SCIM protocol configuration with Azure AD / Entra ID
Written by Klaxoon.
Updated this week

The SCIM (System for Cross-domain Identity Management) protocol automates user management, reducing manual tasks and errors. It also facilitates real-time access synchronization, improving the security and efficiency of identity processes.

Discover the different steps involved in setting it up with Azure AD / Entra ID.

1. Add Klaxoon to Microsoft Entra ID

Prerequisites

  • Private SSO required

  • Team Monoconsole

  • Azure AD or Okta, or an available API; full details HERE

  • A configuration session will be scheduled with Klaxoon technical teams

Configuration

  1. Log in to the Microsoft Azure portal with an administrator account.

  2. Go to Identity > Applications > Enterprise applications > New application.

  3. Click on “New application”.

  4. In the search bar, enter “Klaxoon” and choose Klaxoon SAML.

  5. Rename the application to Klaxoon SCIM (or any other name of your choice), then click on Create to create the application.

2. Configure provisioning

A configuration session should be scheduled with Klaxoon's technical teams. Synchronization tests will then be carried out (in both pre-production and production phases). Once these tests have been completed, the SCIM protocol will be operational.

Go to “Provisioning”.

Then click on “Get started”.

Then select “Automatic” mode.

Enter the tenant URL and secret token supplied by Klaxoon.

Perform a connection test and click on “Save” in the top left-hand corner.

Then access the “Mapping” menu.

Click on “Provision Microsoft Entra ID Groups” to associate the license field.

Add a new Mapping.

Edit the attribute and select “Expression” in “Mapping type”.

Depending on the group's Object ID, the expression sets the license field to TRUE or FALSE:

  • if the value is FALSE, it's an account without a license

  • if the value is TRUE, it's a licensed account

Set up the groups:

  • a group for Free users (all users)

  • a specific group for users with a Pro license only

Retrieve the Object ID of these groups and build the expression on this model:

Switch([objectId], "false", "Object_ID_groupe_des_PROs", "true", "Object_ID_groupe_des_FREEs", "false")

Select the following target attribute:

Finally, click on “Ok”.

Then save by clicking on “Save” in the top left-hand corner.

From the overview, go to “Users and groups”.

There, attach the groups.

Choose the Free and Pro user groups, then assign them.

Finally, start provisioning.

Account provisioning will take a variable amount of time, depending on the number of accounts and Microsoft Entra ID's synchronization velocity.
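The Switch mapping built above decides which groups receive a license, so it is worth checking before saving that it falls back to "false" for any group it does not list. The following is an added example, not Klaxoon's or Microsoft's code: a small Python model of the expression that assumes Switch(source, default, key1, value1, ...) semantics with exact string matching. The group Object IDs are constructed placeholders and the function names are hypothetical.

```python
import re

# Constructed placeholder object IDs, not real groups.
PRO_GROUP = "11111111-1111-1111-1111-111111111111"
FREE_GROUP = "22222222-2222-2222-2222-222222222222"
EXPRESSION = (f'Switch([objectId], "false", "{PRO_GROUP}", "true", '
              f'"{FREE_GROUP}", "false")')

def parse_switch(expr):
    """Split Switch([attr], default, key1, value1, ...) into its parts.
    Handles only quoted string arguments, as in the article's model."""
    m = re.fullmatch(r'\s*Switch\(\s*\[(\w+)\]\s*,(.*)\)\s*', expr, re.S)
    if not m:
        raise ValueError("not a Switch([attribute], ...) expression")
    args = re.findall(r'"([^"]*)"', m.group(2))
    if len(args) < 3 or len(args) % 2 == 0:
        raise ValueError("expected a default followed by key/value pairs")
    return m.group(1), args[0], list(zip(args[1::2], args[2::2]))

def evaluate(expr, object_id):
    """Value for the first key equal to object_id, else the default.
    Exact string comparison is an assumption of this sketch."""
    _, default, pairs = parse_switch(expr)
    return next((v for k, v in pairs if k == object_id), default)

def audit(expr, licensed_groups):
    """Return findings; an empty list means only licensed_groups map to
    "true" and every other group falls back to "false"."""
    attr, default, pairs = parse_switch(expr)
    wanted = set(licensed_groups)
    findings = []
    if attr != "objectId":
        findings.append(f"source attribute is {attr}, expected objectId")
    if default.lower() != "false":
        findings.append("default is not false: unmapped groups get a license")
    keys = [k for k, _ in pairs]
    findings += [f"duplicate key {k}" for k in sorted(set(keys)) if keys.count(k) > 1]
    granted = {k for k, v in pairs if v.lower() == "true"}
    findings += [f"unexpected licensed group {g}" for g in sorted(granted - wanted)]
    findings += [f"licensed group {g} is not mapped to true" for g in sorted(wanted - granted)]
    return findings

if __name__ == "__main__":
    for gid in (PRO_GROUP, FREE_GROUP, "33333333-3333-3333-3333-333333333333"):
        print(gid, "->", evaluate(EXPRESSION, gid))
    print("findings:", audit(EXPRESSION, [PRO_GROUP]) or "none")
```
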

3. How it works

Synchronization cycle:

  • Microsoft Entra synchronizes every 40 minutes

  • When a license is downgraded, the user is automatically removed from the “Pro” group within 24 hours.

License management:

  • Licenses are allocated exclusively via Microsoft Entra

  • The console is now read-only, so administrators can continue to consult statistics and transfer ownership of an activity from one user to another.

Specific points:

  • Take into account delays linked to Microsoft Entra's synchronization velocity

  • Avoid synchronization of external or unauthorized domain names

If you'd like to find out more about the available integrations, check out the resources on this link.
