Skip to main content

Entra ID (formerly Azure) SCIM Guide

This article describes how to set up SCIM-based user provisioning through Microsoft Entra ID (formerly Azure Active Directory).

K
Written by Katie Briggs
Updated over 7 months ago

Disclaimer: Fulcrum SCIM integration with Entra ID (formerly Azure Active Directory) is currently under review with Microsoft and you will not see it on the Entra ID site yet. SCIM-based user provisioning can currently be manually configured to work between Entra ID and Fulcrum. Contact us at support@fulcrumapp.com to learn more.

Features

  • Push Users - Users in Entra ID can be assigned to the Fulcrum application in Entra ID and will automatically be created and added as members to your Fulcrum organization.

  • Deactivate Users - Users in Entra ID that are unassigned from the Fulcrum application in Entra ID will be removed as members from your Fulcrum organization.

  • Push Membership Updates - Users in Entra ID can update their email, given name, and/or family name and have those changes updated in their Fulcrum organization membership.

  • Push Groups - Groups in Entra ID can be assigned to the Fulcrum application in Entra ID. The users in those groups will automatically be created and added as members to your Fulcrum organization. The groups themselves will also be created in Fulcrum as Fulcrum groups.

  • Map Roles - When app roles are set up and assigned to users in Entra ID, Fulcrum members will automatically be assigned the corresponding Fulcrum role.

Requirements

SCIM provisioning is only supported on certain Fulcrum plans with SSO and Developer Pack enabled.

To avoid duplicating existing users when transitioning to using SCIM, please contact your account executive or CSM to coordinate a migration process.

Configuration Steps

In Fulcrum

  1. Sign in as an Owner to the organization you want SCIM provisioning enabled

  2. Create an API token to be used with the SCIM integration

    1. Go to the API page

    2. Click the NEW API TOKEN button

    3. Provide a useful description such as SCIM Azure / Entra ID

    4. Click CREATE TOKEN to create a new API token

    5. Note/copy the token which will be used to configure the Entra ID Fulcrum application.

Note: The API token is tied to the Fulcrum user who generated it. If that user is removed/deactivated a new one will need to be created and reconfigured in Entra ID.

In Entra ID

  1. Configure Provisioning settings

    1. Open your Enterprise Application for Fulcrum

    2. Click on the Provisioning menu item or the Provision User Accounts tile

    3. Click Get Started

    4. Choose Automatic from the dropdown menu

    5. Enter https://web.fulcrumapp.com/scim as the Tenant URL

    6. Enter the API Token created previously in Fulcrum as the Secret Token

    7. Click the Test Connection button to validate the credentials

    8. Click Save to save the Provisioning configuration

  2. Assign users to the Entra ID Fulcrum app to have them added to your organization in Fulcrum

    1. Click on the Users and groups menu or the Assign users and groups tile

    2. Click Add user/group to add users or groups

    3. Click None Selected

    4. Search for or choose a user or group to add. When all users and groups have been selected click the Select button

    5. Click the Assign button

  3. Add app roles to automatically assign the corresponding Fulcrum role (optional)

    When app roles are set up and assigned to users in Entra ID, Fulcrum members will automatically be assigned the corresponding Fulcrum role.

    1. The first step is to add roles to the app mapping:

      1. Go to the Microsoft Entra ID portal, then to the Enterprise applications tab, and select the Fulcrum app

      2. Inside the app go to the Provisioning tab, then click on Provisioning again

      3. Under Mappings, select Provision Entra ID Active Directory Users

      4. At the bottom of the page, select Show advanced options

      5. Select Edit attribute list for (Fulcrum/customsso)

      6. Remove unnecessary attributes, until the list looks like this:

      7. Go back to the previous screen, select Add Mapping and configure it like this:

      8. The Mappings list should look like this, remove any attributes that are not needed:


    2. The next step is to set up the app roles:

      1. Go to the Microsoft Entra ID portal

      2. Select the App Registrations tab

      3. Select the Enterprise App related to your Fulcrum instance

      4. Select the App Roles tab. This will show a list of the currently available roles

      5. Click on Create app role to create a new role

      6. Create custom roles for the Enterprise Application to match the roles in Fulcrum

      7. Fill out the form and submit. Ensure that the `Display name' field matches a role name in Fulcrum.

        When adding users to the app or editing already provisioned users, you can now assign an app role. The users will then be provisioned with the Fulcrum role that matches the 'Display name' of the app role you have designated. If a role does not exist in Fulcrum that matches the 'Display name' of the app role you have selected, the user will be provisioned with the default Fulcrum role.

        Only one role can be used per user. If you add a user to 2+ groups and the groups have different roles assigned to them, there will be an error.

Troubleshooting

Managed and unmanaged users and groups

Fulcrum separates the ecosystems for managed and unmanaged users and groups.

Unmanaged users are users that are created directly in Fulcrum and are not managed by Entra ID. Entra ID is in fact unaware of these unmanaged users.

Managed users are created in Entra ID and are created in Fulcrum via SCIM provisioning. In Fulcrum, these users will be marked as managed.

Similarly, Fulcrum also has managed and unmanaged groups. Unmanaged groups are completely internal to Fulcrum and are not visible to Entra ID. Managed groups are created and managed in Entra ID. Group memberships cannot be managed in Fulcrum and must be managed in Entra ID. Information on managing groups in Fulcrum.

One of the consequences of this split ecosystem is that managed and unmanaged users and groups may have the same name even though they represent different entities. Refreshing the App Groups in Entra ID will not fetch unmanaged groups from Fulcrum. Pushing a group in Entra ID that has the same name as an unmanaged group in Fulcrum will result in multiple groups with the same name in Fulcrum. This is expected behavior.

Nested groups

Entra ID does not support assigning nested groups to an application through SCIM.

Provisioning time

Entra ID does not execute provisioning requests immediately. Instead, it can take up to 15 minutes to sync changes from Entra ID to Fulcrum.

Other Issues

Please reach out to our support team at support@fulcrumapp.com if you have any difficulties.

Did this answer your question?