SCIM Provisioning with Microsoft Entra ID (Azure)
This guide describes how to configure SCIM provisioning between Microsoft Entra ID (formerly Azure AD) and Descope, enabling Azure to automatically create, update, and deactivate users and to manage groups in your Descope tenant.
Prerequisites
Before starting:
- SSO must already be configured and working for the Descope tenant.
- A tenant must exist in Descope with an associated Access Key that has the Tenant Admin role.
- The Azure Enterprise Application must have assigned users and/or groups.
- SCIM provisioning within Azure runs on defined cycles and is not instantaneous. Refer to Microsoft's documentation for expected propagation times.
Note: If you are using SCIM, disable JIT (Just-In-Time) provisioning under Tenant Settings to prevent conflicts between SCIM-managed attributes and SSO-driven user creation.
Who gets provisioned is controlled in Azure
Azure only pushes users to Descope if they are assigned to the Enterprise Application — either directly or as a member of a group that is assigned to the app. With JIT disabled, a user who is not assigned in Azure cannot log in to your application — Azure rejects authentication for unassigned users. (In multi-app setups where SSO and SCIM use different Azure applications, authentication can succeed via the SSO app but Descope reports the user as unknown because no SCIM record exists.)
For ongoing onboarding, the recommended pattern is to assign a group (for example, an "All Employees" group or a department group) to the Enterprise Application rather than assigning users one by one. New employees added to the group are then provisioned automatically by Azure's next provisioning cycle. See SCIM Best Practices for the full pattern.
Step 1: Enable SCIM Provisioning in Azure
- In the Azure portal, go to your Enterprise Application connected to Descope.
- Navigate to Provisioning in the left sidebar.
- Click Get Started to begin SCIM setup.

Step 2: Configure the SCIM Endpoint and Authentication
- Set the Provisioning Mode to Automatic.
- Fill in the following values:
| Field | Value |
|---|---|
| Tenant URL | https://api.descope.com/scim/v2 |
| Secret Token | ProjectID:AccessKey (must be scoped to the tenant with the Tenant Admin role) |
The Tenant URL can be found in the SCIM Provisioning section under your tenant's SSO configuration in the Descope Console.

- Click Test Connection to verify.
- Click Save.

Step 3: Configure Attribute Mappings
Once saved, navigate to the Mappings section.
User Mappings
Azure should map standard user fields such as givenName, surname, email, and userPrincipalName to the SCIM schema.

Group Mappings
Azure can also manage SCIM group creation, updates, and deletions. Groups pushed from Azure will appear in Descope and can be mapped to roles.

Step 4: Start or Test Provisioning
You can test provisioning by:
- Selecting Provision on Demand for individual users.
- Starting full provisioning from the main Provisioning panel.

Once provisioning is active, users and groups in Azure will be reflected in Descope. Changes will take effect upon the next login for each user.
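To check for the multi-app case described earlier (users who can authenticate through the SSO app but have no SCIM record), the following is an added example, not code from Descope or Microsoft. It assumes the endpoint returns a standard RFC 7644 ListResponse for `/Users` and that `userName` carries the userPrincipalName; the environment variable names and sample users are constructed.

```python
import json
import os
import urllib.request

SCIM_BASE = "https://api.descope.com/scim/v2"  # Tenant URL from Step 2

def scim_request(project_id, access_key, path="/Users"):
    """Build a SCIM GET carrying the Secret Token (ProjectID:AccessKey) as a Bearer token."""
    return urllib.request.Request(
        SCIM_BASE + path,
        headers={"Authorization": f"Bearer {project_id}:{access_key}",
                 "Accept": "application/scim+json"},
    )

def reconcile(sso_assigned, list_response):
    """Compare users assigned to the SSO app with the SCIM records Descope holds."""
    # Assumption: userName carries the userPrincipalName, compared case-insensitively.
    records = {r["userName"].lower(): r for r in list_response.get("Resources", [])}
    known = set(records)
    assigned = {u.lower() for u in sso_assigned}
    return {
        # Can authenticate via the SSO app, but Descope has no SCIM record.
        "no_scim_record": sorted(assigned - known),
        # A SCIM record exists but is marked inactive.
        "deactivated": sorted(u for u in assigned & known
                              if not records[u].get("active", True)),
        # Provisioned through SCIM but absent from the SSO assignment list.
        "not_in_sso_app": sorted(known - assigned),
    }

# Constructed sample data: a ListResponse (RFC 7644) and an SSO assignment list.
SAMPLE_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"userName": "alice@example.com", "active": True},
        {"userName": "bob@example.com", "active": False},
        {"userName": "dana@example.com", "active": True},
    ],
}
SAMPLE_SSO_ASSIGNED = ["Alice@example.com", "bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    data = SAMPLE_RESPONSE
    if os.environ.get("DESCOPE_ACCESS_KEY"):  # live check; env var names are hypothetical
        req = scim_request(os.environ["DESCOPE_PROJECT_ID"], os.environ["DESCOPE_ACCESS_KEY"])
        with urllib.request.urlopen(req, timeout=10) as resp:  # first page only
            data = json.load(resp)
    print(json.dumps(reconcile(SAMPLE_SSO_ASSIGNED, data), indent=2))
```

Reading the Access Key from the environment keeps the Tenant Admin credential out of the script and shell history; replace the sample assignment list with an export of the users assigned to your SSO application.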