This information only applies to organizations on the Pro and Enterprise plans.
SCIM for Azure Active Directory supports the following SCIM resources:
- Users (mapped directly to BSR Users)
- Groups (not directly represented in the BSR, but can be added to BSR Organizations by name to manage Organization membership)
The steps below must be carried out by users with administrative privileges in your Azure AD account.
- Setup (Pro | Enterprise) needs to be complete. You need to know your private BSR server domain (for example, buf.example.com) for the steps below.
Enable SCIM provisioning
- Complete the SCIM prerequisites if you haven't already.
- Sign in to your Azure portal.
- Navigate to your BSR application under Enterprise applications in your Azure Active Directory tenant.
- Click Provisioning on the sidebar, then click Configure Provisioning.
- Under Provisioning Mode, select
- Under Admin Credentials, enter the following information:
- Tenant URL:
- Secret Token: enter the SCIM token you created earlier
- Click Save.
Configure SCIM mappings
Navigate to your BSR application under Enterprise applications in your Azure Active Directory tenant.
On the left sidebar, navigate to Provisioning, and then Provisioning again.
Under Mappings, click Provision Azure Active Directory Users.
Ensure that the following attribute mappings are set. Delete all other attribute mappings.
Azure Active Directory attribute Application attribute
Switch([IsSoftDeleted], , "False", "True", "True", "False")
emails[type eq "work"].value
In the Overview tab in the Provisioning app, click Start Provisioning. Azure provisions users on a fixed interval, but you can also navigate to Provision on demand to provision users immediately.
If you assigned this Azure application to users before enabling SCIM, Azure will try to match those users to existing users within the BSR, and this should succeed without error. If this fails, consult the Provisioning Logs tab in the Provisioning app.
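To check what the two mapping rows listed under Configure SCIM mappings produce, the following added Python example (not Buf's or Microsoft's code) evaluates the `Switch` expression and fills the `emails[type eq "work"].value` path for constructed directory objects. It assumes the `Switch` result is written to the standard SCIM `active` attribute and that the email comes from a source attribute named `mail`; neither is shown in the table above.

```python
import re

# Mapping expression copied from the attribute mapping table above.
SWITCH_EXPR = 'Switch([IsSoftDeleted], , "False", "True", "True", "False")'
# Application attribute path copied from the attribute mapping table above.
EMAIL_PATH = 'emails[type eq "work"].value'

# Constructed sample directory objects (not real accounts).
ENABLED = {"mail": "ada@example.com", "IsSoftDeleted": False}
DELETED = {"mail": "bob@example.com", "IsSoftDeleted": True}


def eval_switch(expr, source_attrs):
    """Evaluate Switch(source, default, key1, value1, ...) for one object."""
    inner = re.fullmatch(r'\s*Switch\((.*)\)\s*', expr).group(1)
    # Splitting on commas is enough here: no argument contains a comma.
    args = [a.strip() for a in inner.split(",")]
    source = args[0].strip("[]")
    default = args[1].strip('"')  # empty in this mapping: no fallback value
    literals = [a.strip('"') for a in args[2:]]
    table = dict(zip(literals[0::2], literals[1::2]))
    return table.get(str(source_attrs[source]), default)


def set_scim_path(resource, path, value):
    """Set a value at a SCIM path of the form attr[sub eq "x"].leaf."""
    m = re.fullmatch(r'(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)', path)
    attr, sub, match, leaf = m.groups()
    items = resource.setdefault(attr, [])
    entry = next((i for i in items if i.get(sub) == match), None)
    if entry is None:
        entry = {sub: match}
        items.append(entry)
    entry[leaf] = value
    return resource


def build_scim_user(source_attrs, email_source="mail", active_target="active"):
    # email_source and active_target are assumptions: the table above does not
    # show the Azure source for the email or the target of the Switch expression.
    user = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    user[active_target] = eval_switch(SWITCH_EXPR, source_attrs)
    return set_scim_path(user, EMAIL_PATH, source_attrs[email_source])


if __name__ == "__main__":
    for obj in (ENABLED, DELETED):
        print(build_scim_user(obj))
```

The expression inverts `IsSoftDeleted`, so a user soft-deleted in Azure AD is provisioned with the value `"False"` and a live user with `"True"`.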