
Setting Up User Provisioning with a Microsoft Entra SCIM app

If your team uses Microsoft for employee identity management, you can set up an Entra SCIM app to handle user provisioning, deprovisioning, and profile field mapping.

Before you turn on user provisioning, it's a good idea to check your workspace notification settings. Once you enable SCIM, users will receive notifications even if they haven't signed into their account yet! You can find and adjust these settings in your Admin Console on the Security Settings page.

You must be a Workspace Admin or Access Control Admin in your Haystack workspace to complete this setup.

Enable SCIM in Your Workspace

  1. Log in to your Haystack workspace and click the account dropdown menu in the top right corner of your account. Select Admin Console from the menu.
  2. In the left-hand menu, visit the User Provision & Login page.
  3. Scroll down to the User Provision Options section and toggle on Enable SCIM based user provision.

  4. Click Save User Provision Options at the bottom of the page. 
  5. Keep this page open as we'll need the details on it in the next setup steps. 

Create a Non-Gallery Application

  1. Log in to your Microsoft 365 account and visit the Applications section of the portal.
  2. Navigate to Microsoft Entra ID > Enterprise applications.
  3. Click + New application and select Create your own application.
  4. Name the app Haystack Intranet (or any other name that helps you identify your app) and select "Integrate any other application you don't find in the gallery (non-gallery)".

Enable and Configure SCIM Provisioning

Now, let's enable SCIM provisioning within your Entra application.

  1. In your new app, click Provisioning in the left menu. Click the Get Started button.
  2. Set Provisioning Mode to Automatic.
  3. Admin Credentials: Enter the SCIM connector base URL (Tenant URL) and Secret Token. You'll find these on the User Provision & Login page of your Haystack Admin Console. Make sure you copy the URL exactly so that it includes your team's domain name.

  4. Click Test Connection to ensure Entra can communicate with the app.
  5. Click Save.

Configure Attribute Mappings

Next, we'll set up the mapping between your users' Microsoft profiles and Haystack profiles. Some Haystack fields will require customizations to ensure the data maps to your users' profiles.  

Default Mappings

To ensure data flows correctly and to prevent sync errors, please follow these steps exactly:

    1. Navigate to the homepage of your custom application in Entra.

    2. In the Manage section of the left sidebar, select Provision Microsoft Entra ID Users.

    3. Update externalId: Locate the externalId mapping and update it so that it references objectId.

    4. Remove Enterprise Manager Mapping: To prevent technical bugs, find and delete the mapping for urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager. Don't worry: we will add the correct Haystack-specific manager mapping in the next section.

    5. Verify Defaults: For most teams, the default mappings for displayName and jobTitle are correct. Double-check to ensure these align with your team's needs.

Custom Attributes Overview

Some Haystack profile fields require new custom attributes.

  1. In Entra, go to the User attribute mappings screen.

  2. Click Show advanced options, then Edit attribute list for [App Name].

  3. Scroll to the bottom and paste the Target Attribute from the details list below into the Custom Attribute Mappings section.

  4. Keep the type as String and click Save.

  5. Repeat for all desired attributes.

Once attributes are added, map them:

  1. Add a New Mapping using these details:

    • Mapping Type: Direct

    • Source Attribute: The Entra field (e.g., manager or city)

    • Target Attribute: The Haystack SCIM attribute created in the previous step.


Custom Attribute Mappings Details

Use these pairings to complete the steps above:

FIELD: MANAGER
Source Attribute (Entra): manager
Target Attribute (Haystack SCIM): urn:ietf:params:scim:schemas:extension:haystack:1.0:User:managerExternalId

FIELD: HIRE DATE
Source Attribute (Entra): joinDate
Target Attribute (Haystack SCIM): urn:ietf:params:scim:schemas:extension:haystack:1.0:User:joinDate

FIELD: CITY
Source Attribute (Entra): city (or locality)
Target Attribute (Haystack SCIM): urn:ietf:params:scim:schemas:extension:haystack:1.0:User:locality

FIELD: STATE
Source Attribute (Entra): state (or region)
Target Attribute (Haystack SCIM): urn:ietf:params:scim:schemas:extension:haystack:1.0:User:region

FIELD: COUNTRY
Source Attribute (Entra): country
Target Attribute (Haystack SCIM): urn:ietf:params:scim:schemas:extension:haystack:1.0:User:countryCode
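
To sanity-check the mappings above before launch, the following added example (not Haystack's or Microsoft's code) inspects a SCIM user resource and reports where it deviates from this guide. It assumes the Haystack attributes arrive nested under the extension URN, the way RFC 7643 lays out schema extensions; the function name and both sample users are constructed for illustration.

```python
HAYSTACK_EXT = "urn:ietf:params:scim:schemas:extension:haystack:1.0:User"
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Target attributes listed in the mapping details above.
HAYSTACK_ATTRS = {"managerExternalId", "joinDate", "locality", "region", "countryCode"}


def check_scim_user(user: dict) -> list:
    """Return a list of findings; an empty list means the payload matches the guide."""
    findings = []
    # Default Mappings, step 3: externalId must be populated (from objectId).
    if not user.get("externalId"):
        findings.append("externalId is empty: map it to objectId")
    # Default Mappings, step 4: the enterprise manager mapping must be gone.
    if "manager" in (user.get(ENTERPRISE_EXT) or {}):
        findings.append("enterprise manager mapping still present: delete it")
    # Custom attributes: only the names from the mapping details are expected.
    ext = user.get(HAYSTACK_EXT) or {}
    for name in sorted(set(ext) - HAYSTACK_ATTRS):
        findings.append("unknown Haystack attribute: " + name)
    return findings


# Constructed sample: a user provisioned with the mappings from this guide.
GOOD_USER = {
    "userName": "pat@example.com",
    "externalId": "00000000-0000-0000-0000-000000000001",
    HAYSTACK_EXT: {
        "managerExternalId": "00000000-0000-0000-0000-000000000002",
        "joinDate": "2024-01-15",
        "locality": "Austin",
        "region": "TX",
        "countryCode": "US",
    },
}

# Constructed sample: externalId unmapped, enterprise manager left in place,
# and a custom attribute pasted with the wrong name.
BAD_USER = {
    "userName": "sam@example.com",
    "externalId": "",
    ENTERPRISE_EXT: {"manager": "00000000-0000-0000-0000-000000000002"},
    HAYSTACK_EXT: {"city": "Austin"},
}

if __name__ == "__main__":
    for label, user in (("good", GOOD_USER), ("bad", BAD_USER)):
        print(label, check_scim_user(user) or "OK")
```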


Provision Users

Once you've completed the steps above, your SCIM app is all set up and ready to use! Chat with your implementation team about timing for your launch. When you're ready, provision users as needed to the app!

