Synchronize users or groups in Microsoft Entra ID by using SCIM

Synchronize users or groups from Microsoft Entra ID (formerly Azure AD) to CloudSSO by using SCIM.

Prerequisites

All Microsoft Entra ID operations in this guide require the Global Administrator role. To create a user and assign the role, see the official Microsoft Entra ID documentation.

Step 1: Create SCIM credentials in the CloudSSO console

  1. Log on to the CloudSSO console.

  2. In the left-side navigation pane, click Settings.

  3. On the User Setting tab, in the SCIM user synchronization settings section, click Create New SCIM key.

  4. In the SCIM Credential Generated dialog box, copy the SCIM key, and then click OK.

Step 2: Enable SCIM synchronization in the CloudSSO console

  1. Log on to the CloudSSO console.

  2. In the left-side navigation pane, click Settings.

  3. On the User Setting tab, in the SCIM User Synchronization Configuration section, turn on the SCIM synchronization switch.

Note

Copy and save the SCIM endpoint for later use.

Step 3: Configure SAML in Microsoft Entra ID

  1. Log on to the Azure portal as the global administrator of Microsoft Entra ID.

  2. In the upper-left corner of the homepage, click the SSO_AAD_icon icon.

  3. In the left-side navigation pane, choose Microsoft Entra ID > Manage > Enterprise applications > All applications.

  4. Click New application.

  5. On the Browse Microsoft Entra App Gallery page, click Create your own application.

  6. In the Create your own application panel, enter a name for your application. In this example, enter CloudSSODemo. Then, select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.

Step 4: Assign users or groups to the application in Microsoft Entra ID

  1. On the CloudSSODemo page, choose Manage > Users and Groups.

  2. On the page that appears, click Add user/group.

  3. Select users or groups.

  4. Click Assign.

Step 5: Configure SCIM synchronization in Microsoft Entra ID

  1. On the CloudSSODemo page, choose Manage > Provisioning.

  2. Click New configuration and configure administrator credentials.

    1. Enter the SCIM endpoint for Tenant URL.

      Copy the SCIM Endpoint value from the CloudSSO console Settings page.

    2. Enter a SCIM credential for Secret token.

      To obtain the credential, perform the operations in Step 1: Create SCIM credentials in the CloudSSO console.

    3. Click Test Connectivity.

    4. If the test is successful, click Create.

  3. On the Provisioning page, choose Manage > Settings.

    1. In the Mappings section, configure attribute mappings.

      • Click Provision Microsoft Entra ID Users to configure attribute mappings for users.

        1. Find externalId in the customappsso Attribute column, click its Azure Active Directory Attribute value, and change Source attribute to objectId.

        2. Keep only the attribute mappings shown below and delete the rest.

           [Figure: User attribute mappings]

      • Click Provision Microsoft Entra ID Groups to configure attribute mappings for groups. Keep only the attribute mappings shown below and delete the rest.

        [Figure: Group attribute mappings]

      Note

      CloudSSO user and group names have character restrictions. If a Microsoft Entra ID user or group name contains unsupported characters, the mapping fails. To fix this, click displayName in the Azure Active Directory Attribute column, set Mapping type to Expression, and enter an expression to remove or replace unsupported characters. Expression syntax is described in the Microsoft Entra ID documentation.

    2. In the Settings section, select Sync only assigned users and groups for Scope.

    3. In the Provisioning Status section, turn on the switch.

    4. Click Save.

  4. Go to the Overview page and refresh to view the synchronization results.
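The note in Step 5 about unsupported characters in displayName can be checked before provisioning is turned on. The following is an added example, not part of the original guide or of any CloudSSO or Microsoft tooling: it emulates a regex replace on displayName, lists the names that would be rewritten, and flags distinct objects whose names become identical after replacement. The allow-list, function names, and sample data are assumptions made for illustration.

```python
import re
from collections import defaultdict

# ASSUMPTION: placeholder allow-list. Replace it with the character rules
# documented for CloudSSO user and group names; this guide does not list them.
ALLOWED = r"A-Za-z0-9._@-"
UNSUPPORTED = re.compile(f"[^{ALLOWED}]")
# Equivalent Entra expression form (check against the Microsoft documentation):
#   Replace([displayName], , "[^A-Za-z0-9._@-]", , "_", , )


def sanitize(display_name, replacement="_"):
    """Emulate a regex Replace expression mapping on displayName."""
    return UNSUPPORTED.sub(replacement, display_name)


def preflight(directory):
    """directory: iterable of (objectId, displayName) pairs.

    Returns (rewrites, collisions):
      rewrites   - {objectId: (original, sanitized)} for names that contain
                   characters outside the allow-list
      collisions - {sanitized: [objectId, ...]} where distinct objects end
                   up with the same name after sanitizing
    """
    rewrites, by_name = {}, defaultdict(list)
    for object_id, name in directory:
        clean = sanitize(name)
        if clean != name:
            rewrites[object_id] = (name, clean)
        by_name[clean].append(object_id)
    collisions = {n: ids for n, ids in by_name.items() if len(ids) > 1}
    return rewrites, collisions


# Constructed sample data (not real directory objects).
SAMPLE = [
    ("00000000-0000-0000-0000-000000000001", "dev ops"),
    ("00000000-0000-0000-0000-000000000002", "dev_ops"),
    ("00000000-0000-0000-0000-000000000003", "finance&audit"),
    ("00000000-0000-0000-0000-000000000004", "alice@example.com"),
]

if __name__ == "__main__":
    rewrites, collisions = preflight(SAMPLE)
    for oid, (old, new) in rewrites.items():
        print(f"rewrite   {oid}: {old!r} -> {new!r}")
    for name, ids in collisions.items():
        print(f"COLLISION {name!r}: {ids}")
```

Resolve any reported collision in Microsoft Entra ID or with a more specific expression before turning on the Provisioning Status switch, so that two different users or groups are not provisioned under one name.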

Verify the synchronization results

  1. Log on to the CloudSSO console.

  2. Go to the User or Group page to view the synchronized users or groups.

    The Source of synchronized users or groups displays as SCIM Synchronization. For more information, see View user information and View the information about a group.

References

Configure SSO from Microsoft Entra ID to CloudSSO