
Microsoft Entra ID (SCIM) Setup Instructions

Updated 11 days ago

This article helps you connect your intranet with Microsoft Entra ID using SCIM. You can securely provision, sync, and deprovision user data and sync attributes between Entra and Simpplr.

Before you start

  • You must have access to manage integrations in Simpplr to complete these steps.

  • You must have an admin account with your Microsoft Entra

Where to manage SCIM integration in Simpplr

  • To create or manage SCIM integrations, select ‘Application settings’ from the left menu and go to Application -> Integrations -> People data.

  • Under the ‘SCIM sources’ section, create a SCIM connection.

How to set up SCIM integration

If you want to integrate with Microsoft Entra, refer to the following steps.

1. Start with creating the connection in Simpplr

  • You need to have access to manage integrations in Simpplr. The App manager and Application settings manager roles have access to the Manage integrations page.

  • To create or manage SCIM integrations, select Application settings from the left menu and go to Application -> Integrations -> People data.

  • Create the SCIM integration under the ‘SCIM sources’ section.

What this lets you do

Create a Microsoft Entra SCIM connection and generate a secure token and SCIM URL which are needed to connect Microsoft Entra to Simpplr for user provisioning.

Steps

  1. Go to Application settings -> Application -> Integrations -> People data.

  2. Under SCIM sources, click Add Integration.

  3. Choose Microsoft

  4. Enter a name for the integration.

  5. Click Add.

  6. On the SCIM details page, click Generate token.

  7. Copy the token and SCIM URL and store them somewhere you can retrieve them later (the token is visible only once). You will need to paste them into your Entra portal.

What happens next

You will use the token and SCIM URL to configure your identity provider. The connection allows user data to sync between systems.

Note:

If the page is refreshed or exited, this token will not be displayed again. If a new token is required, open the SCIM connection details by clicking the connection name, then click ‘Generate new token’. This creates a new token and invalidates the old ones. In that case, remember to update the token in the existing applications on Entra ID that use it.

How to Configure SCIM in the identity provider

You must have an administrator role in the identity provider application.

What this lets you do

Finish the connection between identity provider and Simpplr.

Steps

  1. Once logged in as the admin, search for Enterprise applications in the search box and click on the result.

  2. This will open the enterprise application dashboard on Azure/Entra ID. Either select an existing application or create a new one. To create a new application, follow these steps:

    • Click on new application in top-left corner. This will open Browse Azure AD Gallery.

    • Click Create your own application.

    • Enter the name and select Integrate any other application you don't find in the gallery (Non-gallery).

    • Click Create.

    • On successful creation, you'll see a success message on the screen.

  3. Go to the Provisioning tab.

  4. Select Get Started, then Automatic from the drop down menu.

  5. This opens the Admin Credentials form. Paste the Entra ID link and token that you got in step 3 above from your Simpplr environment.

  6. Click Test Connection. On successful testing, you'll see a success message on screen.

  7. Click Save.

  8. After clicking Save, the Mappings section appears on screen.

  9. Expand the mapping section and click Provision Microsoft Entra ID Users.

  10. Ensure Enabled is set to Yes and all Target Object Actions are selected (selecting all options is preferred, but you can select only the required events as per your org's requirements).

    • Click Edit for the emails[type eq "work"].value field and change Match objects using this attribute from No to Yes. Set the Matching precedence to 2. Click OK to save.

    • By default Entra ID maps userPrincipalName against the username field. To ensure there are no duplicate profiles when SSO and SCIM both exist, we will have to manually update the mapping to point to mail and change the Matching precedence to No as seen in the screenshot below. Remove the Matching precedence. Click OK to save.

    • Go back to emails[type eq "work"].value, click Edit and change the Matching precedence to 1. The final result should appear like the image below.

    • Similarly, by default Entra ID assigns mailNickName as a mapping field against externalId. We will have to manually update the mapping field to ObjectId against externalId by clicking on the mailNickName field in the below screenshot.

      So the final result should be:

      Default: mailNickName = ExternalId

      Change to: ObjectID = ExternalId

  11. Since there is no standard mapping for Simpplr roles or mobile numbers, we'll need to add them ourselves.

  12. Adding roles:

    1. In the Azure portal, go to Microsoft Entra ID > App registrations in the left sidebar. Select your application.

    2. Click on App Roles in the left sidebar, then Create app role.

    3. Roles for End User and Application manager need to be created one at a time. In the next step, enter application manager as the Display name and application_manager as the Value. Set Allowed member types to Users/Groups and add an appropriate description, such as Simpplr Application manager role. Check the Do you want to enable this app role? checkbox and click Apply.

    4. Repeat the previous step for end users with the following values, then click Apply:

      Display name: End User

      Value: end_user

      Description: Simpplr End user role

    5. To map these roles to your application and SCIM, from the Active Directory home page, go to Enterprise applications in the left sidebar, then select your application.

    6. Select the Provisioning tab, then click Edit provisioning.

    7. Expand the Mappings section and click on Provision Microsoft Entra ID Users. This will open the Attribute Mapping page.

    8. Scroll down to the bottom of the page and click Add New Mapping.

    9. In the mapping type, select Expression.

    10. Use the following values, then click Ok and then Save:
      Expression: SingleAppRoleAssignment([appRoleAssignments]) (recommended)
      Target attribute: roles[primary eq "True"].value

  13. Adding mobile number:

    1. Go to the Attribute Mapping page again (refer to step 12.7 above for the Attribute Mapping page).

    2. Add a mapping with the following values:

      1. Mapping type: Direct

      2. Source attribute: mobile

      3. Target Value: phoneNumbers[type eq "other"].value

    3. Click Ok and then Save.

  14. Go back to your application home page, and in the Provisioning tab, click Start Provisioning. It takes approximately 30 mins to start the SCIM provisioning.

  15. To add the users, simply go to Users and Groups from your Application homepage in the left sidebar.

  16. Click on Add user/group.

  17. Click on the link below Users and groups.

  18. Search for the appropriate group you created in the steps above and click Select.

  19. Click on Select a role and select the appropriate role.

  20. Click Assign.

  21. To provision manually or to retry, click on Provision on demand in the Provisioning page of your application, select the user and click on Provision. Make sure that the user is assigned to the app and has a role, or else the provisioning will be skipped by Entra ID automatically.
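
The attribute mappings configured above determine the shape of the SCIM User resource that reaches Simpplr. The following is an added example, not code from Simpplr or Microsoft: it expands the filtered target paths from the steps into the JSON structure they describe and returns nothing for a user with no app role. The `appRole` key, the function names and the sample user are assumptions made for illustration.

```python
import json
import re

# Mappings configured in the steps above: (Entra source, SCIM target path).
# "appRole" is a hypothetical key for the SingleAppRoleAssignment(...) result.
MAPPINGS = [
    ("mail", "userName"),
    ("mail", 'emails[type eq "work"].value'),
    ("objectId", "externalId"),
    ("appRole", 'roles[primary eq "True"].value'),
    ("mobile", 'phoneNumbers[type eq "other"].value'),
]
# A filtered multi-valued path such as emails[type eq "work"].value
FILTERED = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')


def set_path(resource, path, value):
    """Write value at a simple or filtered SCIM attribute path."""
    m = FILTERED.match(path)
    if not m:
        resource[path] = value
        return
    attr, key, wanted, sub = m.groups()
    items = resource.setdefault(attr, [])
    for item in items:
        if item.get(key) == wanted:  # reuse the element the filter selects
            item[sub] = value
            return
    items.append({key: wanted, sub: value})


def build_scim_user(entra_user):
    """Return the SCIM User for one Entra user, or None if it is skipped."""
    if not entra_user.get("appRole"):
        return None  # no role assigned: the page says Entra skips the user
    resource = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for source, target in MAPPINGS:
        if entra_user.get(source) is not None:
            set_path(resource, target, entra_user[source])
    return resource


# Constructed sample user (not real data).
SAMPLE_USER = {
    "mail": "a.rivera@example.com", "mobile": "+1 555 0100",
    "objectId": "00000000-0000-0000-0000-000000000001", "appRole": "end_user",
}
if __name__ == "__main__":
    print(json.dumps(build_scim_user(SAMPLE_USER), indent=2))
```

Comparing this output with the entry shown in the provisioning logs for a test user is a quick way to confirm that the matching attribute and externalId are the ones you intended.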

2. How to control which fields to provision

You can control which fields sync from Microsoft to Simpplr.

What this lets you do

See and adjust how user attributes from Microsoft Entra ID map to Simpplr fields.

Steps

  1. In Microsoft Entra ID, go to Enterprise Applications and select the app created for Simpplr SCIM.

  2. Click Provisioning > Attribute mapping > Provision Microsoft Entra ID Users.

  3. To add an attribute:

    • Click Show advanced options.

    • Click Edit attribute list for customappsso.

    • Add the attribute you want to map and click Save.

  4. To map an attribute:

    • Click Add New Mapping.

    • Enter the Azure user attribute as the source and the SCIM attribute as the target.

    • Click Ok and then Save.

  5. Review the standard SCIM fields and their mappings to Simpplr fields.

    • For standard SCIM fields, see the SCIM core schema.

    • For Simpplr-specific and custom fields, mappings are shown in the Field Mappings section. To check them, click on the SCIM integration and go to Field mapping.

  6. Configure which attributes to sync by adjusting the mappings as needed.

What happens next

If the user has the mapped attribute in Azure, it will sync to Simpplr.

Label

Label value

Attribute mapping

First name

first_name

name.givenName

Last name

last_name

name.familyName

Email

email

emails[] → primary or arr[0]

Employee number

employee_number

EntrpriseSchema.employeeNumber

Job title

title

title

Department

department

EntrpriseSchema.department

Division

division

EntrpriseSchema.division

Business Unit

business_unit

Company name

company_name

EntrpriseSchema.organization

User type

user_type

Manager

manager_id

manager.value

Hire date

start_date

About

about

Pronouns

pronouns

Name pronunciation

name_pronunciation

Birthday date

birth_date

Language

supported_language_id

preferredLanguage

Locale

supported_locale_id

locale

Time zone

timezone_id

timezone

Pay currency

pay_currency

Username

username

IDP

Photo

Groups

groups

Phone

phone

phoneNumbers.work

Extension

extn

Mobile phone

mobile

phoneNumbers.mobile

Assistant

assistant_id

Zoom

im_zoom

Skype

im_skype

Slack ID

im_slack

Microsoft Teams ID

im_microsoft_team

Address 1

address1

streetAddress

Address 2

address1

formatted

City

city

locality

State/Province

state

region

Zip code

zip_code

postalCode

Country

country_name

country

Roles

roles

roles

Custom Field Label

actual label of custom field

license Type

What happens next

Your selected attributes will sync between your identity provider and Simpplr.

3. Verify the user data in Simpplr

  1. Once mapping is complete, verify the user data in Simpplr

  2. For any discrepancies, check the error log within the identity service provider portal. Refer to the troubleshooting section for the common errors and how to resolve them.

  3. You can check the logs in the Provisioning page of your application. To check the logs, click View Provisioning Logs.

  4. It will open the following page. Check the status to know if the user was provisioned.

  5. Click on any particular entry to see the reason it failed or was skipped.

3. Error handling and resolution

During the SCIM provisioning flow, the following errors can occur:

  • If the manager value set in Azure refers to a manager who is not present in Simpplr, we will receive an error indicating an invalid field with the message "Invalid manager_id".

  • If the timezone entered in Azure is not present in the Simpplr timezone dropdown options, we will receive an error indicating an invalid field with the message "Invalid timezone_id".

  • When a license is exhausted in Simpplr and we attempt to provision a user through SCIM, an email is received stating: "Unable to assign Simpplr license to the user."

4. How to Edit a SCIM Integration

What this lets you do

Update the name or logo of an existing SCIM integration.

Steps

  1. In Simpplr, navigate to the SCIM integration you want to edit.

  2. Update the name as needed.

  3. If using a custom vendor, you can also update the logo.

What happens next

Your changes are saved and reflected in the integration list.

3. How to Disable a SCIM Source

What this lets you do

Temporarily stop user provisioning from a specific SCIM source without deleting it.

Steps

  1. In Simpplr, find the SCIM source you want to disable.

  2. Click the option to Disable the source.

What happens next

Provisioning from this source stops. The authentication token remains valid, but no new users will be provisioned.

4. How to Enable a Disabled SCIM Source

What this lets you do

Resume user provisioning from a previously disabled SCIM source.

Steps

  1. In Simpplr, locate the disabled SCIM source.

  2. Click the option to Enable the source.

What happens next

Provisioning resumes. No changes are needed in your identity provider.

5. How to Generate a New SCIM Token

What this lets you do

Rotate your SCIM token for security. The old token is revoked, and you must update your identity provider with the new token.

Steps

  1. In Simpplr, go to the SCIM integration.

  2. Click the option to Generate New Token.

  3. Copy the new token and update it in your identity provider’s configuration.

What happens next

The old token is revoked. The new token must be used in your identity provider to maintain the connection.

6. How to Delete a SCIM Source

What this lets you do

Remove a SCIM integration and revoke its token, stopping all future provisioning from that source.

Steps

  1. In Simpplr, find the SCIM source you want to delete.

  2. Click the option to Delete the source.

What happens next

The integration and its token are removed. No new users will be provisioned from this source.

Configure app role mapping using expressions

This guide explains how to configure app role assignments and group mappings using an expression. It also covers required roles, group setup, and mapping behavior to ensure correct user access.

Expression used for mapping

Use the following expression to map user roles:

Switch(SingleAppRoleAssignment([appRoleAssignments]), "Corporate", "Frontline User", "Frontline")

What this does

This expression evaluates the user’s assigned app role and maps it to a corresponding value:

  • Users with Corporate role are mapped to Frontline User

  • Users with Frontline role remain mapped to Frontline

  • For admins, we need to create a separate group and assign the application manager role to it

This ensures consistent role handling during provisioning.
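
Microsoft documents the argument order of this function as Switch(source, defaultValue, key1, value1, ...). The following added example (not part of the original article, and not Simpplr's or Microsoft's code) evaluates the expression above in that order, so you can check what each app role produces and which roles fall through to the default before starting provisioning. Exact string comparison and the role names passed in are assumptions.

```python
def switch(source, default, *pairs):
    """Evaluate Switch(source, defaultValue, key1, value1, ...)."""
    if len(pairs) % 2:
        raise ValueError("keys and values must come in pairs")
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if source == key:  # assumption: exact string comparison
            return value
    return default


# Arguments that follow the source in the expression above, in order.
PAGE_ARGS = ("Corporate", "Frontline User", "Frontline")


def audit(role_names, args=PAGE_ARGS):
    """Return {role: (output, matched)}; matched=False means the default was used."""
    default, pairs = args[0], args[1:]
    keys = set(pairs[0::2])
    return {r: (switch(r, default, *pairs), r in keys) for r in role_names}


if __name__ == "__main__":
    # Role names are assumptions about what SingleAppRoleAssignment returns.
    for role, (out, matched) in audit(
        ["Corporate", "Frontline", "Frontline User", "Simpplr App managers"]
    ).items():
        print(f"{role!r} -> {out!r}" + ("" if matched else "  (default)"))
```

Run the audit with the exact strings your app roles return and compare the result against the provisioning logs for a test user in each group.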

How this appears in mapping

In the attribute mapping configuration (for example, in your identity provider):

  • The above expression is added to the relevant field (such as role or group mapping)

  • The evaluated output determines the role assigned in the target system

Ensure the mapping field supports expressions and is correctly linked to app role assignments.

App role configuration

In the app registration, create the following three roles:

  • Corporate

  • Frontline

  • Simpplr App managers

These roles are used as the source values for mapping and access control.

Group setup

Create the following groups:

  • Corporate user

  • Frontline user

  • Simpplr App managers

These groups represent user segments and are used for role-based access.
