Azure SCIM Guide

This article describes how to set up SCIM-based user provisioning through Azure.

Written by Katie Briggs
Updated over a week ago

Disclaimer: This integration with Azure is currently under development and is not available to customers yet. Contact us at to learn more.


  • Push Users - Users in Azure can be assigned to the Fulcrum application in Azure and will automatically be created and added as members to your Fulcrum organization.

  • Deactivate Users - Users in Azure that are unassigned from the Fulcrum application in Azure will be removed as members from your Fulcrum organization.

  • Push Membership Updates - Users in Azure can update their email, given name, and/or family name and have those changes updated in their Fulcrum organization membership.

  • Push Groups - Groups in Azure can be assigned to the Fulcrum application in Azure. The users in those groups will automatically be created and added as members to your Fulcrum organization. The groups themselves will also be created in Fulcrum as Fulcrum groups.


SCIM provisioning is only supported on Fulcrum Enterprise plans with SSO and Developer Pack enabled.

Configuration Steps

In Fulcrum

  1. Sign in as an Owner to the organization you want SCIM provisioning enabled

  2. Create an API token to be used with the SCIM integration

    1. Go to the API page

    2. Click the NEW API TOKEN button

    3. Provide a useful description such as SCIM Azure

    4. Click CREATE TOKEN to create a new API token

    5. Note/copy the token which will be used to configure the Azure Fulcrum application.

Note: The API token is tied to the Fulcrum user who generated it. If that user is removed/deactivated a new one will need to be created and reconfigured in Azure.

In Azure

  1. Configure Provisioning settings

    1. Open your Enterprise Application for Fulcrum

    2. Click on the Provisioning menu item or the Provision User Accounts tile

    3. Click Get Started

    4. Choose Automatic from the dropdown menu

    5. Enter as the Tenant URL

    6. Enter the API Token created previously in Fulcrum as the Secret Token

    7. Click the Test Connection button to validate the credentials

    8. Click Save to save the Provisioning configuration

  2. Assign users to the Azure Fulcrum app to have them added to your organization in Fulcrum

    1. Click on the Users and groups menu or the Assign users and groups tile

    2. Click Add user/group to add users or groups

    3. Click None Selected

    4. Search for or choose a user or group to add. When all users and groups have been selected click the Select button

    5. Click the Assign button


Managed and unmanaged users and groups

Fulcrum separates the ecosystems for managed and unmanaged users and groups.

Unmanaged users are users that are created directly in Fulcrum and are not managed by Azure. Azure is in fact unaware of these unmanaged users.

Managed users are created in Azure and are created in Fulcrum via SCIM provisioning. In Fulcrum, these users will be marked as managed.

Similarly, Fulcrum also has managed and unmanaged groups. Unmanaged groups are completely internal to Fulcrum and are not visible to Azure. Managed groups are created and managed in Azure. Group memberships cannot be managed in Fulcrum and must be managed in Azure. Information on managing groups in Fulcrum.

One of the consequences of this split ecosystem is that managed and unmanaged users and groups may have the same name even though they represent different entities. Refreshing the App Groups in Azure will not fetch unmanaged groups from Fulcrum. Pushing a group in Azure that has the same name as an unmanaged group in Fulcrum will result in multiple groups with the same name in Fulcrum. This is expected behavior.

Nested groups

Azure does not support assigning nested groups to an application through SCIM.

Provisioning time

Azure does not execute provisioning requests immediately. Instead, it can take up to 15 minutes to sync changes from Azure to Fulcrum.

Other Issues

Please reach out to our support team at if you have any difficulties.

Did this answer your question?