Configure SCIM user provisioning with Microsoft Entra

Dina Bennett

Ziflow integrates with Microsoft Entra using SCIM (System for Cross-domain Identity Management), an industry-standard protocol for automated user provisioning. SCIM allows you to create and manage users in Ziflow directly from Microsoft Entra, reducing manual account administration.

To understand how Microsoft Entra uses SCIM, refer to Microsoft’s official SCIM documentation.

Available on: Enterprise

Prerequisites

  • Ziflow Enterprise edition
  • Admin access to your Ziflow account
  • Admin access to Microsoft Entra
  • Microsoft Entra SSO already configured for Ziflow

SCIM provisioning depends on SSO. If SSO is not configured, stop here and complete the Microsoft Entra SSO setup first.
 

Supported provisioning actions

Ziflow currently supports:

  • Push users
    Assigning users to the Ziflow application in Microsoft Entra adds them to your Ziflow account.
  • Import users
    Users created in Ziflow can be imported into Microsoft Entra and either matched to existing users or created as new Microsoft Entra users.

Ziflow does not support:

  • Updating user profiles
  • Pushing or importing groups
  • Deleting users via SCIM

Configure SCIM provisioning

Step 1: Get your Ziflow API key

  1. Sign in to Ziflow with an administrator account.
  2. Open your user profile.
  3. Copy your API key. For instructions, see Get your Ziflow API key.

Step 2: Create the Enterprise application in Microsoft Entra

  1. In the Microsoft Entra admin portal, go to Enterprise applications.
  2. Select New application.

  3. Select Create your own application.


     
  4. Enter an application name.
  5. Select Integrate any other application you don’t find in the gallery (Non-gallery).

  6. Select Create.
     

Step 3: Configure provisioning credentials

  1. In the Manage tab of the new application, select Provisioning.
  2. Set Provisioning Mode to Automatic.
  3. Enter the following Admin Credentials. 

    Tenant URL: https://api.ziflow.io/v1/scim/v2

    Secret Token: Your Ziflow API key
     

  4. Select Test Connection.


     
  5. If credentials are correct, you will see a success message in the top right corner. Select Save.

Step 4: Configure attribute mappings

Configure the mapping between Ziflow and Microsoft Entra ID.

  1. Disable group provisioning
  2. Configure user attribute mappings
  3. (Optional) Map Microsoft Entra attributes to Ziflow roles
  4. Save mappings

Disable group provisioning

  1. Open Attribute mappings.

  2. Open Provision Microsoft Entra ID Groups.


     
  3. Disable the mapping.

Configure user attribute mappings

  1. Open Provision Microsoft Entra ID Users.
  2. Disable the following actions:
    • Update target object
    • Delete target object
  3. Remove all attribute mappings except the four listed below:
    • userName
    • emails[type eq "work"].value
    • name.givenName
    • name.familyName

These are the only core user attributes supported by Ziflow.

The complete list of mapped values looks like this:

(Optional) Map Microsoft Entra attributes to Ziflow roles

If you want to assign Ziflow roles during provisioning, you must add a custom attribute mapping.

In Provision Microsoft Entra ID Users, add a new mapping with the following values:

  • Mapping type: Direct
  • Source attribute: employeeType
  • Default value if null: (leave empty)
  • Target attribute: urn:ietf:params:scim:schemas:core:2.0:User:roles
  • Match objects using this attribute: No
  • Apply this mapping: Always

Why employeeType?

Microsoft Entra requires the source attribute to come from its predefined list.
employeeType is commonly used because:

  • It accepts free-text values
  • You can enter Ziflow role names directly
  • It avoids schema extensions or custom Entra attributes

For testing, you can populate employeeType with your Ziflow role values (ZIFLOW_USER, ZIFLOW_ADMIN, ZIFLOW_MANAGER, ZIFLOW_LITE_USER).


 

Save mappings

Once all mappings are configured:

  1. Save the user attribute mapping.
  2. Confirm that only the supported attributes (plus the optional role mapping) remain.

At this point, SCIM provisioning is fully configured.
 

Assign users and start provisioning

  1. Open Users and Groups in the Enterprise Application.
  2. Assign users to the Ziflow application.
  3. Return to Provisioning.
  4. Click Start provisioning.
    User creation in Ziflow is not instant—allow several minutes for the first sync.


     

Known issues or limitations

  • Group mappings must remain disabled
  • Unsupported attribute mappings will cause provisioning errors
  • Role assignment depends on correct source attribute values

     
