Azure/Entra ID - SCIM Configuration

This application has been formally tested by Kelvin Zero Inc.

This documentation provides a step-by-step guide to setting up SCIM provisioning for Microsoft 365 (M365) using Multi-Pass. SCIM enables automated provisioning and deprovisioning of users, improving both security and administrative efficiency.

To set up SCIM with Multi-Pass and Microsoft 365, ensure you meet the following requirements:
- Global Admin permissions in Microsoft 365
- MPAS Admin rights
Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.
Important: Always configure a backup admin account on the tenant that uses only the .onmicrosoft domain, to prevent accidental lockouts.
Azure/Entra ID - SCIM Configuration
- Open Multi-Pass Dashboard
- Select the correct tenant
- Select Integrations and then SCIM
- Select SCIM Endpoint
- Set the Profile to Azure
- Insert your Azure Tenant ID
- Toggle on the Enable switch
- Select Update
- Select Advanced Console
- Select Clients and search for "scim-endpoint"
- Go to the Client Scopes tab
- Click on scim-endpoint-dedicated
- Select Add Mapper by Configuration
- Select User Attribute
- Create 7 User Attributes based on the tables below:
  - status
  - loginName
  - firstName
  - manager
  - lastName
  - tag
  - email
Status
Field | Value |
---|---|
Mapper Type | User Attribute |
Name | status |
User Attribute | isSoftDeleted |
Token Claim | active |
Claim JSON Type | Boolean |
Add to ID token | ON |
Add to access token | ON |
Add to userinfo | ON |
Add to token introspection | ON |
LoginName
Field | Value |
---|---|
Mapper Type | User Attribute |
Name | loginName |
User Attribute | userPrincipalName |
Token Claim | userName |
Claim JSON Type | String |
Add to ID token | ON |
Add to access token | ON |
Add to userinfo | ON |
Add to token introspection | ON |
FirstName
Field | Value |
---|---|
Mapper Type | User Attribute |
Name | firstName |
User Attribute | givenName |
Token Claim | name.givenName |
Claim JSON Type | String |
Add to ID token | ON |
Add to access token | ON |
Add to userinfo | ON |
Add to token introspection | ON |
Manager
Field | Value |
---|---|
Mapper Type | User Attribute |
Name | manager |
User Attribute | manager |
Token Claim | manager |
Claim JSON Type | String |
Add to ID token | ON |
Add to access token | ON |
Add to userinfo | ON |
Add to token introspection | ON |
LastName
Field | Value |
---|---|
Mapper Type | User Attribute |
Name | lastName |
User Attribute | surName |
Token Claim | name.familyName |
Claim JSON Type | String |
Add to ID token | ON |
Add to access token | ON |
Add to userinfo | ON |
Add to token introspection | ON |
Tag
Field | Value |
---|---|
Mapper Type | User Attribute |
Name | tag |
User Attribute | extensionAttribute1 |
Token Claim | urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:tag |
Claim JSON Type | String |
Add to ID token | ON |
Add to access token | ON |
Add to userinfo | ON |
Add to token introspection | ON |
Email
Field | Value |
---|---|
Mapper Type | User Attribute |
Name | email |
User Attribute | email |
Token Claim | email |
Claim JSON Type | String |
Add to ID token | ON |
Add to access token | ON |
Add to userinfo | ON |
Add to token introspection | ON |
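The following check is an added example, not part of the Kelvin Zero documentation: it verifies that a provisioned user record carries all seven claims from the mapper tables with the JSON types listed there. It assumes the record is available as a JSON object laid out by the Token Claim column, with the `tag` extension attribute nested under its schema URN; the names `resolve`, `check_user` and `SAMPLE` are hypothetical.

```python
# Claim path -> expected JSON type, copied from the Token Claim and
# Claim JSON Type rows of the seven mapper tables.
TAG = "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:tag"
EXPECTED_CLAIMS = {
    "active": bool,
    "userName": str,
    "name.givenName": str,
    "name.familyName": str,
    "manager": str,
    "email": str,
    TAG: str,
}

def resolve(record, path):
    """Return the value at a claim path, or None when it is absent."""
    if path.startswith("urn:"):
        # Assumption: extension attributes sit in an object keyed by the
        # schema URN; the attribute name is whatever follows the last colon.
        schema, _, attr = path.rpartition(":")
        node, parts = record.get(schema), attr.split(".")
    else:
        node, parts = record, path.split(".")
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def check_user(record):
    """Return a sorted list of problems; an empty list means every claim matches."""
    problems = []
    for path, expected in EXPECTED_CLAIMS.items():
        value = resolve(record, path)
        if value is None:
            problems.append(f"missing: {path}")
        elif type(value) is not expected:  # "True" (str) is not True (bool)
            problems.append(f"wrong type: {path} is {type(value).__name__}")
    return sorted(problems)

# Constructed sample record, not captured from a real tenant.
SAMPLE = {
    "userName": "jane.doe@example.onmicrosoft.com",
    "active": True,
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "manager": "constructed-manager-id",
    "email": "jane.doe@example.com",
    TAG.rpartition(":")[0]: {"tag": "pilot-group"},
}

if __name__ == "__main__":
    print(check_user(SAMPLE) or "all seven claims present with the expected types")
```

A missing mapper or a mapper saved with the wrong Claim JSON Type shows up as a `missing:` or `wrong type:` entry for that claim.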
Step 2 - Create the Multi-Pass SCIM Application in Entra ID
- Log into Entra ID as an Administrator
- Browse to Enterprise Apps
- Select New Application
- Select Create your own application
- In the Name field, write Multi-Pass SCIM
- Select Integrate any other application you don’t find in the gallery (Non-gallery)
- Click Create
- Once the new application loads, select Users and Groups under Manage
- Add the Users or Groups that you want provisioned to Multi-Pass through SCIM
Step 3 - Enabling and Testing SCIM Provisioning (IdP)
- Create a new user in Entra ID
- Browse to Enterprise Apps and locate the Multi-Pass SCIM application
- Under Manage, select Users and Groups
- Assign the User to the Multi-Pass SCIM application
- Select Provisioning under Manage
- Under Provisioning Mode, select Automatic
- Under Admin Credentials, select Bearer Authentication
- Under Tenant URL, enter:
https://ca.auth.kzero.com/realms/<TENANT_NAME>/scim/v2
- Select Test Connection
- Set Provisioning Status to ON
- Select Save
- Browse to Overview (Preview)
- Select Start provisioning if it has not started
- Once it has started, return to Multi-Pass to confirm the user synced to the platform