Skip to main content

Setting up SCIM provisioning with Microsoft Entra ID

Automatically sync your Microsoft Entra ID users to Formalize Software using SCIM provisioning.

SCIM (System for Cross-domain Identity Management) lets you automatically provision and deprovision users in Formalize platform directly from Microsoft Entra ID. Instead of manually managing users in the platform, any changes you make in Entra ID are synced automatically.

Once set up, users assigned to the application in Entra ID will be provisioned in Formalize automatically. If a user is removed from the assigned group they will be disabled, and if they are permanently deleted in Entra ID they will be removed from Formalize entirely.

Before you start

  • In Microsoft Entra ID, you must have one of the following roles to configure SCIM provisioning:

    • Global Administrator

    • Cloud Application Administrator

    • Application Administrator

    • Owner of the service principal

  • In Formalize, you must have either the Administrator or System Technician role to access Settings > Security > SCIM Provisioning.

Steps

Step 1 - Enable SCIM provisioning in the platform

  1. Go to Company → Settings → Security → SCIM Provisioning

  2. Click Generate SCIM Configuration.

  3. Copy the URL shown under the URL field. This is the base URL for all SCIM API requests and will be used as the Tenant URL in Microsoft Entra ID.

  4. Copy the Authorization Header value. This is your Bearer token and will be used as the Secret Token in Microsoft Entra ID.

If you ever need to reset your SCIM credentials, click Regenerate SCIM settings. This will generate a new URL and Authorization Header. Any existing SCIM connection will need to be updated with the new values.

Step 2: Create a new application in Microsoft Entra ID

  1. Go to Microsoft Entra ID and navigate to Enterprise Applications.

  2. Click New Application, then select Create your own application.

  3. Enter a name for the application, for example "Formalize Software".

  4. Select Integrate any other application you don't find in the gallery.

  5. Click Create.

Step 3: Configure provisioning

  1. Open the new application and go to Provisioning.

  2. Click Get started and set the Provisioning Mode to Automatic.

  3. Under Admin Credentials, enter the following from Step 1:

    • Tenant URL: Paste the Tenant URL generated in Formalize Software.

    • Secret Token: Paste the Secret Token generated in Formalize Software.

  4. Click Test Connection to verify the credentials are working correctly. You should see a confirmation that the connection was successful.

  5. Click Save.

  6. Go to Provisioning > Settings and set the Scope to Sync only assigned users and groups. This ensures only the users you explicitly assign are provisioned, rather than your entire directory.

  7. If provisioning users in a group, disable the provisioning of “groups” (users in groups will still be provisioned)

Step 4: Assign users or groups

  1. In the application, go to Users and Groups.

  2. Click Add user/group and select the users or groups you want to provision to Formalize Software.

  3. Click Assign.

Step 5: Start provisioning

  1. Go to Provisioning and click Start Provisioning.

  2. The initial sync may take a few minutes depending on the number of users being provisioned.

  3. Once complete, you can check the provisioning logs to confirm the sync was successful.

Verifying the sync

Once provisioning is complete, you can verify the sync was successful in two places:

  • In Microsoft Entra ID: The provisioning logs will show each user that was successfully synced along with their status.

  • In Formalize: Go to Users. The users assigned in Entra ID should now appear in the list. Any future changes made in Entra ID, such as adding or removing users, will be reflected in Formalize automatically.

Configuring user permissions after provisioning

When users are provisioned through SCIM, they are assigned base user permissions by default. Permissions cannot be configured during the provisioning process itself, so after the sync is complete you will need to go into the Users page and manually update permissions for any user who needs a different role, such as Administrator.

How deprovisioning works

Formalize supports deprovisioning through SCIM. The behavior depends on what action is taken in Microsoft Entra ID:

  • If a user is removed from the assigned group: The user will be disabled in Formalize.

  • If a user is permanently deleted in Entra ID: The user will be fully removed from Formalize.

Note: Microsoft Entra ID syncs changes on a scheduled incremental cycle. Changes made in Entra ID will not be reflected in Formalize immediately. If you need to remove a user's access urgently, manually remove them from the Users page.

Troubleshooting

  • Test Connection fails: Double-check that the Tenant URL and Secret Token were copied correctly from Formalize with no extra spaces. If the token has expired, generate a new SCIM configuration and try again.

  • Users are not appearing after sync: Make sure the users or groups have been assigned to the application in Entra ID and that provisioning has been started. Check the provisioning logs in Entra ID for any errors.

We’re here to support you. If you have questions reach out to us directly via the Messenger icon in the bottom right corner of your screen, or send us an email at [email protected]

Related Articles
Setting up SAML with Google Workspace
Setting up SAML with Microsoft Azure
Setting up SCIM provisioning with Microsoft Entra ID
Did this answer your question?