To test out SCIM, set up an Entra developer instance to use for this guide.

Configure a SCIM connection for a specific Organization

1

Create application in Entra

If you don’t already have an application in Entra, create one by navigating to “Applications” → “Enterprise Applications” and selecting “create your own application”.

In the app creation flow, input a name for your application and select “Integrate any other application you didn’t find in the gallery”.
2

Enable automatic provisioning

Once you have an application, enable SCIM by clicking on “Provisioning” in the left-hand management sidebar, or “Provision User Accounts” under the Getting Started section.

On the next page, click “Get started” and then switch the provisioning mode from “Manual” to “Automatic”.

You should now see an “Admin Credentials” section. Leave this tab open, and navigate back to Stytch.
3

Create SCIM Connection in Stytch

Create a SCIM Connection on the Organization in the Stytch Dashboard or with the Create SCIM Connection endpoint. Select Microsoft Entra as the IdP.

Once you click save, you’ll be provided with the base URL and bearer token you’ll need for the next step.

Leave this tab open and navigate back to Entra to input the returned credentials.
4

Configure SCIM credentials in Entra

On the “Provisioning” tab under “Admin Credentials”:
  1. Copy the “BaseURL” from Stytch into the “Tenant URL” field
  2. Copy the “HTTP Header Bearer Token” from Stytch into the “Secret Token” field
If you did not specify an IdP when creating the SCIM Connection, you must append ?aadOptscim062020 to the returned BaseURL to flag the application into Entra’s SCIM 2.0 compliant version.

Click “Test Connection”, then save. Navigate back to “Provisioning”, and:
  1. Under “Mappings”, ensure that objectId is mapped to externalId (i.e. objectId is set as the “Source” attribute and externalId is set as the “Target” attribute).
  2. Toggle “Provisioning Status” to “On”.
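
The Tenant URL rule from this step can be checked in code before the value is pasted into Entra. This is an added example, not Stytch's or Microsoft's code: the function name entra_tenant_url, the https-only check, and the host scim.example.test are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Query flag named in this step; it is a bare key with no "=value" part.
ENTRA_SCIM2_FLAG = "aadOptscim062020"


def entra_tenant_url(base_url: str, idp_specified: bool) -> str:
    """Return the value to paste into Entra's "Tenant URL" field.

    base_url is the BaseURL returned for the SCIM Connection.
    idp_specified is True when an IdP was selected at creation time,
    in which case the BaseURL is used as returned.
    """
    parts = urlsplit(base_url.strip())
    # Added check (assumption): the bearer token is sent with every
    # provisioning request, so refuse anything that is not absolute https.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("BaseURL must be an absolute https:// URL")
    if parts.fragment:
        raise ValueError("BaseURL must not contain a fragment")
    if idp_specified:
        return urlunsplit(parts)
    # Keep any existing query tokens and add the flag once. A urlencode()
    # round trip would turn the bare flag into "aadOptscim062020=",
    # so the query is handled as plain '&'-separated tokens.
    tokens = [t for t in parts.query.split("&") if t]
    if ENTRA_SCIM2_FLAG not in tokens:
        tokens.append(ENTRA_SCIM2_FLAG)
    return urlunsplit(parts._replace(query="&".join(tokens)))


if __name__ == "__main__":
    # Constructed sample value, not a real connection URL.
    print(entra_tenant_url("https://scim.example.test/v1/conn-123", False))
```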
5

Provision users

Once saved, you can test the SCIM integration by assigning people to and removing people from the application. Entra does automatic syncing on a 40-minute timer, but you can provision on demand to speed up testing.

You should see the status of the member changing from active to deactivated.
6

(Optional) Configure webhooks

To notify your own system of changes that occur via SCIM, configure webhooks. See the full list of relevant webhooks here.

Next Steps

If you only have a few customers who require SCIM connections, you can manage them by hand in the Stytch Dashboard. However, as your enterprise customer base grows, you may want to build a UI in your application to allow admins of Organizations to self-serve creating and updating their own SCIM connections. The simplest way to add SCIM connection management to your application is to use Stytch’s pre-built Admin Portal component.