User Provisioning - SCIM x Entra ID

Modified on Wed, 11 Jun at 10:35 AM

❓ What is SCIM & Why Use It?

  • SCIM (System for Cross-domain Identity Management) is an open standard REST API (SCIM 2.0: RFC 7642 use cases, RFC 7643 core schema, RFC 7644 protocol) designed to automate provisioning and de‑provisioning of users and groups between identity domains (e.g., HCM → Entra ID → apps).
  • It simplifies identity lifecycle management by standardizing endpoints (/Users, /Groups) and payload schemas, reducing the need for custom connectors.

⚙️ Core Components in the Microsoft Architecture

  1. Human Capital Management (HCM) or other sources
    • Source of truth for user and group data.
  2. Microsoft Entra provisioning service
    • Cloud service responsible for sending SCIM requests to target endpoints.
  3. SCIM 2.0 endpoint (your app or service)
    • Exposes /Users and /Groups endpoints with JSON/REST adhering to SCIM schema.
    • Must support create/update/delete operations, metadata, paging, filtering.
  4. Microsoft Entra Connect Cloud Sync agent (hybrid AD scenarios only)
    • On-premises agent, installed on a domain-joined server, that listens for provisioning requests.
    • Queries Active Directory, applies attribute filters/scopes, and returns the results to Entra in SCIM form.
  5. Service Bus (in hybrid scenarios)
    • Message broker between provisioning service and Cloud Sync agent.

⏩ High-Level Synchronization Flow

  1. Source actions
    • User or group created/updated/deleted in HCM or on-prem AD.
  2. Provisioning trigger
    • Entra provisioning service detects changes and enqueues SCIM requests.
  3. Agent handling (hybrid)
    • Cloud Sync agent picks up queue, filters results, constructs SCIM payloads, and sends them to Entra ID.
  4. SCIM operations
    • Calls such as POST/PUT/PATCH/DELETE are made to SCIM endpoint with proper schema.
  5. Result ingestion
    • The target (the app's SCIM endpoint, or the directory in the Cloud Sync case) applies the change to its user store, and Entra records the outcome of every request in the Provisioning Logs.

✅ Step-by-Step Integration Guide

1. Design Schema Mapping

  • Identify the user and group attributes the app needs (e.g. name, email, jobTitle, department, manager).
  • Map these to the SCIM core User schema (userName, name, emails, active) and, where needed, the enterprise extension (employeeNumber, department, manager). id and meta are assigned by the endpoint, not mapped from the source.
  • Choose the matching attribute (usually userName mapped to userPrincipalName) that Entra uses to find an existing user before it creates one.

2. Understand Entra’s SCIM Implementation

  • Familiarize yourself with the behavior the Entra provisioning service expects from the endpoint: supported endpoints, filter syntax, paging, the active=false PATCH used for disabling, and error formats.

3. Build or Deploy SCIM Endpoint

  • You can implement using any technology stack—common samples exist in .NET Core.
  • Ensure compliance with SCIM 2.0: support for JSON, standard HTTP verbs, query parameters, filtering, metadata fields.

4. Connect Endpoint with Entra Provisioning Service

  • In the Azure portal (or the Microsoft Entra admin center) → Entra ID → Enterprise applications → select your SCIM‑compatible app.
  • Under the Provisioning tab:
    • Set Provisioning Mode → Automatic
    • Supply the Tenant URL (your SCIM endpoint, HTTPS only) and the Secret Token, then use Test Connection.
    • Map attributes and enable the target object actions (create, update, delete).
    • Assign the users and groups that are in scope and set Provisioning Status → On.

5. Configure On-Premises Hybrid Sync (if applicable)

  • Install the Cloud Sync agent on a domain-joined server in the on-prem AD forest.
  • Configure scoping filters for which OUs, users and groups are synchronized.
  • The agent listens for provisioning requests via Service Bus, retrieves AD data, and forwards it in SCIM form.

6. Test & Validate

  • Use test users/groups to ensure provisioning, updates, disabling (active=false) and de‑provisioning work as expected. Provision on demand in the Provisioning blade pushes a single user and shows each request and response.
  • Monitor logs:
    • Cloud Sync: agent logs
    • App-side SCIM endpoint: debug or HTTP logs
    • Azure portal: Provisioning Logs blade

✨ Tips & Best Practices

  • Paging & Filtering: Support startIndex, count and filter in queries; at minimum the filter form Entra uses, userName eq "value".
  • Attribute Patterns: Include the enterprise extension schema attributes the app needs.
  • Token Security: Expose the endpoint over HTTPS only, reject requests whose bearer token is missing or wrong with 401, compare the token in constant time, keep it confidential and rotate it regularly (update the Secret Token in the Provisioning blade when you do).
  • Scopes: Configure based on group membership or role to limit sync scope.
  • Error Handling: Return SCIM-compliant error bodies (status, scimType, detail); the detail text shows up in the Entra Provisioning Logs and aids troubleshooting.
  • Logging: Make logs traceable to SCIM request IDs for debugging.
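Steps 1, 3 and 6 of the guide above and the paging, token and error-handling tips all describe what the endpoint has to do. The following is an added example, not code from the original article or from Microsoft: a minimal in-memory SCIM 2.0 /Users handler in Python, exercised with the request sequence the Entra provisioning service sends for one user (lookup by userName, create, disable with active=false, delete). The secret token, the sample user alice@example.com and the in-memory store are assumptions for illustration; a real deployment puts this behind HTTPS and a web framework and adds /Groups.

```python
# Minimal SCIM 2.0 /Users handler driven the way the Entra provisioning service
# drives it. Added example, not the article's or Microsoft's code; runs offline.
import hmac
import re
import uuid
from datetime import datetime, timezone

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
# Hypothetical secret token: the value pasted into the Entra Provisioning blade;
# rotating it means issuing a new value here and updating that blade.
SECRET_TOKEN = "example-rotate-me"
USERS: dict[str, dict] = {}  # id -> SCIM User resource (in-memory store)

def _error(status, detail, scim_type=None):
    """RFC 7644 error body; detail and scimType surface in the Entra provisioning logs."""
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    return status, ({**body, "scimType": scim_type} if scim_type else body)

def _list(query):
    """GET /Users honouring the filter, startIndex and count parameters Entra sends."""
    resources = list(USERS.values())
    if "filter" in query:  # Entra filters on its matching attribute: userName eq "..."
        m = re.fullmatch(r'userName\s+eq\s+"([^"]*)"', query["filter"], re.I)
        if not m:
            return _error(400, "Only 'userName eq' is supported", "invalidFilter")
        wanted = m.group(1).lower()  # userName is caseExact=false in RFC 7643
        resources = [u for u in resources if u["userName"].lower() == wanted]
    start = max(int(query.get("startIndex", 1)), 1)  # startIndex is 1-based
    page = resources[start - 1:start - 1 + int(query.get("count", 100))]
    return 200, {"schemas": [SCIM_LIST], "totalResults": len(resources),
                 "startIndex": start, "itemsPerPage": len(page), "Resources": page}

def _create(body):
    """POST /Users: assigns the immutable id, enforces userName uniqueness, stores attributes as posted."""
    if not body or not body.get("userName"):
        return _error(400, "userName is required", "invalidValue")
    if any(u["userName"].lower() == body["userName"].lower() for u in USERS.values()):
        return _error(409, "userName already exists", "uniqueness")
    uid, now = str(uuid.uuid4()), datetime.now(timezone.utc).isoformat()
    user = {**body, "schemas": body.get("schemas") or [SCIM_USER], "id": uid,
            "active": bool(body.get("active", True)),
            "meta": {"resourceType": "User", "created": now, "lastModified": now,
                     "location": f"/Users/{uid}"}}
    USERS[uid] = user
    return 201, user

def _patch(uid, body):
    """PATCH /Users/{id}: Entra disables unassigned users with active=false, not DELETE."""
    if not body or SCIM_PATCH not in body.get("schemas", []):
        return _error(400, "Body must be a PatchOp", "invalidSyntax")
    user = USERS[uid]
    for op in body.get("Operations", []):
        kind, path = op.get("op", "").lower(), op.get("path")
        if kind not in ("add", "replace") or not path or path == "id":
            return _error(400, "Unsupported op or path", "invalidSyntax")  # remove/filter paths not handled
        parent, _, leaf = path.rpartition(".")  # 'attr' or 'attr.subAttr' paths
        (user.setdefault(parent, {}) if parent else user)[leaf] = op.get("value")
    user["meta"]["lastModified"] = datetime.now(timezone.utc).isoformat()
    return 200, user

def handle(method, path, headers, query=None, body=None):
    """Dispatch one SCIM request; returns (HTTP status, JSON-serialisable body)."""
    token = headers.get("Authorization", "")  # constant-time compare of the bearer secret
    if not (token.startswith("Bearer ") and hmac.compare_digest(token[7:], SECRET_TOKEN)):
        return _error(401, "Invalid or missing bearer token")
    m = re.fullmatch(r"/Users(?:/([^/]+))?", path)
    uid = m.group(1) if m else None
    if m and uid is None and method in ("GET", "POST"):  # the collection
        return _list(query or {}) if method == "GET" else _create(body)
    if not m or uid not in USERS:
        return _error(404, "Resource not found")
    if method == "PATCH":
        return _patch(uid, body)
    if method == "DELETE":
        return 204, USERS.pop(uid) and None  # 204 No Content
    return (200, USERS[uid]) if method == "GET" else _error(405, "Method not allowed")

def entra_lifecycle():
    """Replay the request sequence Entra issues for one user; returns the HTTP statuses."""
    USERS.clear()
    auth = {"Authorization": "Bearer " + SECRET_TOKEN}
    new_user = {"schemas": [SCIM_USER, SCIM_ENT], "externalId": "hcm-0001",  # constructed sample
                "userName": "alice@example.com", "active": True,
                SCIM_ENT: {"employeeNumber": "0001", "department": "Security"}}
    disable = {"schemas": [SCIM_PATCH],
               "Operations": [{"op": "Replace", "path": "active", "value": False}]}
    statuses = [handle("GET", "/Users", {"Authorization": "Bearer wrong"})[0]]  # 401
    # Entra looks the user up by the matching attribute first, then creates it
    statuses.append(handle("GET", "/Users", auth, {"filter": 'userName eq "Alice@example.com"'})[0])
    status, created = handle("POST", "/Users", auth, body=new_user)  # 201; a replay must give 409
    statuses += [status, handle("POST", "/Users", auth, body=new_user)[0]]
    uid = created["id"]  # unassignment only disables (PATCH); DELETE is separate and irreversible
    statuses += [handle("PATCH", f"/Users/{uid}", auth, body=disable)[0],
                 handle("DELETE", f"/Users/{uid}", auth)[0],
                 handle("GET", f"/Users/{uid}", auth)[0]]
    return statuses  # [401, 200, 201, 409, 200, 204, 404]
```

entra_lifecycle() returns [401, 200, 201, 409, 200, 204, 404]: the wrong token is rejected before any lookup, the initial filtered GET returns an empty ListResponse, the create succeeds once and conflicts on replay, and the disable arrives as a PATCH rather than a DELETE. The handler deliberately covers only what Entra needs by default (userName eq filtering, add/replace PATCH operations on simple and dotted paths); the SCIM_ERROR body with scimType is what makes failures readable in the Provisioning Logs.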

♻️ Hybrid Setup Recap

  • The Cloud Sync agent bridges on-prem AD with Entra provisioning via Service Bus:
    1. Provisioning service → SCIM request → Service Bus
    2. Agent receives request, queries AD, filters objects, and sends SCIM response
    3. Provisioning service applies changes to target endpoint

❤️ Benefits of SCIM with Entra ID

  • Standardized: Eliminates proprietary connectors.
  • Automated provisioning: Onboarding/offboarding driven by business events (hire, move, leave) instead of tickets.
  • Scalable: Supports large organizations with flexible filters and agent models.

⭐ Summary Table

Phase                       | What to Do
----------------------------|------------------------------------------------------
Schema design               | Map core and enterprise SCIM attributes
SCIM endpoint development   | Implement a compliant REST/JSON interface
Entra provisioning config   | Connect via the portal; set token, mappings and actions
On-prem AD sync (optional)  | Configure the agent and scoping filters
Testing & monitoring        | Validate flows; check logs and sync outcomes
