>

Click *Save*.

On the *Overview* page, make sure provisioning is started.

<figure><img src="/files/LBHXUURv3Z6QfESqdOPB" alt=""><figcaption></figcaption></figure>

Under the *Users and groups* menu option, specific users or groups can be assigned; this matters when the scope is set to *Sync only assigned users and groups*.

Microsoft Entra ID runs a SCIM synchronization every 40 minutes, so changes in Microsoft Entra ID are not reflected immediately in Ultimo.

## Attribute mappings

Under *Mappings* you can edit the user attributes that are supported by the target application. For now, Ultimo supports provisioning of user accounts; for it to function as expected, the following attributes should be configured:

* **username**: populated with the userPrincipalName value of the Microsoft Entra ID user. In Ultimo this value is used as the user's identifier. (*This value should be consistent and unique over time, because it is not updated after insertion. Keep this in mind when reusing accounts.*)
* **active**: a boolean value indicating the user's administrative status. To set it, the recommended expression is `Switch([IsSoftDeleted], , "False", "True", "True", "False")`. In Ultimo the user is activated (when the value is true) or deactivated (when the value is false).
* **displayName**: the full name of the user being described; map it directly to the displayName of the Microsoft Entra ID user. In Ultimo this value is used as the user's description.
* **title**: the user's title; map it to the jobTitle of the Microsoft Entra ID user. In Ultimo this represents the user's profession.
* **emails\[type eq "work"].value**: email values whose type is work. In Ultimo only the preferred (primary = true) email of type work is stored as the user's email address.
* **name.givenName**: the first name of the user. It is recommended to populate it with the givenName value of the Microsoft Entra ID user.
* **name.familyName**: the family name of the user. It is recommended to populate it with the surname value of the Microsoft Entra ID user.
* **phoneNumbers\[type eq "work"].value**: phone number values whose type is work. If there are multiple values, the one marked preferred (primary = true) is selected; if there is only one value, that one is selected. In Ultimo the user's phone is populated with this value.
* **phoneNumbers\[type eq "mobile"].value**: phone number values whose type is mobile. If there are multiple values, the one marked preferred (primary = true) is selected; if there is only one value, that one is selected. In Ultimo the user's mobile phone is populated with this value.
* **employeeNumber**: a string identifier assigned to the user. In Ultimo this is used to set the employee code.
* **department**: the name of the department. When provided and the value is valid, the user's department is updated in Ultimo.
* **organization**: the office location of the Microsoft Entra ID user. When provided and the value is valid, the user's company is updated in Ultimo.
* The user's **site** can also be updated in Ultimo. There is no default Microsoft Entra ID property mapped for this; choose the Entra ID property that represents the site in Ultimo.
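The selection rules in the list above, as an added example that is not part of Ultimo's documentation or code: a small Python routine that takes a SCIM 2.0 User resource shaped like what the Entra ID provisioning service sends after this mapping (the payload is constructed here, not captured from a tenant) and applies the rules stated above (primary work email, work and mobile phone selection, enterprise-extension attributes). It also reproduces the recommended `Switch` expression for `active`, using the documented semantics of Entra's `Switch(source, default, key1, value1, ...)` function. The Ultimo-side field names in the result (`description`, `profession`, `employee_code`, and so on) are assumptions for illustration, not Ultimo's API.

```python
"""Apply the SCIM attribute rules documented on this page to a SCIM 2.0 User.

Added example; this is not Ultimo or Microsoft code. The payload below is
constructed to resemble what the Entra ID provisioning service sends after the
mapping on this page (RFC 7643 core User plus the enterprise extension). The
Ultimo-side field names in the result ("description", "profession",
"employee_code", ...) are illustrative assumptions, not Ultimo's own API.
"""
from typing import Optional

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def switch_active(is_soft_deleted: Optional[str]) -> str:
    """Reproduce the recommended Entra expression for the active attribute:
    Switch([IsSoftDeleted], , "False", "True", "True", "False").

    Entra's Switch(source, default, key1, value1, key2, value2, ...) returns the
    value whose key equals the source, otherwise the default (empty here), so a
    user that is not soft-deleted becomes active ("True") and vice versa.
    """
    return {"False": "True", "True": "False"}.get(is_soft_deleted, "")


def pick(entries: list, type_: str, require_primary: bool) -> Optional[str]:
    """Choose one entry of a multi-valued attribute (emails, phoneNumbers).

    Only entries whose 'type' matches count. For phone numbers the page says a
    single matching entry is taken as-is and, with several, the one marked
    primary; for emails it says only the primary work address is stored
    (require_primary=True), which is read literally here.
    """
    matching = [e for e in entries if e.get("type") == type_]
    primary = [e for e in matching if e.get("primary") is True]
    if primary:
        return primary[0].get("value")
    if len(matching) == 1 and not require_primary:
        return matching[0].get("value")
    return None


def map_user(scim_user: dict) -> dict:
    """Translate a SCIM User into the Ultimo fields described in the list above.

    Attributes absent from the payload are omitted from the result instead of
    being set to empty: the Remarks note that clearing a value in the IdP is not
    pushed to the service provider, so an absent attribute means 'unchanged'.
    """
    out: dict = {}
    simple = {"userName": "username", "displayName": "description", "title": "profession"}
    for scim_attr, field in simple.items():
        if scim_attr in scim_user:
            out[field] = scim_user[scim_attr]
    if "active" in scim_user:
        out["active"] = bool(scim_user["active"])
    name = scim_user.get("name", {})
    if "givenName" in name:
        out["first_name"] = name["givenName"]
    if "familyName" in name:
        out["family_name"] = name["familyName"]
    email = pick(scim_user.get("emails", []), "work", require_primary=True)
    if email:
        out["email"] = email
    for scim_type, field in (("work", "phone"), ("mobile", "mobile")):
        number = pick(scim_user.get("phoneNumbers", []), scim_type, require_primary=False)
        if number:
            out[field] = number
    ext = scim_user.get(ENTERPRISE, {})
    for scim_attr, field in (("employeeNumber", "employee_code"),
                             ("department", "department"),
                             ("organization", "company")):
        if scim_attr in ext:
            out[field] = ext[scim_attr]
    return out


# Constructed sample payload (not captured from a real tenant).
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "userName": "jane.doe@example.com",
    "active": True,
    "displayName": "Jane Doe",
    "title": "Maintenance Engineer",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [
        {"type": "work", "value": "jane.doe@example.com", "primary": True},
        {"type": "work", "value": "jdoe@example.com"},
        {"type": "home", "value": "jane@example.org"},
    ],
    "phoneNumbers": [
        {"type": "work", "value": "+31 10 000 0001"},
        {"type": "mobile", "value": "+31 6 0000 0001", "primary": True},
        {"type": "mobile", "value": "+31 6 0000 0002"},
    ],
    ENTERPRISE: {"employeeNumber": "E1001", "department": "Facilities",
                 "organization": "Rotterdam"},
}

if __name__ == "__main__":
    for field, value in map_user(SAMPLE_USER).items():
        print(f"{field:14} {value}")
```

Running the script prints the Ultimo-side fields derived from the sample: the second work email and the second mobile number are ignored because a primary entry exists, the single work phone number is taken as-is, and the home email never qualifies. Feeding `map_user` a payload with an attribute missing shows the "unchanged" behaviour from the Remarks: the key is simply absent from the result rather than cleared.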

## Remarks

New users are added to a default group which can be set in the application.

When a source attribute is changed to an empty value in the IdP, the service provider (IFS Ultimo) is not notified, so the previous value remains in Ultimo.

## Additional information

* [How provisioning works in Azure Active Directory](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works)
* [System for Cross-domain Identity Management: Protocol](https://datatracker.ietf.org/doc/html/rfc7644)
* [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643)
