Azure/Entra ID - SCIM Configuration

SCIM Provisioning with Microsoft Entra ID (Microsoft 365)


Info
This guide explains how to configure SCIM provisioning between Microsoft Entra ID (Microsoft 365) and KZero Passwordless. SCIM allows Microsoft Entra ID to automatically manage the user lifecycle in KZero Passwordless, including:
  1. Creating users automatically
  2. Updating user information
  3. Disabling users when they leave the organization
Using SCIM improves security, lifecycle management, and administrative efficiency, especially in MSP environments managing multiple tenants.
Warning
Prerequisites:
Before starting, make sure you meet the following requirements:
  1. Global Administrator permissions in Microsoft 365
  2. KZero Passwordless administrator access
  3. An existing KZero Passwordless tenant
  4. Network access to the SCIM endpoint
Important: Custom elements in URLs (tenant names / realm names) are case sensitive. Always copy values exactly as they appear in your environment.
Important: Always maintain a backup administrator account using the .onmicrosoft domain to prevent accidental tenant lockouts.


How SCIM Works with KZero Passwordless

When SCIM is configured, Microsoft Entra ID triggers provisioning events, while KZero Passwordless receives and processes SCIM requests.

SCIM Provisioning Flow

  1. User created in Microsoft Entra ID
  2. User assigned to the SCIM application
  3. Entra ID sends SCIM provisioning request
  4. KZero Passwordless receives the request
  5. User account is automatically created
  6. User authenticates using Passwordless Authentication

Step 1 — Enable SCIM Provisioning in KZero Passwordless

  1. Log in to the KZero Passwordless Dashboard
  2. Select the correct Tenant
  3. Navigate to Integrations → SCIM
  4. Select SCIM Endpoint

Configure the following values:
  1. Profile: Azure
  2. Azure Tenant ID: Enter your Microsoft Entra Tenant ID
  3. Enable: ON
  4. Click Update to save.

Step 2 — Configure SCIM Attribute Mapping in KZero Passwordless

KZero Passwordless requires specific attributes to correctly interpret provisioning requests from Microsoft Entra ID. Configure the required attributes in the Advanced Console.
  1. Open Advanced Console
  2. Select Clients
  3. Search for scim-endpoint
  4. Open the client
  5. Go to the Client Scopes tab
  6. Select scim-endpoint-dedicated
  7. Click Add Mapper by Configuration
  8. Select User Attribute
Notes
You must create the following seven attributes:
  1. status
  2. loginName
  3. firstName
  4. manager
  5. lastName
  6. tag
  7. email

Attribute Configuration

For every mapper below, enable all token options (ID token, access token, userinfo, token introspection).

Status

  Field            Value
  Mapper Type      User Attribute
  Name             status
  User Attribute   isSoftDeleted
  Token Claim      active
  Claim JSON Type  Boolean

LoginName

  Field            Value
  Mapper Type      User Attribute
  Name             loginName
  User Attribute   userPrincipalName
  Token Claim      userName
  Claim JSON Type  String

FirstName

  Field            Value
  Mapper Type      User Attribute
  Name             firstName
  User Attribute   givenName
  Token Claim      name.givenName
  Claim JSON Type  String

Manager

  Field            Value
  Mapper Type      User Attribute
  Name             manager
  User Attribute   manager
  Token Claim      manager
  Claim JSON Type  String

LastName

  Field            Value
  Mapper Type      User Attribute
  Name             lastName
  User Attribute   surName
  Token Claim      name.familyName
  Claim JSON Type  String

Tag

  Field            Value
  Mapper Type      User Attribute
  Name             tag
  User Attribute   extensionAttribute1
  Token Claim      urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:tag
  Claim JSON Type  String

Email

  Field            Value
  Mapper Type      User Attribute
  Name             email
  User Attribute   email
  Token Claim      email
  Claim JSON Type  String
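To make the provisioning flow and the seven mapper rows concrete, here is an added worked example (written for this article, not KZero's or Keycloak's own code) of how a SCIM endpoint would interpret the requests Entra ID sends: a POST /Users when an assigned user is first provisioned, and a PATCH /Users/{id} when the user is updated or disabled. The mapping table is taken from the attribute configuration above (Token Claim, User Attribute, Claim JSON Type). Everything else is an assumption made for the example: the sample request bodies are constructed, the fallback from a flat "email" claim to the SCIM "emails" array mirrors Entra's default mapping, string-valued booleans are accepted defensively, and isSoftDeleted is stored as the negation of SCIM "active" (the page does not state how the two relate).

```python
"""Added example: interpreting Entra ID SCIM requests with the seven mappers above."""
import json
from typing import Any

TAG_SCHEMA = "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User"

# Token Claim -> (User Attribute, Claim JSON Type), taken from the attribute table.
MAPPERS = {
    "active": ("isSoftDeleted", "Boolean"),
    "userName": ("userPrincipalName", "String"),
    "name.givenName": ("givenName", "String"),
    "manager": ("manager", "String"),
    "name.familyName": ("surName", "String"),
    f"{TAG_SCHEMA}:tag": ("extensionAttribute1", "String"),
    "email": ("email", "String"),
}

# Constructed sample bodies (not captured from a real tenant).
SAMPLE_CREATE = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", TAG_SCHEMA],
    "externalId": "constructed-object-id",
    "userName": "jane.doe@contoso.example",
    "active": True,
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "work", "primary": True, "value": "jane.doe@contoso.example"}],
    "manager": "constructed-manager-id",
    TAG_SCHEMA: {"tag": "tier-1"},
})
SAMPLE_DISABLE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}],
})


def _lookup(resource: dict, claim: str) -> Any:
    """Resolve a SCIM attribute path ('name.givenName') or an extension-schema
    attribute ('urn:...:User:tag') inside a SCIM resource."""
    if claim.startswith(TAG_SCHEMA + ":"):
        return resource.get(TAG_SCHEMA, {}).get(claim[len(TAG_SCHEMA) + 1:])
    node: Any = resource
    for part in claim.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    # Assumption: Entra's default mapping sends emails[type eq "work"].value rather
    # than a flat "email" claim, so fall back to the primary/work address.
    if node is None and claim == "email":
        for entry in resource.get("emails", []):
            if entry.get("primary") or entry.get("type") == "work":
                return entry.get("value")
    return node


def _coerce(value: Any, json_type: str) -> Any:
    """Apply the mapper's Claim JSON Type. Booleans are accepted both as JSON
    booleans and, defensively, as the strings "True"/"False"."""
    if json_type == "Boolean":
        if isinstance(value, bool):
            return value
        if isinstance(value, str) and value.strip().lower() in ("true", "false"):
            return value.strip().lower() == "true"
        raise ValueError(f"active must be boolean, got {value!r}")
    return str(value)


def _store(attrs: dict, user_attr: str, value: Any) -> None:
    # Assumption: a soft-deleted user is an inactive one, so isSoftDeleted is
    # stored as the negation of SCIM "active".
    attrs[user_attr] = (not value) if user_attr == "isSoftDeleted" else value


def apply_user_create(body: str) -> dict:
    """Handle POST /Users: return the stored attributes and which mapped
    claims the request did not carry (useful for the validation checklist)."""
    resource = json.loads(body)
    attrs: dict = {}
    missing = []
    for claim, (user_attr, json_type) in MAPPERS.items():
        raw = _lookup(resource, claim)
        if raw is None:
            missing.append(claim)
            continue
        _store(attrs, user_attr, _coerce(raw, json_type))
    for required in ("userName", "active"):  # without these the account is unusable
        if required in missing:
            raise ValueError(f"SCIM request lacks required attribute {required}")
    return {"attributes": attrs, "missing_claims": missing}


def apply_user_patch(attrs: dict, body: str) -> dict:
    """Handle PATCH /Users/{id}, e.g. the active -> false sent when a user is
    unassigned or disabled. Accepts both path-based and path-less operations."""
    for op in json.loads(body).get("Operations", []):
        if op.get("op", "").lower() not in ("replace", "add"):
            continue
        if "path" in op:
            changes = {op["path"]: op.get("value")}
        elif isinstance(op.get("value"), dict):
            changes = op["value"]
        else:
            continue
        for claim, raw in changes.items():
            if claim in MAPPERS:
                user_attr, json_type = MAPPERS[claim]
                _store(attrs, user_attr, _coerce(raw, json_type))
    return attrs


if __name__ == "__main__":
    created = apply_user_create(SAMPLE_CREATE)
    print(json.dumps(created, indent=2))
    print(json.dumps(apply_user_patch(created["attributes"], SAMPLE_DISABLE), indent=2))
```

Running the block shows the create request landing in the seven user attributes, and the disable PATCH flipping isSoftDeleted to true, which is the lifecycle step "Disabling users when they leave the organization" from the introduction. A request missing userName or active is rejected outright; any other absent mapped claim is reported in missing_claims so a gap in the Entra-side attribute mapping surfaces during the Step 5 test rather than silently producing an incomplete account.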

Step 3 — Create the KZero Passwordless SCIM Application in Microsoft Entra ID

  1. Log into Microsoft Entra ID
  2. Go to Enterprise Applications
  3. Select New Application
  4. Click Create your own application
Use the following settings:
  1. Name: KZero Passwordless SCIM
  2. Application type: Integrate any other application you don't find in the gallery
Click Create.

Assign Users or Groups

In the new Enterprise Application:

  1. Go to Users and Groups
  2. Assign the users or groups that should be provisioned in KZero Passwordless
Only assigned users will be provisioned.

Step 4 — Enable SCIM Provisioning in Entra ID

  1. In the Enterprise Application, select Provisioning
  2. Configure the following values:
    1. Provisioning Mode: Automatic
    2. Authentication Method: Bearer Authentication
    3. Tenant URL: https://ca.auth.kzero.com/realms/<TENANT_NAME>/scim/v2
  3. Click Test Connection. If successful:
    1. Set Provisioning Status to ON
    2. Click Save

Step 5 — Test SCIM Provisioning

To confirm the configuration is working:
  1. Create a new user in Microsoft Entra ID
  2. Assign the user to Enterprise Applications → KZero Passwordless SCIM
  3. Start provisioning from Overview → Start provisioning
  4. Verify the user appears in the KZero Passwordless Dashboard

Validation Checklist

Confirm the following before considering the integration complete:
  1. SCIM endpoint enabled in KZero Passwordless
  2. All required attribute mappings configured
  3. Enterprise Application created in Entra ID
  4. Users or groups assigned to the application
  5. Provisioning mode set to Automatic
  6. Connection test successful
  7. Test user successfully provisioned
