SCIM - Microsoft Entra ID
1 Before You Start
- You must have a ProcedureFlow account with "Org Admin" role and a pricing plan that supports SCIM
- You must have a Microsoft Entra account and administrative access to configure Enterprise Applications (either through Entra Admin portal or Azure Portal)
- Decide the scope of the deployment, i.e., whether users only, or users and groups, will be provisioned.
2 Configure ProcedureFlow to Support Provisioning
- Sign into ProcedureFlow using your Org Admin account.
- Go to Administration > Developers > Personal Access Tokens and click New Access Token to create a new token to use for SCIM.
- Name the token, select an expiration, and assign the Read and write SCIM permission.
Note Be sure to create a token with a long enough expiry, or no expiry at all: when the token expires, the integration with Microsoft Entra ID will fail until a new token is generated and configured.
- Click Create Token. The token will temporarily appear on the Personal Access Tokens screen. Copy the token to save elsewhere; you will need this for configuring Microsoft Entra ID, and once you refresh this screen the token will no longer be available.
3 Create and Configure a new Enterprise Application in Microsoft Entra ID
This can be done either through the Entra Admin portal or in the Entra section of the Azure Portal.
Important These steps were accurate at the time of publication, but because they reflect a third party's processes they are subject to change. Confirm the current steps with your Entra administrators.
- Navigate to the Enterprise Applications section of the respective portal, then click New application in the Enterprise applications screen:
- Click Create your own application and in the popup enter a name for the application. Make sure the Integrate any other application you don't find in the gallery (Non-gallery) option is selected.
- Once the new application is created, navigate to it. This is where you can set up SCIM provisioning as well as single sign-on with SAML.
- In the provisioning setup screen, select Automatic provisioning mode.
- Enter https://api.procedureflow.com/v1/scim/v2 in the Tenant URL field.
- Enter the token created in step 2 above in the Secret Token field.
- Select the Send an email notification when a failure occurs checkbox and enter an email account for the administrator or team responsible for maintaining applications and identity.
- Click Test Connection to make sure it connects using the token.
- You will now see a Mappings section under the Provisioning tab. Click to expand the mapping options:
- Click Provision Microsoft Entra ID Groups. If your organization does not have the SCIM Groups feature activated, change Enabled to “No” and save. If your organization does have the SCIM Groups feature activated, make sure the following options are selected (Create, Update, Delete). The ProcedureFlow SCIM Groups API requires that displayName and members attributes are provided. Any other attributes will be ignored. Click Save after configuring.
- Click Provision Microsoft Entra ID Users. The ProcedureFlow SCIM Users API requires the userName, active, and displayName attributes to be mapped. The active attribute should already have a calculated field, Switch([IsSoftDeleted], , "False", "True", "True", "False"); leave this as is. The userName attribute mapping must be updated to use the mail source attribute, which maps each user's primary email address as their user name in ProcedureFlow. Click Save after the configuration is complete. Your configuration should look like the following:
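A worked preview of what the user and group mappings above produce, as an added example (not ProcedureFlow's or Microsoft's code): it reimplements the Switch expression used for active, maps userName from mail, keeps only displayName and members for groups, and reports any required attribute that is missing, which is the usual reason a single user fails to provision. The Entra attribute names (mail, displayName, IsSoftDeleted, objectId) and the sample users are assumptions constructed for the example.

```python
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
USER_REQUIRED = ("userName", "active", "displayName")
GROUP_REQUIRED = ("displayName", "members")


def switch(value, default, *pairs):
    """Evaluate an Entra Switch(source, default, key1, val1, ...) expression."""
    if len(pairs) % 2:
        raise ValueError("Switch needs key/value pairs after the default")
    for key, result in zip(pairs[::2], pairs[1::2]):
        if value == key:
            return result
    return default


def active_from_is_soft_deleted(is_soft_deleted: str) -> str:
    # Entra's default mapping: Switch([IsSoftDeleted], , "False", "True", "True", "False")
    return switch(is_soft_deleted, "", "False", "True", "True", "False")


def map_user(entra_user: dict) -> dict:
    """Build the SCIM User Entra would send once userName is mapped from mail."""
    mail = entra_user.get("mail")  # assumed Entra attribute name
    if not mail:
        # No mail means no userName, so provisioning of this user would fail.
        raise ValueError(f"user {entra_user.get('objectId')!r} has no mail attribute")
    active = active_from_is_soft_deleted(entra_user.get("IsSoftDeleted", "False"))
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": mail,
        "active": active == "True",
        "displayName": entra_user["displayName"],
    }


def map_group(entra_group: dict) -> dict:
    """Build the SCIM Group; only displayName and members are sent, the rest is dropped."""
    return {
        "schemas": [SCIM_GROUP_SCHEMA],
        "displayName": entra_group["displayName"],
        "members": [{"value": m} for m in entra_group.get("members", [])],
    }


def missing_required(resource: dict, required: tuple) -> list:
    """Return required attributes that are absent or empty (a False active still counts as present)."""
    return [a for a in required if a not in resource or resource[a] in (None, "")]
```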
4 Define Who Will Be in Scope for Provisioning
Microsoft Entra ID provides a few different mechanisms to manage who is provisioned to the application. The recommended approach is to directly assign users and groups to the application. Experienced administrators can also use scoping filters to provision users.
Note It is recommended to start with a small group of users or a small assigned group. Before rolling out to a larger audience, verify that things are working as expected. Newly added users in the small test group should receive an email invite to join ProcedureFlow.