User Provisioning with Entra-ID

Creating a SCIM Provisioning application in Microsoft Entra-ID is a straightforward process that significantly enhances the management of user identities in cloud-based applications. In this article, we'll guide you through the steps to set up a SCIM Provisioning application for Spreadly.


Step 1: Create an Enterprise Application


Create an Entra-ID Enterprise Application for Spreadly

First, navigate to the Applications section in Entra-ID, and select Enterprise applications. Here, click on + New application and then choose + Create your own application. Name your application "Spreadly" and select the "Non-gallery" option. This step initiates the process of integrating your custom application with Microsoft's identity management solution.

Step 2: Obtain SCIM Secret Token from Spreadly


Obtain SCIM Secret Token from Spreadly

Open the "Team > Members" section in Spreadly to find your SCIM Secret Token. This token is essential for secure communication between Spreadly and Microsoft Entra-ID. Copy it, as you'll need it in the next steps.

Step 3: Set Up Provisioning


Set Up Provisioning in Entra-ID

Now, open the newly created enterprise application in Entra-ID and go to Provisioning > Manage: Provisioning. Set the Provision Mode to "Automatic". Input the Tenant URL as https://spreadly.app/api/v1/scim and enter the Secret Token you previously copied from Spreadly. To ensure the setup is correct, click on "Test connection", then save your settings.

Step 4: Edit Mappings


Set up SCIM mapping attributes in Entra-ID

In this step, you'll configure how attributes of Users and Groups in Microsoft Entra-ID correspond to those in Spreadly.

User Mappings



The attributes objectId and userPrincipalName must be set up with the correct matching precedence.

| Azure Active Directory Attribute | customappsso Attribute | Matching precedence |
| --- | --- | --- |
| objectId | externalId | 1 |
| userPrincipalName | userName | 2 |
| givenName | name.givenName | |
| surname | name.familyName | |
| telephoneNumber | phoneNumbers[type eq "work"].value | |
| mobile | phoneNumbers[type eq "mobile"].value | |
| jobTitle | title | |
| department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | |
| employeeOrgData.division | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division | |
| companyName | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization | |
| streetAddress | addresses[type eq "work"][streetAddress] | |
| city | addresses[type eq "work"][city] | |
| postalCode | addresses[type eq "work"][postalCode] | |
| state | addresses[type eq "work"][region] | |
| country | addresses[type eq "work"][country] | |

See https://help.spreadly.app/en/article/user-provisioning-with-scim-20-10h4w3d/#2-user-attributes for the full list of supported SCIM attributes for users.


Group Mappings



| Azure Active Directory Attribute | customappsso Attribute | Matching precedence |
| --- | --- | --- |
| objectId | externalId | 1 |
| displayName | displayName | |

See https://help.spreadly.app/en/article/user-provisioning-with-scim-20-10h4w3d/#2-group-attributes for the full list of supported SCIM attributes for groups.

Step 5: Test the Mapping


Test Mapping by provisioning a single user on demand

To verify that your mappings are correct, use the "Provision on demand" feature. Select a user or group to test the mapping. This step is crucial to ensure that the data flows correctly between Microsoft Entra-ID and Spreadly.
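The check below is an added example, not code from Spreadly or Microsoft: it resolves the customappsso target paths from the user mapping table in Step 4 against a SCIM user resource and reports which ones are empty, listing the two matching attributes (externalId, userName) separately from the rest. It assumes the enterprise extension is nested under its URN key as in RFC 7643 and reads the table's bracketed suffix such as [city] as a sub-attribute of the work address. The names USER_TARGETS, resolve, check_user and SAMPLE are hypothetical, and the sample user is constructed.

```python
import re

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Target paths from the user mapping table; value is the matching precedence.
USER_TARGETS = {"externalId": 1, "userName": 2}
for path in ("name.givenName", "name.familyName", "title",
             'phoneNumbers[type eq "work"].value',
             'phoneNumbers[type eq "mobile"].value',
             ENTERPRISE + ":department", ENTERPRISE + ":division",
             ENTERPRISE + ":organization"):
    USER_TARGETS[path] = None
for sub in ("streetAddress", "city", "postalCode", "region", "country"):
    USER_TARGETS[f'addresses[type eq "work"][{sub}]'] = None
FILTERED = re.compile(r'(\w+)\[type eq "(\w+)"\](?:\.(\w+)|\[(\w+)\])')

def resolve(resource, path):
    """Return the value a target path selects in a SCIM resource, or None."""
    # Assumption: extension attributes live in an object keyed by the URN.
    if path.startswith(ENTERPRISE + ":"):
        return resource.get(ENTERPRISE, {}).get(path[len(ENTERPRISE) + 1:])
    m = FILTERED.fullmatch(path)
    if m:
        attr, kind, dotted, bracketed = m.groups()
        for item in resource.get(attr, []):
            if item.get("type") == kind:
                return item.get(dotted or bracketed)
        return None
    node = resource
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def check_user(resource):
    """Split unresolved targets into (matching attributes, other attributes)."""
    missing_match, missing_other = [], []
    for path, precedence in USER_TARGETS.items():
        if resolve(resource, path) in (None, ""):
            (missing_match if precedence else missing_other).append(path)
    return missing_match, missing_other

# Constructed sample payload, not captured from Entra-ID or Spreadly.
SAMPLE = {
    "externalId": "00000000-0000-0000-0000-000000000001",
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "phoneNumbers": [{"type": "work", "value": "+1 555 0100"}],
    ENTERPRISE: {"department": "Sales"},
}
```

An empty first list means both matching attributes are populated; entries in the second list point at source fields that are blank for that user or mappings that were not saved.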

Step 6: Select Users/Groups for Provisioning


Next, manage who will be provisioned by visiting "Manage: Users and groups" in your enterprise application. Here, select the users and groups you expect to be provisioned. This step determines which identities from Microsoft Entra-ID will be managed in Spreadly.

Step 7: Configure Single Sign-On (optional)


Configure Single Sign-On

As an optional last step, set up the Single Sign-On (SSO) feature for a seamless user experience. Under "Manage: Single sign-on", copy the Sign on URL from Spreadly's "Team > Settings". Additionally, upload the Spreadly application logo (download here). For a cleaner user interface, make the default Spreadly App (Application ID: f6f257df-7ac4-4e92-886c-4768649ca097) invisible to users.

Updated on: 17/09/2024