SCIM for Multi-Pass with Microsoft Azure AD
SCIM Provisioning - MPAS with Microsoft Entra ID
This guide configures automatic user and group provisioning from Azure AD (Microsoft Entra ID) to MPAS via the SCIM extension.
Step 1 - Enable SCIM in MPAS
- Install and enable the SCIM extension on your MPAS instance.
- In the Admin Console, go to Realm Settings.
- Enable SCIM.
- Set the Base URL.
- Generate a Bearer Token.
| Field | Value |
|---|---|
| SCIM Base URL | https://ca.auth.kzero.com/auth/realms/<TENANT_NAME>/scim/v2 |
| Authentication | Bearer Token (generated in the SCIM settings) |
| Token Lifetime | Prefer a JWT with managed rotation. If not possible, use a long-lived token (restricted scope) as a last resort. |
Step 2 - Create a Dedicated OAuth Client for SCIM (Optional but Recommended)
Create a minimal-scope client used to obtain tokens for SCIM operations or to restrict access to SCIM endpoints.
| Field | Value |
|---|---|
| Client ID | scim-from-azuread (example) |
| Protocol | openid-connect |
| Access Type | confidential |
| Service Accounts Enabled | On (to allow the client credentials flow) |
| Roles / Permissions | Grant only SCIM-required permissions (Users/Groups CRUD). Restrict by resource type if possible. |
| Direct Access Grants / Standard Flow | Off (not needed for SCIM) |
If Azure AD cannot perform the OAuth2 client credentials flow to retrieve a fresh token periodically, you may paste a long-lived Bearer token directly into the Azure AD provisioning settings. Limit its scope and rotate it regularly.
Step 3 - Restrict Access to SCIM Endpoints
Restrict SCIM endpoints to the SCIM client/role only (resource-type level if supported), minimizing exposure of provisioning APIs.
Step 4 - Configure Provisioning in Azure AD
- In Azure AD, go to Enterprise Applications.
- Click New application.
- Open the new application.
- Go to Provisioning and click Get started.
- Set Provisioning Mode to Automatic, enter the Tenant URL and Secret Token, and click Test Connection.
| Field | Value |
|---|---|
| Tenant URL | https://ca.auth.kzero.com/auth/realms/<TENANT_NAME>/scim/v2 |
| Secret Token | Paste the Bearer token generated in Step 1 (or a JWT obtained via the SCIM client) |
| Provisioning Mode | Automatic |
| Target Objects | Users and Groups |
| Scope | Assigned users and groups (recommended pilot) or All users and groups |
| Error Notifications | Set a notification email and enable alerts on failure |
Step 5 - Attribute Mapping
Start with a minimal, reliable mapping and expand later.
| Azure AD Attribute | SCIM Attribute |
|---|---|
| userPrincipalName | userName |
| givenName | name.givenName |
| surname | name.familyName |
| mail | emails[type eq "work"].value |
| objectId | externalId |
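To see what the mapping above produces, and to catch the mapping errors that show up later in provisioning logs, here is an added Python example (not code from the MPAS SCIM extension or from Azure AD). It applies the Step 5 table to a constructed Azure AD user object, builds the SCIM 2.0 User resource Azure AD would send, and checks the attributes MPAS needs (userName and externalId) plus the work email. The path syntax it handles, including the filtered form `emails[type eq "work"].value`, is the one used in the table; the required-attribute list is this example's assumption.

```python
"""Apply the Step 5 attribute mapping to an Azure AD user and check the
resulting SCIM 2.0 User resource. Added example; the Azure AD user below
is constructed sample data, not a real account."""
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Azure AD attribute -> SCIM attribute path, exactly as in the Step 5 table.
ATTRIBUTE_MAPPING = {
    "userPrincipalName": "userName",
    "givenName": "name.givenName",
    "surname": "name.familyName",
    "mail": 'emails[type eq "work"].value',
    "objectId": "externalId",
}

# Assumed for this example: attributes whose absence counts as a mapping error.
REQUIRED_SCIM_PATHS = ("userName", "externalId")

# Matches the filtered multi-valued form: attr[key eq "value"].sub
_FILTER_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]+)"\]\.(\w+)$')


def set_scim_path(resource: dict, path: str, value) -> None:
    """Write value at a dotted path ('name.givenName') or a filtered
    multi-valued path ('emails[type eq "work"].value')."""
    m = _FILTER_PATH.match(path)
    if m:
        attr, filter_key, filter_val, sub = m.groups()
        entries = resource.setdefault(attr, [])
        for entry in entries:  # update an existing entry of that type
            if entry.get(filter_key) == filter_val:
                entry[sub] = value
                return
        entries.append({filter_key: filter_val, sub: value})
        return
    parts = path.split(".")
    node = resource
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def get_scim_path(resource: dict, path: str):
    """Read a value back using the same path syntax; None if absent."""
    m = _FILTER_PATH.match(path)
    if m:
        attr, filter_key, filter_val, sub = m.groups()
        for entry in resource.get(attr, []):
            if entry.get(filter_key) == filter_val:
                return entry.get(sub)
        return None
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def azure_user_to_scim(azure_user: dict, mapping=ATTRIBUTE_MAPPING) -> dict:
    """Build the SCIM User that provisioning would send for this Azure user.
    Empty Azure attributes are skipped rather than sent as empty strings."""
    scim = {"schemas": [SCIM_USER_SCHEMA],
            "active": azure_user.get("accountEnabled", True)}
    for azure_attr, scim_path in mapping.items():
        value = azure_user.get(azure_attr)
        if value in (None, ""):
            continue
        set_scim_path(scim, scim_path, value)
    return scim


def mapping_errors(scim_user: dict) -> list:
    """Return the problems a provisioning log would report for this user."""
    errors = []
    for path in REQUIRED_SCIM_PATHS:
        if get_scim_path(scim_user, path) in (None, ""):
            errors.append(f"missing required attribute {path}")
    if get_scim_path(scim_user, 'emails[type eq "work"].value') is None:
        errors.append("no work email mapped (Azure 'mail' attribute empty?)")
    return errors


# Constructed sample Azure AD user (not a real account).
SAMPLE_AZURE_USER = {
    "userPrincipalName": "alice@example.com",
    "givenName": "Alice",
    "surname": "Example",
    "mail": "alice@example.com",
    "objectId": "11111111-2222-3333-4444-555555555555",
    "accountEnabled": True,
}

if __name__ == "__main__":
    import json
    user = azure_user_to_scim(SAMPLE_AZURE_USER)
    print(json.dumps(user, indent=2))
    print("mapping errors:", mapping_errors(user))
```

Run it as-is to see the full SCIM payload for the sample user; feed it a user whose `mail` or `objectId` is empty to see the errors you would otherwise only discover in the Azure AD provisioning log.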
Step 6 - Validate the Setup

Use a quick call to confirm SCIM connectivity before enabling large-scale sync.
PowerShell (Client Credentials example)
```powershell
# Connection values: replace with your server, realm and the SCIM client from Step 2
$server = "your.keycloak-server.example"
$realm = "yourrealm"
$client_id = "scim-from-azuread"
$client_secret = "your-client-secret"

# 1. Obtain an access token with the OAuth2 client credentials grant
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Content-Type", "application/x-www-form-urlencoded")
$body = "client_id=$client_id&client_secret=$client_secret&grant_type=client_credentials"
$response = Invoke-RestMethod "https://$server/auth/realms/$realm/protocol/openid-connect/token" -Method 'POST' -Headers $headers -Body $body
$token = $response.access_token

# 2. Call the SCIM Users endpoint with the bearer token
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Accept", "application/scim+json")
$headers.Add("Authorization", "Bearer " + $token)
$response2 = Invoke-RestMethod "https://$server/auth/realms/$realm/scim/v2/Users" -Method 'GET' -Headers $headers

# A SCIM ListResponse (schemas, totalResults, Resources) confirms the endpoint is reachable and the token is accepted
$response2 | ConvertTo-Json
```
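The same check in Python, added here as an example (it is not part of the MPAS SCIM extension or the Azure AD provisioning service). Beyond the PowerShell version above it does two things a practitioner wants during validation: it decodes the token's `exp` claim to report how long the token stays valid (relevant to the token-lifetime choice in Step 1), and it checks that the `/Users` reply is a SCIM 2.0 ListResponse and flags users that came back without an `externalId`, which the Step 5 mapping should always set. The environment variable names and the sample token and response are this example's assumptions.

```python
"""Python counterpart of the Step 6 connectivity check. Added example, not
part of the MPAS SCIM extension. Connection settings are read from
environment variables whose names are assumed for this example."""
import base64
import json
import os
import time
import urllib.parse
import urllib.request

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_seconds_remaining(token: str, now=None):
    """Seconds until the token's 'exp' claim, or None when the token is not a
    JWT carrying exp (an opaque or long-lived bearer token). The signature is
    deliberately not verified here; the SCIM endpoint does that."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # malformed base64 or JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)):
        return None
    return exp - (time.time() if now is None else now)


def summarize_list_response(payload: dict) -> dict:
    """Validate a SCIM 2.0 ListResponse and summarise what came back.
    Users without externalId are flagged because Step 5 maps objectId there."""
    if LIST_RESPONSE_SCHEMA not in payload.get("schemas", []):
        raise ValueError("response is not a SCIM 2.0 ListResponse")
    resources = payload.get("Resources", [])
    return {
        "totalResults": payload.get("totalResults", len(resources)),
        "returned": len(resources),
        "userNames": [r.get("userName") for r in resources],
        "missingExternalId": [r.get("userName") for r in resources
                              if not r.get("externalId")],
    }


def fetch_token(server, realm, client_id, client_secret):
    """OAuth2 client credentials grant against the realm's token endpoint."""
    url = f"https://{server}/auth/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def list_scim_users(server, realm, token):
    """GET /scim/v2/Users with the bearer token, as the PowerShell check does."""
    url = f"https://{server}/auth/realms/{realm}/scim/v2/Users"
    req = urllib.request.Request(
        url, headers={"Accept": "application/scim+json",
                      "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed samples (not real tokens or accounts) so the helpers run offline.
SAMPLE_JWT = ".".join([_b64url_encode(b'{"alg":"none"}'),
                       _b64url_encode(b'{"exp":1700000300,"iss":"sample"}'), ""])
SAMPLE_LIST_RESPONSE = {
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 2, "startIndex": 1, "itemsPerPage": 2,
    "Resources": [
        {"userName": "alice@example.com",
         "externalId": "11111111-2222-3333-4444-555555555555"},
        {"userName": "bob@example.com"},  # externalId missing: a mapping error to chase
    ],
}

if __name__ == "__main__":
    # Assumed variable names; set them to your server, realm and SCIM client values.
    server, realm = os.environ["MPAS_SERVER"], os.environ["MPAS_REALM"]
    token = fetch_token(server, realm,
                        os.environ["SCIM_CLIENT_ID"], os.environ["SCIM_CLIENT_SECRET"])
    remaining = jwt_seconds_remaining(token)
    print("token lifetime remaining:",
          "opaque/unknown" if remaining is None else f"{remaining:.0f}s")
    print(json.dumps(summarize_list_response(list_scim_users(server, realm, token)), indent=2))
```

A token that reports `opaque/unknown` is the long-lived kind the Step 1 table treats as a last resort; a short `exp` confirms the rotating-JWT setup. A non-empty `missingExternalId` list means the `objectId -> externalId` mapping is not being applied for those users.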

Best Practices
- Pilot first: start with a small assigned group before full rollout.
- Limit scope and rotate tokens: prefer a JWT with rotation; if a long-lived token is necessary, restrict it to SCIM only and rotate it regularly.
- Monitor provisioning logs: watch the Azure AD sync logs and the Keycloak SCIM logs to catch mapping errors early.
- Least privilege: restrict SCIM access to the dedicated client/role and the resource types needed.