# SCIM provisioning

SCIM (System for Cross-domain Identity Management) is an open standard (RFC 7643 and RFC 7644) for keeping users and groups synchronised between an identity provider and an application.

This article is for organisations with a large workforce that want to minimise manual account administration when rolling out new software. If you administer UMA for many users, we recommend automatic user provisioning and deprovisioning through SCIM.

In short, SCIM keeps the users in UMA, and the data associated with them, in sync with your directory.

### Key Advantages of SCIM Implementation

1. **Automatic user provisioning:** users are created in UMA directly from Microsoft Entra ID.
2. **Automatic user data updates:** user data in UMA follows changes made in Microsoft Entra ID (for example, a change of department) at the next sync.
3. **Automatic user deprovisioning:** users who leave your company are deactivated in UMA without manual work.

### How it operates

SCIM has two roles: a service provider, which hosts the SCIM endpoint and stores the resources, and a client, which pushes changes to that endpoint. UMA is the SCIM service provider; Microsoft Entra ID is the SCIM client.

Once provisioning is active, the Microsoft Entra ID provisioning service contacts UMA for each user that is in scope for provisioning, looks the user up by `userName`, and then:

* If the user is absent, UMA creates the corresponding resource.
* If the user exists but some attributes differ, UMA updates it.
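The exchange described above, modelled in Python as an added example (this is not UMA's or Microsoft's code). `ServiceProvider` stands in for UMA's SCIM endpoint and `entra_reconcile` for the lookup, create and update sequence the Entra ID provisioning service runs for each in-scope user. The endpoint paths, the token value, the in-memory store and the sample user are assumptions made for illustration; there is no real HTTP layer, requests are plain function calls.

```python
import hmac
import uuid
from urllib.parse import parse_qs, quote, urlsplit

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed stand-in for the token UMA shows on its integrations page.
SCIM_TOKEN = "uma-example-bearer-token"


def scim_error(status, scim_type=None):
    body = {"schemas": [SCIM_ERROR], "status": str(status)}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ServiceProvider:
    """Hypothetical UMA side: an in-memory /Users endpoint."""

    def __init__(self, token):
        self.token = token
        self.users = {}  # SCIM id -> User resource

    def _authorized(self, headers):
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        # The bearer token is the only credential on this endpoint, so it is
        # checked before any data is touched, and compared in constant time.
        return scheme == "Bearer" and hmac.compare_digest(
            presented.encode(), self.token.encode())

    def _find_by_user_name(self, user_name):
        return [u for u in self.users.values() if u["userName"] == user_name]

    def handle(self, method, url, headers, body=None):
        """Dispatch one request; returns (status, JSON-serialisable body)."""
        if not self._authorized(headers):
            return scim_error(401)
        parts = urlsplit(url)
        if method == "GET" and parts.path == "/Users":
            # Entra looks users up with:  filter=userName eq "<upn>"
            filt = parse_qs(parts.query).get("filter", [""])[0]
            attr, _, quoted = filt.partition(" eq ")
            if attr != "userName" or len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
                return scim_error(400, "invalidFilter")
            hits = self._find_by_user_name(quoted[1:-1])
            return 200, {"schemas": [SCIM_LIST], "totalResults": len(hits), "Resources": hits}
        if method == "POST" and parts.path == "/Users":
            if self._find_by_user_name(body["userName"]):
                return scim_error(409, "uniqueness")
            user = dict(body, id=str(uuid.uuid4()))
            self.users[user["id"]] = user
            return 201, user
        if method == "PATCH" and parts.path.startswith("/Users/"):
            user = self.users.get(parts.path[len("/Users/"):])
            if user is None:
                return scim_error(404)
            for op in body.get("Operations", []):
                if op.get("op", "").lower() != "replace" or "path" not in op:
                    return scim_error(400, "invalidValue")
                user[op["path"]] = op["value"]
            return 200, user
        return scim_error(404)


def entra_reconcile(provider, desired):
    """Hypothetical Entra side for one in-scope user: look the user up by
    userName, then create it or patch only the attributes that differ.
    Returns ("created" | "updated" | "unchanged", resource)."""
    headers = {"Authorization": "Bearer " + SCIM_TOKEN}
    lookup = "/Users?filter=" + quote('userName eq "%s"' % desired["userName"])
    status, listing = provider.handle("GET", lookup, headers)
    if status != 200:
        raise RuntimeError("lookup failed: %s" % listing)
    if listing["totalResults"] == 0:
        status, created = provider.handle("POST", "/Users", headers, desired)
        if status != 201:
            raise RuntimeError("create failed: %s" % created)
        return "created", created
    existing = listing["Resources"][0]
    ops = [{"op": "replace", "path": k, "value": v}
           for k, v in desired.items() if k != "schemas" and existing.get(k) != v]
    if not ops:
        return "unchanged", existing
    status, updated = provider.handle("PATCH", "/Users/" + existing["id"], headers,
                                      {"schemas": [SCIM_PATCH], "Operations": ops})
    if status != 200:
        raise RuntimeError("update failed: %s" % updated)
    return "updated", updated


# Constructed sample user, shaped like what Entra sends after attribute mapping.
ALICE = {"schemas": [SCIM_USER], "userName": "alice@example.com",
         "displayName": "Alice Example", "active": True,
         "externalId": "6f7d0e40-0000-4000-8000-000000000001"}

if __name__ == "__main__":
    sp = ServiceProvider(SCIM_TOKEN)
    print(entra_reconcile(sp, ALICE)[0])                    # created
    print(entra_reconcile(sp, ALICE)[0])                    # unchanged
    print(entra_reconcile(sp, dict(ALICE, active=False))[0])  # updated
```

The three calls in the demo are the three cases above: first sync creates the resource, a sync with no changes is a no-op, and a deactivation in Entra ID becomes a `PATCH` that replaces `active`. Note that a request with the wrong bearer token is rejected before the filter is even parsed.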

### **Required permissions**

Because SCIM works on a push principle, UMA never reads anything from Microsoft Entra ID. UMA therefore needs no Microsoft Graph permissions in your tenant. The only credential involved is the SCIM bearer token that Microsoft Entra ID presents to UMA's endpoint on every request; it is what protects the endpoint, so treat it as a secret.

For more information on SCIM provisioning with Microsoft Entra ID, see Microsoft's guide:

{% embed url="https://learn.microsoft.com/en-us/entra/architecture/sync-scim" %}

### Setup

1. Log into UMA, go to the integrations page and activate SCIM provisioning.

<figure><img src="/files/uxm3tHN6vBzeka195Cco" alt=""><figcaption></figcaption></figure>

2. Copy the **tenant URL** and **token** and keep them for the next steps. The token authenticates Microsoft Entra ID to UMA; store it as a secret rather than in a ticket or chat.
3. Log into Microsoft Entra ID and create a new **non-gallery** enterprise application.

<figure><img src="/files/raiEfPdHIzI4hDi151sA" alt="" width="439"><figcaption></figcaption></figure>

4. Go to **Provisioning**, set the provisioning mode to **Automatic**, enter the **tenant URL** and **token**, and test the connection.
5. Under **Mappings**, disable the Microsoft Entra ID Groups mapping.
6. Open the **Microsoft Entra ID Users** mapping. As a minimum, UMA requires the attributes below:

| UMA Attribute | Microsoft Entra ID Attribute |
| --- | --- |
| userName | userPrincipalName |
| active | Switch([IsSoftDeleted], , "False", "True", "True", "False") |
| displayName | displayName |
| externalId | **objectId** |

{% hint style="warning" %}
Make sure to change the Microsoft Entra ID attribute mapped to **externalId** to **objectId**. The object ID never changes for an account, so UMA can keep matching the same user after a rename; a mutable attribute in this position would make a renamed account look like a new user.
{% endhint %}

7. Under **Manage**, select **Users and groups** and add the users and groups you want to provision to UMA.
8. Go to **Provisioning** and click **Start provisioning**.

{% hint style="info" %}
The initial Microsoft Entra ID sync is triggered immediately after you enable provisioning. Subsequent syncs are triggered every 20-40 minutes, depending on the number of users and groups in the application. See [Provisioning summary report](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/check-status-user-account-provisioning#provisioning-summary-report) in the Microsoft Entra ID documentation.
{% endhint %}
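What the mapping in step 6 produces, as an added example in Python (not Microsoft's or UMA's code): `switch` models the semantics of Entra's `Switch()` expression, `MAPPING` applies the four rows of the table, and the two Entra user objects are constructed sample data, not real accounts. It shows how a soft-deleted account reaches UMA as `active: false` and why `externalId` is taken from the immutable `objectId`.

```python
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"


def switch(source, default, *pairs):
    """Model of Entra's Switch(source, default, key1, value1, key2, value2, ...):
    returns the value paired with the key equal to source, otherwise default."""
    if len(pairs) % 2:
        raise ValueError("Switch() takes key/value pairs")
    return dict(zip(pairs[0::2], pairs[1::2])).get(source, default)


# The minimum mapping from the table in step 6. externalId comes from objectId,
# which never changes for an account; the non-gallery default (mailNickname)
# can be edited, and a changed matching value looks like a different user.
MAPPING = {
    "userName": lambda u: u["userPrincipalName"],
    "active": lambda u: switch(u["IsSoftDeleted"], "", "False", "True", "True", "False"),
    "displayName": lambda u: u["displayName"],
    "externalId": lambda u: u["objectId"],
}


def to_scim_user(entra_user):
    """Build the SCIM User resource Entra would send to UMA for this account."""
    resource = {"schemas": [SCIM_USER]}
    for scim_attr, source in MAPPING.items():
        value = source(entra_user)
        if scim_attr == "active":
            # `active` is boolean in SCIM; the Switch() result is a string.
            # The expression's empty default is treated as an error here rather
            # than silently provisioning the user as active or inactive.
            if value not in ("True", "False"):
                raise ValueError("unexpected IsSoftDeleted value: %r"
                                 % entra_user.get("IsSoftDeleted"))
            value = value == "True"
        resource[scim_attr] = value
    return resource


# Constructed Entra ID user objects (sample data, not real accounts).
ACTIVE_USER = {
    "objectId": "6f7d0e40-0000-4000-8000-000000000001",
    "userPrincipalName": "alice@example.com",
    "mailNickname": "alice",
    "displayName": "Alice Example",
    "IsSoftDeleted": "False",
}
SOFT_DELETED_USER = dict(
    ACTIVE_USER,
    objectId="6f7d0e40-0000-4000-8000-000000000002",
    userPrincipalName="bob@example.com",
    mailNickname="bob",
    displayName="Bob Example",
    IsSoftDeleted="True",
)

if __name__ == "__main__":
    print(to_scim_user(ACTIVE_USER))        # active: True
    print(to_scim_user(SOFT_DELETED_USER))  # active: False
```

If Alice is renamed in Entra ID (new `userPrincipalName`, new `mailNickname`), the resource built from the renamed object still carries the same `externalId`, which is the property the warning above relies on.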

### Additional information

* When a user is permanently deleted from Microsoft Entra ID, they are removed from UMA during the next scheduled sync.
* When a user is soft deleted in Microsoft Entra ID, they are marked as inactive in UMA during the next sync. The user's email address in UMA is also updated according to what Microsoft sends in the provisioning request.
* When a user is removed from the SCIM application in Microsoft Entra ID, they are marked as inactive in UMA at the next scheduled sync.
* After SCIM is activated, user accounts that were added beforehand are managed independently of those created via SCIM. To bring manually added users under SCIM, include them in your SCIM application. Note that users provisioned via SCIM cannot be edited or deleted in UMA; only their permissions can be changed there.

