Setting up SCIM with Microsoft Entra

If you don’t already have an application in Entra, you can create one by navigating to “Applications” → “Enterprise Applications” and selecting “create your own application”.

In the app creation flow, input a name for your application and select “Integrate any other application you didn’t find in the gallery).

Once you have an application, you can enable SCIM by clicking on “Provisioning” on the left hand management side bar, or “Provision User Accounts” under the Getting Started section.

On the next view click “Get started” and then switch the provisioning mode from “Manual” to “Automatic”.

You will then be prompted to input Admin Credentials.

Create a new Microsoft Entra SCIM Connection in Stytch in the dashboard

Alternatively you can create through the Create SCIM Connection API – specifying Microsoft Entra as the IdP:

Taking the values from your Stytch SCIM connection, enter the returned base_url as the “Tenant URL” and the bearer_token as the “Secret Token”.

If you did not specify an IdP when creating the SCIM Connection, you must append ?aadOptscim062020 to the returned BaseURL, in order to flag the application into Entra’s SCIM 2.0 compliant version.

Click Test Connection and then save.

Once you’ve saved, click back into “Provisioning”, verify the Mapping and Settings. Within the users mappings, ensure you are mapping objectId to externalId. Next, turn Provisioning Status to “On”.

Once saved, you can test the SCIM integration by Assigning/Removing people from the application and seeing these changes propagate to your Stytch Member records. Entra does automatic syncing on a 40 minute timer, but you can also provision on demand to speed up testing.

To notify your own system of changes that occur via SCIM, you can configure webhooks.