Skip to content
Contact Support
  • There are no suggestions because the search field is empty.

Setting Up User Provisioning with a Microsoft Entra SCIM app

If your team uses Microsoft for for employee identity management, you can set up an Entra SCIM app to handle user provisioning, deprovisioning, and profile field mapping. 

Before you turn on user provisioning, it's a good idea to check your workspace notification settings. Once you enable SCIM, users will receive notifications even if they haven't signed into their account yet! You can find and adjust these settings in your Admin Console on the Security Settings page.

You must be a Workspace Admin or Access Control Admin in your Haystack workspace to complete this setup.

Enable SCIM in Your Workspace

  1. Log in to your Haystack workspace a click the account dropdown menu in the top right corner of your account. Select Admin Console from the menu. 
  2. In the left hand menu, visit the User Provision & Login page. 
  3. Scroll down to the User Provision Options section and toggle on Enable SCIM based user provision.

  4. Click Save User Provision Options at the bottom of the page. 
  5. Keep this page open as we'll need the details on it in the next setup steps. 

Create a Non-Gallery Application:

  1. Log in to your Microsoft 365 account and visit the Applications section of the portal.
  2. Navigate to Microsoft Entra ID > Enterprise applications.
  3. Click + New application and select Create your own application.
  4. Name the app Haystack Intranet (or any other name that help your identify your app) and select "Integrate any other application you don't find in the gallery (non-gallery)"

Enable and Configure SCIM Provisioning

Now, let's enable SCIM provisioning within your Entra application.

  1. In your new app, click Provisioning in the left menu. Click the Get Started buttonl
  2. Set Provisioning Mode to Automatic.
  3. Admin Credentials: Enter the SCIM connector base URL (Tenant URL) and Secret Token. You'll find these on the User Provision & Login page of your Haystack Admin Console. Make sure you copy the URL exactly so that it includes your team's domain name.

  4. Click Test Connection to ensure Entra can communicate with the app.
  5. Click Save

Configure Attribute Mappings

Next, we'll set up the mapping between your users' Microsoft profiles and Haystack profiles. Some Haystack fields will require customizations to ensure the data maps to your users' profiles. 

 

Default Mappings

  • Update the default mappings so that "objectId" is mapped to "externalId".

  • For most teams, the default mappings for displayName and jobTitle are correct, but double check to ensure you're using the fields that make sense for your team.
Custom Attributes, Overview

Some Haystack profile fields require you to set up new custom attributes. First, we'll add the custom attributes: 

  1. In Entra, go to the User attribute mappings screen.

  2. Click Show advanced options, then Edit attribute list for [App Name].

    Scroll to the bottom, paste the copied Target Attribute from the list below in the Custom Attribute Mappings, Details section. 

  3. Keep the type as String and click Save.
  4. Repeat these steps for all the custom attributes you'd like to add, using the info in the 

    Custom Attribute Mappings, Details section below

Then, we'll map these new custom attributes to your Entra fields:

  1. Add a new mapping using the custom attributes you've created. On the mapping modal, use these details:
    1. Mapping Type: Keep as Direct
    2. Source Attribute: The attribute from Entra you're mapping from. 
    3. Target attribute: The SCIM attribute in Haystack you're mapping to
      1. Use the pairings listed below to guide your setup in b & c above. 
    4. Match object using this attribute / Matching precedence / Apply this mapping: Leave these fields as-is. 
Custom Attribute Mappings, Details

Use the details below and steps above in the Custom Attributes, Overview section to complete your mappings. 

  • Manager
    • Source Attribute: manager
    • Target Attribute: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager
  • Hire Date
    • Source Attribute: joinDate
    • Target Attribute: urn:ietf:params:scim:schemas:extension:haystack:1.0:User:joinDate
  • City

    • Source Attribute: city(or locality)

    • Target Attribute: urn:ietf:params:scim:schemas:extension:haystack:1.0:User:locality

  • State
    • Source Attribute: state(or region)
    • Target Attribute: urn:ietf:params:scim:schemas:extension:haystack:1.0:User:region
  • Country

    • Source Attribute: country

    • Target Attribute: urn:ietf:params:scim:schemas:extension:haystack:1.0:User:countryCode

Provision Users

Once you've completed the steps above, your SCIM app is all set up and ready to use! Chat with your implementation team about timing for your launch. When you're ready, provision users as needed to the app!

Keywords: Azure, SCIM, user provisioning, user profile, data mapping, group management, sync, security, guide, admin, provisioning, integration, Microsoft, help, instructions