SCIM Provisioning with Microsoft Entra ID (Azure)
This guide describes how to configure SCIM provisioning between Microsoft Entra ID (formerly Azure AD) and Descope, enabling Azure to automatically create, update, and deactivate users, and to manage groups, in your Descope tenant.
Prerequisites
Before starting:
- SSO must already be configured and working for the Descope tenant.
- A tenant must exist in Descope with an associated Access Key that has the Tenant Admin role.
- The Azure Enterprise Application must have assigned users and/or groups.
- SCIM provisioning within Azure runs on defined cycles and is not instantaneous. Refer to Microsoft's documentation for expected propagation times.
Note: If you are using SCIM, disable JIT (Just-In-Time) provisioning under Tenant Settings to prevent conflicts between SCIM-managed attributes and SSO-driven user creation.
Step 1: Enable SCIM Provisioning in Azure
- In the Azure portal, go to your Enterprise Application connected to Descope.
- Navigate to Provisioning in the left sidebar.
- Click Get Started to begin SCIM setup.
Step 2: Configure the SCIM Endpoint and Authentication
- Set the Provisioning Mode to Automatic.
- Fill in the following values:
Field | Value |
---|---|
Tenant URL | https://api.descope.com/scim/v2 |
Secret Token | ProjectID:AccessKey (must be scoped to the tenant with the Tenant Admin role) |
The Tenant URL can be found in the SCIM Provisioning section under your tenant's SSO configuration in the Descope Console.
- Click Test Connection to verify.
- Click Save.
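A preflight check for the Step 2 values, added here as an example and not taken from the Descope or Microsoft documentation: it validates the ProjectID:AccessKey shape and builds a lookup for a user that cannot exist, with the Secret Token sent as a bearer token, which is how Entra ID presents it. The function names and the tokens used to exercise it are hypothetical.

```python
import urllib.error
import urllib.parse
import urllib.request
import uuid

TENANT_URL = "https://api.descope.com/scim/v2"  # Tenant URL from the Step 2 table


def check_secret_token(token):
    """Return a list of problems with a ProjectID:AccessKey secret token."""
    problems = []
    if any(c.isspace() for c in token):
        problems.append("token contains whitespace (copy/paste artifact)")
    project_id, sep, access_key = token.partition(":")
    if not sep:
        problems.append("missing ':' between ProjectID and AccessKey")
    elif not project_id or not access_key:
        problems.append("ProjectID or AccessKey part is empty")
    return problems


def redact(token):
    """Log-safe form of the token: ProjectID visible, AccessKey masked."""
    return token.partition(":")[0] + ":****"


def build_probe(tenant_url, token):
    """Build a GET for a user that cannot exist; only authentication is tested."""
    if urllib.parse.urlsplit(tenant_url).scheme != "https":
        raise ValueError("Tenant URL must be https: the token is a bearer credential")
    problems = check_secret_token(token)
    if problems:
        raise ValueError("; ".join(problems))  # message never includes the token
    query = urllib.parse.urlencode({"filter": f'userName eq "{uuid.uuid4()}"'})
    return urllib.request.Request(
        f"{tenant_url.rstrip('/')}/Users?{query}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/scim+json"},
    )


def run_probe(request, timeout=10):
    """Send the probe; return the HTTP status (200 expected if accepted, 401/403 if not)."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```

Call run_probe(build_probe(TENANT_URL, token)) with the real token read from a secret store or environment variable rather than typed on the command line. Log redact(token), never the token itself.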
Step 3: Configure Attribute Mappings
Once saved, navigate to the Mappings section.
User Mappings
Azure should map standard user fields such as givenName, surname, email, and userPrincipalName to the SCIM schema.
Group Mappings
Azure can also manage SCIM group creation, updates, and deletions. Groups pushed from Azure will appear in Descope and can be mapped to roles.
Step 4: Start or Test Provisioning
You can test provisioning by:
- Selecting Provision on Demand for individual users.
- Starting full provisioning from the main Provisioning panel.
Once provisioning is active, users and groups in Azure will be reflected in Descope. Changes will take effect upon the next login for each user.