This article outlines the steps required to configure a SCIM (System for Cross-domain Identity Management) client—using Azure AD as an example—for automatic user provisioning. It provides a detailed guide to help you seamlessly set up and manage user provisioning within your system.

Azure AD supports SCIM to enable automatic provisioning and de-provisioning of users and groups in your application. By integrating with SCIM, you can streamline user management tasks such as:

• Adding users to your application.

• Updating user attributes when they change in Azure AD.

• Removing users when they leave your organization.

Before starting, ensure you have the following:

• Administrator access to your Azure AD tenant.

• A SCIM-compatible backend system (e.g., your application) ready to handle user provisioning requests.

• The SCIM endpoint URL and bearer token for your application.

• User attributes and schema requirements for your application.

1. Log in to Azure Portal
   Navigate to Azure AD Portal and sign in with admin credentials.

2. Register a New Enterprise Application

   • Go to Azure Active Directory → Enterprise Applications.

   • Click on + New Application.

   • Select Create your own application and name it (e.g., "SCIM Provisioning App").

   • Choose Integrate any other application you don’t find in the gallery.

1. Enable Provisioning

   • Navigate to Provisioning in the SCIM app.

   • Click on Get Started to open the provisioning settings.

2. Enter SCIM Endpoint URL

   • Set Provisioning Mode to Automatic.

   • Enter the SCIM endpoint URL (e.g., https://api.yourapp.com/tim/api/scim).

3. Generate a Bearer Token
   Follow these steps to generate a bearer token in TIM application:

   • Step 1: Log in to TIM
     Log in to the application using an account with admin rights.

   • Step 2: Navigate to Administration → Active Users
     Select sys.scim user → 3 dot menu → Generate bearer token.

     Open

     

     if there is no sys.scim user, navigate to TIM migration page (/loom-portal/migrate.htm) as a super admin and click the Setup System Identities button after which the scim user will be created.

     Open

     

   • Step 3: Copy the generated Bearer Token

4. Paste the Bearer Token in Azure SCIM App

   • Return to Azure AD.

   • In the Provisioning section of your SCIM app, paste the bearer token into the Secret Token field.

     Open

     

5. Test Connection

   • Click on Test Connection to validate the endpoint and token.

   • Fix any errors if the test fails.

6. Set Attribute Mappings

   • Configure attribute mappings for Users and Groups.

   • Ensure that required attributes (e.g., userName, email, groups) align with your application schema.

Users Attribute Mapping Table:

Open

Groups Attribute Mapping Table:

Open

7. Set Scope

   • Choose whether to provision All Users or a specific group of users.

8. Start Provisioning

   • Set the Provisioning Status to On.

   • Click Save to activate provisioning.

To select which users and groups are synchronized, go to the Users and Groups blade on your Enterprise application, and choose the users and groups you would like to have provisioned:

Open

Once you have selected the users and groups you would like to provision, the synchronization should run every 40 minutes and create your users and groups as configured.

For more information on how to read the Azure AD provisioning logs, see Reporting on automatic user account provisioning.

1. In the Azure AD, create or pick a group for the people you want to manage.

   Open

   

2. Add users to that group in Azure

   Open

   

3. Assign the group to your SCIM Enterprise application so provisioning will include it.

   • Go to the SCIM Enterprise Application for TIM → Users and groups → Add user/group → select the Azure group.

     Open

     

4. Wait for provisioning (automatic sync every ~40 minutes) or use Azure’s on-demand provisioning to push changes immediately.

5. Verify that group membership appear in TIM.

1. In Azure AD, create or pick a group for the people you want to assign a role to.

2. Name the group using the role. prefix and the role identifier:

   • Standard static role example: role.workflow-designer→ all members get the workflow-designer role in TIM.

3. Add users to that Azure group.

4. Ensure the group is assigned to your SCIM enterprise application in Azure (so it is included in provisioning).

5. Wait for provisioning (or use Azure’s on-demand provisioning) and verify users have the expected role in TIM.

1. No TIM group is created for Azure groups whose name starts with role. These groups map to roles, not to TIM groups.

2. Static role assignment: If a group is named role.<roleName>, every member of that group is assigned the static role <roleName> in TIM. Example: role.processmanager → static role processmanager.

3. Skip system/internal roles: Any system/internal role names (for example system, timer, viewer) are deliberately ignored and will not be assigned.

4. Skip unknown roles: If the role after role. is not recognized by TIM (for example Role.abc where abc is not a known role), TIM will skip it.

