SCIM with Entra ID

~ minute read

Prerequisites

  • UserVoice plan that includes SAML Single Sign-On & SCIM
  • UserVoice Admin with Owner Level Permission
  • Azure access to provision apps

Enable SCIM in UserVoice

Note: Only Admins with owner-level permissions can enable SCIM and obtain the API token.

  1. Navigate to the Admin Console:
    • Click the settings cog in the lower-left navigation.
    • Go to General SettingsUser Authentication.
    • Scroll down and toggle SCIM Provisioning on.
  2. Once enabled, click Create Token to obtain the API Token for your IdP. Copy and store this token securely.

Azure Configuration

Note: UserVoice does not support Group provisioning.

Step 1: Create SCIM Application

  1. Sign into your Azure Entra ID platform.
  2. Navigate: Enterprise ApplicationsAll ApplicationsNew Application.
  3. Name your application and select Non-gallery.

Step 2: Configure Provisioning

  1. On the Manage tab, go to Provisioning and click New Configuration (or Connect your application).
  2. Under Admin Credentials, enter:
    • Tenant URL: https://{your uservoice url}/api/scim_v2
    • Secret Token: Use the API Token from the previous step.
  3. Click Test Connection and confirm you get a success message.
  4. Click Save at the top.

Step 3: Attribute Mappings

  1. In Overview → Get Started, scroll own to Map Attributes and click Edit Attributes -OR- in the left-nav, click Manage → Attribute Mapping → and click Provision Microsoft Entra ID Users.
  2. Ensure Target Object Actions for Create, Update, and Delete are checked.
  3. Add licenseType:
    • Scroll down to Show Advanced Options → Edit attribute list for customappsso → scroll all the way down to add a new attribute.
    • Type: string
    • Name: licenseType
    • Save
  4. Now back at the Attribute Mapping screen, scroll down to the end of the list and click Add New Mapping:
    • Mapping Type: Expression
    • Expression: SingleAppRoleAssignment([appRoleAssignments])
    • Target Attribute: licenseType
    • OK → Save

Note: If you do not configure licenseType, users will be provisioned as end-users by default. This is optional.

Step 4: App Roles

  1. Navigate to Microsoft Entra Admin CenterApplicationsApp Registrations → locate your app → left-nav → Manage → App Roles.
  2. Click Create App Role. Create roles using the values below (see the table here for what each value means). The Display Name AND the Value must match the roles below, e.g. admin_no_settings for both Display Name AND the Value.
  3. Set Allowed member types to Users and enable the role.

Roles

  • Full Access Owner: fullaccess_owner
  • Admin: admin
  • Admin No Settings: admin_no_settings
  • Read Only Admin: readonly_admin
  • Admin Ideas Only: admin_ideas_only
  • Admin Feedback Only: admin_feedback_only
  • Contributor: contributor
  • Revoke Access: none

Step 5: Assign Roles

  1. Go to Enterprise Applications → your application → Users and Groups.
  2. Add user.
  3. Assign users to the roles created in Step 4.

You can now initiate Provisioning if you haven't already and that completes the configuration.

Logs

  • Azure logs are available in the Application screen.
  • UserVoice logs: Go to SettingsIntegrationsIntegration Logs (bottom of the page).

 

Related to

Related articles