Azure AD SCIM Setup — SCIM Azure Provisioning Guide
Configure automatic user provisioning from Microsoft Entra ID (Azure AD) to SecureCodingHub using SCIM 2.0. This Azure SCIM walkthrough covers token generation, the provisioning app, attribute mapping, and the end-to-end SCIM Azure flow you need before you go live.
Prerequisites
- Azure AD tenant with admin access
- SecureCodingHub org admin account
- SSO configured (recommended but not required)
Step 1 — Generate a SCIM Token
1. Log in to SecureCodingHub as Org Admin
2. Go to Settings → SCIM
3. Click Generate Token
4. Copy the token — it is shown only once
Step 2 — Configure Provisioning in Azure AD
1. Go to Azure Portal → Microsoft Entra ID → Enterprise Applications
2. Select your SecureCodingHub application (or create one)
3. Go to Provisioning → Get started
4. Provisioning Mode: Automatic
5. Tenant URL: https://api.securecodinghub.com/api/sch/scim/v2
6. Secret Token: paste your SCIM token
7. Click Test Connection — should succeed
8. Save
Step 3 — Configure Attribute Mapping
Ensure the following attributes are mapped correctly in your Azure AD provisioning configuration:
| Azure AD Attribute | SecureCodingHub SCIM Attribute |
|---|---|
| userPrincipalName | userName |
| mail | emails[type eq "work"].value |
| givenName | name.givenName |
| surname | name.familyName |
| Switch([IsSoftDeleted]...) | active |
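The SCIM User resource implied by this mapping table, as an added Python example that is not SecureCodingHub's or Microsoft's code. The function names and the two sample users are hypothetical, and the code assumes the elided Switch expression makes active the inverse of IsSoftDeleted. It also lists which optional source attributes are empty for a user, which is worth checking before the initial cycle.

```python
# Added example (not SecureCodingHub or Microsoft code): apply the Step 3 mapping.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # core User URN, RFC 7643

# Source attributes from the Step 3 table that map to optional SCIM attributes.
OPTIONAL_SOURCES = ("mail", "givenName", "surname")


def to_scim_user(src: dict) -> dict:
    """Build the SCIM User resource implied by the Step 3 attribute mapping."""
    if not src.get("userPrincipalName"):
        # userName is a required attribute of the SCIM core User schema.
        raise ValueError("userPrincipalName is empty, so userName cannot be set")
    user = {
        "schemas": [USER_SCHEMA],
        "userName": src["userPrincipalName"],
        # Assumption: the elided Switch([IsSoftDeleted]...) expression makes
        # active the inverse of IsSoftDeleted.
        "active": not src.get("IsSoftDeleted", False),
    }
    name = {}
    if src.get("givenName"):
        name["givenName"] = src["givenName"]
    if src.get("surname"):
        name["familyName"] = src["surname"]
    if name:
        user["name"] = name
    if src.get("mail"):
        # emails[type eq "work"].value selects the entry whose type is "work".
        user["emails"] = [{"type": "work", "value": src["mail"]}]
    return user


def mapping_gaps(src: dict) -> list:
    """Source attributes that are empty and would be left out of the payload."""
    return [attr for attr in OPTIONAL_SOURCES if not src.get(attr)]


# Constructed sample records, not real tenant data.
ALICE = {"userPrincipalName": "alice@example.com", "mail": "alice@example.com",
         "givenName": "Alice", "surname": "Ng", "IsSoftDeleted": False}
BOB = {"userPrincipalName": "bob@example.com", "mail": None,
       "givenName": "Bob", "surname": "Ortiz", "IsSoftDeleted": True}

if __name__ == "__main__":
    import json
    for record in (ALICE, BOB):
        print(json.dumps(to_scim_user(record), indent=2), mapping_gaps(record))
```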
Step 4 — Start Provisioning
1. Set provisioning status to On
2. Save
3. Azure AD runs the initial cycle (may take 20–40 minutes)
4. Subsequent cycles run every ~40 minutes
Step 5 — Verify
1. Check SecureCodingHub Users page
2. Review provisioning logs in Azure Portal
Pre-deployment checklist for Azure AD SCIM
Two early decisions shape the rest of your Azure AD SCIM deployment. The first is whether to use a gallery application or a non-gallery enterprise application. SecureCodingHub is not currently listed in the Microsoft Entra application gallery, so you will create a non-gallery enterprise app from the New application screen. This is a normal supported path. Gallery apps are convenient when they exist but are not required for SCIM provisioning to work, and the manual setup gives you control over claim names and assignment scope.
The second decision is the relationship between provisioning and assignment. Provisioning in Entra ID does not automatically equal access. You configure provisioning under the Provisioning blade, but users only sync when they are assigned to the application under Users and groups. If you skip the assignment step, the provisioning cycle runs and reports zero changes, which often leads to a wasted hour of investigation. Confirm the Scope setting in the Provisioning blade matches your assignment strategy: Sync only assigned users and groups is the safer default unless you genuinely want every licensed user in the tenant to land in SecureCodingHub.
When the sync stalls
Azure AD will quarantine a provisioning job if it sees repeated errors from the SCIM endpoint. The quarantine banner appears at the top of the Provisioning blade and is the most common cause of a stalled sync. Causes fall into three buckets. Authentication failure is the typical first quarantine: the SCIM token pasted into Azure AD has since been regenerated or revoked in SecureCodingHub. Generate a new token in SecureCodingHub, paste it into the Secret Token field, click Test Connection until it succeeds, then click Restart provisioning to clear quarantine.
Schema mismatches are the second bucket. If you customize the attribute mapping table and reference a SCIM attribute that the endpoint does not expose, Azure AD logs a schema error and stops processing. Revert to the default mapping confirmed in the SCIM overview page and add custom mappings only after the baseline is working. The third bucket is rate limiting: very large tenants can hit per-minute limits during the initial cycle, which Azure AD interprets as service errors. If you suspect this, scope the initial sync to a smaller assigned group, let it complete, then expand the assignment.