5. Case-insensitive: All role and group name matching is case-insensitive. Role.Processmanager and role.processmanager are identical to TIM.

• Error: "Invalid SCIM endpoint or token"
  Ensure the SCIM URL and bearer token are correct and accessible from Azure AD.

• Provisioning updates not reflected in your app
  Check the attribute mappings and ensure your backend handles PATCH requests correctly.

• Unexpected de-provisioning
  Review the Scope settings to avoid unintentional deletions.

• Group memberships lost after group deletion in target app and re-provisioning
  When Azure AD provisions a group and someone later deletes this group from the target application (TIM), the group is re-created during the next provisioning cycle. However, its members are not automatically reassigned unless provisioning is manually restarted.
  If group memberships are missing after a group is re-provisioned, manually restart provisioning to restore memberships.

• Nested groups not expanding
  Azure AD’s SCIM provisioning does not flatten nested group hierarchies. If you provision a group that contains another group as a member, the nested group itself may be created, but its user members will not be automatically included in the parent group’s membership payload. As a result, you’ll see the “create group” operation for the nested group, but user members inside that nested group will be skipped.

• manager deletion from user in Azure AD
  When a user's manager attribute is cleared in Azure Active Directory, Azure AD does not include this change in SCIM update payloads sent to the target application.

Updates to add users or modify groups in Azure AD will be replicated to the Platform with at most 40 minutes since the modification to the Azure Group.

A user is disabled in the Platform for up to 30 days after the user is removed/disabled. After 30 days the user is permanently deleted from the Platform.  For more information see Azure's documentation on de-provisioning

SCIM provisions users with a default password via the SCIM endpoint. After the user is provisioned, they can log in using this default password defined by initpass-x-others tim property.

If a user/group exists in the TIM platform and was created with SCIM (externalId is present), it will not attempt to create the user/group. If the user exists but its externalId is null, the TIM will bind the externalId taken from the incoming user in request, matching by username or email. If the user/group doesn't exist in the platform, it will be created in the SCIM directory.

The synchronization with Azure is a one-way-sync. User changes in TIM do not update the user in your Azure AD who will still show up as provisioned. Remove (and re-provision) the user in Azure as needed. 

Yes, it is possible to immediately provision a user/group through Azure's provision-on-demand feature. This allows you to trigger provisioning manually, bypassing the standard 40-minute automatic provisioning cycle.

Limitations to Consider:

• Group Provisioning: On-demand provisioning of groups supports updating up to five members at a time. If you need to provision a group with more than five members, you'll need to do so in multiple steps.

• Cross-Tenant Synchronization: Connectors for cross-tenant synchronization do not support group provisioning and, as a result, do not support on-demand provisioning of groups.

• User Deletion: Restoring a previously soft-deleted user in the target tenant with on-demand provisioning isn't supported.

While provision-on-demand offers faster provisioning, it is not a full replacement for the automatic provisioning process and might still be subject to certain timing limitations.

The initial synchronization with the TIM Platform can take anywhere from 30 minutes up to about 2 days, depending on how many users and groups you synchronize and how you choose to synchronize them. Refer to the following chart to get a better estimate: How long will it take to provision users?

This can occur for a couple of reasons:

1. If a user already exists within the platform and has all the correct data when initially provisioning, "skipped" will be shown.

2. "Skipped" can also appear when changes are made to Azure AD resources that are not being synchronized with the platform.

Additionally, if changes are made in the target application (TIM platform), re-provisioning may be skipped due to Azure AD limitations with group memberships. While the group and user can be re-provisioned, group members may not be automatically reassigned. This issue can cause inconsistencies in group memberships.
The workaround is to restart provisioning in Azure AD. However, it's important to note that restarting provisioning will not immediately affect on-demand provisioning, it will only take effect when the automatic provisioning cycle starts, which occurs approximately every 30-40 minutes.

Yes, under the Provisioning → Edit → Settings → Scope: You can select Sync only assigned users and groups. This settings ensures that only users and groups that have been added under the Users and groups blade in the Enterprise Application will be synchronized.

• Azure AD SCIM Documentation

• SCIM Protocol Specification

• https://learn.microsoft.com/en-us/entra/identity/app-provisioning/how-provisioning-works#provisioning-cycles-initial-and-incremental

• TIM Feedback to Microsoft

• https://learn.microsoft.com/en-us/entra/identity/app-provisioning/known-issues?pivots=cross-tenant-synchronization#service-issues