
Setting up SCIM provisioning with Microsoft Entra ID

Automatically sync your Microsoft Entra ID users to Whistleblower Software using SCIM provisioning.

SCIM (System for Cross-domain Identity Management) lets you automatically provision and deprovision users in Whistleblower Software directly from Microsoft Entra ID. Instead of manually managing users in the platform, any changes you make in Entra ID are synced automatically.

Once set up, users assigned to the application in Entra ID will be provisioned in Whistleblower Software automatically. If a user is removed from the assigned group, they will be disabled, and if they are permanently deleted in Entra ID, they will be removed from Whistleblower Software entirely.


Before you start

  • In Microsoft Entra ID, you must have one of the following roles to configure SCIM provisioning:

    • Global Administrator

    • Cloud Application Administrator

    • Application Administrator

    • Owner of the service principal

  • In Whistleblower Software, you must have either the Administrator or System Technician role to access Settings > Security > SCIM Provisioning.

  • SCIM 2.0 is available on the Advanced plan only.


Steps

Step 1: Enable SCIM provisioning in the platform

  1. Go to Settings > Security.

  2. Click Generate SCIM Configuration.

  3. Copy the URL shown under the URL field. This is the base URL for all SCIM API requests and will be used as the Tenant URL in Microsoft Entra ID.

  4. Copy the Authorization Header value. This is your Bearer token and will be used as the Secret Token in Microsoft Entra ID.

If you ever need to reset your SCIM credentials, click Regenerate SCIM settings. This will generate a new URL and Authorization Header. Any existing SCIM connection will need to be updated with the new values.


Step 2: Create a new application in Microsoft Entra ID

  1. Go to Microsoft Entra ID and navigate to Enterprise Applications.

  2. Click New Application, then select Create your own application.

  3. Enter a name for the application, for example "Whistleblower Software".

  4. Select Integrate any other application you don't find in the gallery.

  5. Click Create.


Step 3: Configure provisioning

  1. Open the new application and go to Provisioning.

  2. Click Get started and set the Provisioning Mode to Automatic.

  3. Under Admin Credentials, enter the following from Step 1:

    • Tenant URL: Paste the URL you copied from Whistleblower Software in Step 1.

    • Secret Token: Paste the Authorization Header value you copied from Whistleblower Software in Step 1.

  4. Click Test Connection to verify the credentials are working correctly. You should see a confirmation that the connection was successful.

  5. Click Save.

  6. Go to Provisioning > Settings and set the Scope to Sync only assigned users and groups. This ensures only the users you explicitly assign are provisioned, rather than your entire directory.


Step 4: Assign users or groups

  1. In the application, go to Users and Groups.

  2. Click Add user/group and select the users or groups you want to provision to Whistleblower Software.

  3. Click Assign.


Step 5: Start provisioning

  1. Go to Provisioning and click Start Provisioning.

  2. The initial sync may take a few minutes depending on the number of users being provisioned.

  3. Once complete, you can check the provisioning logs to confirm the sync was successful.


Verifying the sync

Once provisioning is complete, you can verify the sync was successful in two places:

  • In Microsoft Entra ID: The provisioning logs will show each user that was successfully synced along with their status.

  • In Whistleblower Software: Go to Users. The users assigned in Entra ID should now appear in the list. Any future changes made in Entra ID, such as adding or removing users, will be reflected in Whistleblower Software automatically.


Configuring user permissions after provisioning

When users are provisioned through SCIM, they are assigned base user permissions by default. Permissions cannot be configured during the provisioning process itself, so after the sync is complete you will need to go into the Users page and manually update permissions for any user who needs a different role, such as Administrator.


How deprovisioning works

Whistleblower Software supports deprovisioning through SCIM. The behavior depends on what action is taken in Microsoft Entra ID:

  • If a user is removed from the assigned group: The user will be disabled in Whistleblower Software.

  • If a user is permanently deleted in Entra ID: The user will be fully removed from Whistleblower Software.

Note: Microsoft Entra ID syncs changes on a scheduled incremental cycle. Changes made in Entra ID will not be reflected in Whistleblower Software immediately. If you need to remove a user's access urgently, manually remove them from the Users page.
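
In SCIM 2.0 terms, the two outcomes above arrive as different requests: Microsoft Entra ID disables a user with a PATCH that sets active to false, and removes one with a DELETE. The following is an added example, not Whistleblower Software's own code, that classifies such requests the way a SCIM endpoint has to, including the string "False" and path-less variants that Entra ID can send. The /scim/v2 path prefix, the user ids and the function names are constructed for illustration.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def is_false(value):
    """True for JSON false and for the string form ("False") some clients send."""
    if isinstance(value, bool):
        return not value
    return isinstance(value, str) and value.strip().lower() == "false"

def deprovisioning_effect(method, path, body=None):
    """Classify one SCIM request as 'delete', 'disable' or 'other'."""
    parts = [p for p in path.split("?")[0].split("/") if p]
    # Only requests addressed to one user resource (.../Users/{id}) qualify.
    if len(parts) < 2 or parts[-2] != "Users":
        return "other"
    if method.upper() == "DELETE":
        return "delete"
    if method.upper() != "PATCH" or not body:
        return "other"
    doc = json.loads(body)
    if PATCH_SCHEMA not in doc.get("schemas", []):
        return "other"
    for op in doc.get("Operations", []):
        if str(op.get("op", "")).lower() != "replace":
            continue
        attr, value = op.get("path"), op.get("value")
        if isinstance(attr, str) and attr.lower() == "active" and is_false(value):
            return "disable"
        # Path-less form: the value is an object that carries the attributes.
        if attr is None and isinstance(value, dict) and is_false(value.get("active")):
            return "disable"
    return "other"

def patch(*operations):
    return json.dumps({"schemas": [PATCH_SCHEMA], "Operations": list(operations)})

# Constructed sample requests; the /scim/v2 prefix and the ids are placeholders.
SAMPLES = [
    ("PATCH", "/scim/v2/Users/id-1", patch({"op": "Replace", "path": "active", "value": False})),
    ("PATCH", "/scim/v2/Users/id-2", patch({"op": "Replace", "path": "active", "value": "False"})),
    ("PATCH", "/scim/v2/Users/id-3", patch({"op": "replace", "value": {"active": False}})),
    ("DELETE", "/scim/v2/Users/id-4", None),
    ("PATCH", "/scim/v2/Users/id-5", patch({"op": "Replace", "path": "active", "value": True})),
]

if __name__ == "__main__":
    for m, p, b in SAMPLES:
        print(p, deprovisioning_effect(m, p, b))
```

A disabled account still exists in the platform and can be re-enabled by a later PATCH with active set to true (the id-5 case), whereas a DELETE is the permanent removal described above.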


Troubleshooting

  • Test Connection fails: Double-check that the Tenant URL and Secret Token were copied correctly from Whistleblower Software with no extra spaces. If the token has expired, generate a new SCIM configuration and try again.

  • Users are not appearing after sync: Make sure the users or groups have been assigned to the application in Entra ID and that provisioning has been started. Check the provisioning logs in Entra ID for any errors.


We’re here to support you. If you have questions, reach out to us directly via the Messenger icon in the bottom right corner of your screen, or send us an email at [email protected]
