SCIM with Entra ID

~ minute read

Prerequisites

  • A UserVoice plan that includes SAML Single Sign-On & SCIM
  • UserVoice Admin with Owner Level Permission
  • Azure access to provision apps

Enable in UserVoice

Note: Admins with owner-level permissions are the only admins able to enable and obtain the token.

To enable SCIM and fetch the required token:

  1. Navigate to the Admin Console → Click the settings cog in the lower-left nav → General Settings → User Authentication → Scroll down and toggle SCIM Provisioning on.
  2. Once enabled, click "Create Token" to obtain the API Token for configuring in your IdP. Copy or put this somewhere safe for use later.

Now you can start configuring SCIM in Azure.

Azure Configuration

Step 1: Create SCIM Application

  1. Sign into your Azure Entra ID platform and using the left-side navigation, navigate to Enterprise Applications → All Applications -> New Application.
  2. Give the Application a name and select Non-gallery

Step 2: Configure Provisioning

  1. On the Manage tab → Provisioning, set Provision Mode to Automatic
  2. Under Admin Credentials
    1. Tenant URL: https://{your uservoice url}/api/scim_v2
    2. Secret Token: API Token created in "Enable in UserVoice" step 
  3. Click Test Connection and you should get a success
  4. Click Save at the top
  5. Set Provisioning Status to on

Step 3: Attribute Mappings

From the page you were on, scroll down and click Mapping, and go to Provision Azure Active Directory Users

  1. Target Object Actions → Create, Update, and Delete are checked

Here you will need to add licenseType.

  1. Scroll down and check Show Advanced Options → Edit attribute list for customappsso
  2. Type → string
  3. Name → licenseType
  4. Save
  5. Add new Mapping
    1. Mapping Type → Expression
    2. Expression → SingleAppRoleAssignment([appRoleAssignments])
    3. Target Attribute → licenseType 
    4. Save

NoteIf you do not configure licenseType users will be provisioned as end-users by default. It is not required.

Step 4: App Roles

  1. Navigate to Microsoft Entra Admin Center → Applications → App Registrations → locate the app you created → App Roles
  2. Create App Role 
  3. Display Name followed by Value. See the table here for what each value means:
    1. Full Access Owner → fullaccess_owner
    2. Admin → admin
    3. Admin No Settings → admin_no_settings
    4. Read Only Admin → readonly_admin
    5. Admin Ideas Only → admin_ideas_only
    6. Admin Feedback Only → admin_feedback_only
    7. Contributor → contributor
    8. Revoke Access → none
  4. Allowed member types set to Users/Groups

Step 5: Assign Roles

  1. Navigate back to Enterprise Applications → your application → Users and Groups
  2. Add user/group
  3. Assign Users to the roles created in Step 4

That completes the configuration. 

Logs

If you encounter issues, Azure has logs that you can find in the Application screen and UserVoice has logs that you can find by navigating to Settings → Integrations → Integration Logs (at the very bottom of the page).
  •  

Related to

Related articles