SCIM Integration: User Provisioning on MS Entra ID

This guide explains how to configure SCIM 2.0 user provisioning between Trio and Microsoft Entra ID (formerly Azure AD).

SCIM integration enables automated lifecycle management of users from Entra ID to Trio, including:

  • Automatic user creation

  • Attribute synchronization

  • Account updates

  • Deprovisioning (when disabled or unassigned in Entra)

Trio acts as the SCIM service provider, and Entra ID acts as the identity provider (IdP) initiating provisioning requests.


Prerequisites

Before configuration, ensure:

  • Admin access to Trio Admin Dashboard

  • Global Admin or Application Admin access to Microsoft Entra ID

  • Ability to create Enterprise Applications in Entra

  • Outbound HTTPS connectivity to the Trio SCIM endpoint

  • SCIM 2.0 support enabled in your Trio tenant


Step 1: Generate SCIM Credentials in Trio

SCIM provisioning requires:

  • A SCIM Base URL

  • A Bearer Token (Secret Token)

Steps

  1. Log in to the Trio Admin Dashboard

  2. Navigate to:
    Integrations → User Management

  3. Locate SCIM

  4. Click Add and Configure

  5. In the sidebar, click Get Started

  6. Enter a unique identifier name for the integration

  7. Click Generate Token

  8. When prompted:

    • Copy the generated Secret Token

    • Click Confirm

    • Click Done

After confirmation, Trio displays:

  • SCIM API URL (Base URL endpoint)

  • Associated configuration status

Important

  • The token is shown only once during generation.

  • Store it securely.

  • It is used as a Bearer token in Entra provisioning settings.


Step 2: Create Enterprise Application in Microsoft Entra ID

Provisioning in Entra requires creating a custom Enterprise Application.

Steps

  1. Open Enterprise Applications

  2. Click New Application

  3. Select Create your own application

  4. Enter an application name

  5. Select:
    Integrate any other application you don’t find in the gallery

  6. Click Create

The application will be created in your tenant.


Step 3: Configure SCIM Provisioning in Entra

Provisioning settings define how Entra connects to Trio.

Steps

  1. Open the newly created Enterprise Application

  2. From the left sidebar, select Provisioning

  3. Go to Overview and click Connect your application

  4. Configure the following fields:

    • Provisioning Mode: Automatic

    • Tenant URL: Paste the SCIM API URL copied from Trio

    • Secret Token: Paste the Secret Token generated in Trio

  5. Click Test Connection

  6. If successful, click Create or Save

Technical Notes

  • Authentication method: Bearer Token

  • Protocol: SCIM 2.0

  • Endpoint: /Users

  • Communication: HTTPS only

If connection fails, verify:

  • Token accuracy

  • No trailing spaces

  • Network accessibility
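
The checks above can be run outside the Entra UI before pasting the values. The following script is an added example, not Trio or Microsoft code: it validates the Tenant URL and Secret Token offline, then sends one authenticated GET to the /Users endpoint. The environment variable names, the count=1 query (a standard SCIM 2.0 paging parameter) and the status-code meanings are assumptions, not documented Trio behavior.

```python
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumed meanings (generic HTTP semantics); Trio's actual responses may differ.
CAUSES = {200: "ok", 401: "token rejected: wrong, expired or regenerated",
          403: "token rejected: wrong, expired or regenerated",
          404: "SCIM API URL path is wrong"}

def preflight(base_url: str, token: str) -> list[str]:
    """Offline checks for the Tenant URL and Secret Token values."""
    problems = []
    if base_url != base_url.strip() or token != token.strip():
        problems.append("leading or trailing whitespace")
    tok = token.strip()
    if tok.lower().startswith("bearer "):
        problems.append("token includes the 'Bearer ' prefix")
    elif any(c.isspace() for c in tok):
        problems.append("whitespace inside token")
    u = urllib.parse.urlsplit(base_url.strip())
    if u.scheme != "https" or not u.hostname:
        problems.append("URL must be of the form https://host/path")
    if u.username or u.password or u.query or u.fragment:
        problems.append("URL carries credentials, query or fragment")
    return problems

def build_probe(base_url: str, token: str) -> urllib.request.Request:
    """GET <base>/Users?count=1 with the token as a Bearer credential."""
    url = base_url.strip().rstrip("/") + "/Users?count=1"
    return urllib.request.Request(url, headers={
        "Authorization": "Bearer " + token.strip(),
        "Accept": "application/scim+json"})

def explain(status: int) -> str:
    return CAUSES.get(status, f"unexpected HTTP {status}")

if __name__ == "__main__":
    # Hypothetical variable names; the environment keeps the token out of argv.
    base, tok = os.environ["TRIO_SCIM_URL"], os.environ["TRIO_SCIM_TOKEN"]
    if preflight(base, tok):
        raise SystemExit("\n".join(preflight(base, tok)))
    try:
        with urllib.request.urlopen(build_probe(base, tok), timeout=10) as r:
            print(explain(r.status))
    except urllib.error.HTTPError as e:
        print(explain(e.code))
    except urllib.error.URLError as e:
        print("network problem:", e.reason)
```

urllib follows redirects and resends the Authorization header to the new location, so point the script only at the SCIM API URL that Trio displayed.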


Step 4: Assign Users or Groups

Provisioning only applies to users assigned to the Enterprise Application.

Steps

  1. In the Enterprise Application, open Users and Groups

  2. Click Add user/group

  3. Click None selected

  4. Select the users (or groups) to provision

  5. Click Assign

Only assigned users will be synchronized.


Step 5: Start Provisioning

Provisioning must be explicitly started.

Steps

  1. Go to the Overview tab of the Enterprise Application

  2. Click Start provisioning

Entra will initiate:

  • SCIM POST requests to create users

  • PATCH requests for updates

  • DELETE or deactivate operations for deprovisioning

Provisioning runs on a scheduled sync cycle after initial activation.


Step 6: Verify Provisioned Users in Trio

To confirm successful provisioning:

  1. Log in to Trio

  2. Navigate to:
    Identity → Users

  3. Verify that assigned users appear in the user list

Provisioned users are created automatically through SCIM API calls from Entra.


Provisioning Behavior

When SCIM is active:

  • New assigned users → Created in Trio

  • Attribute updates in Entra → Synced via PATCH

  • User unassigned → Deprovisioned or disabled

  • Group assignments → Reflected if supported

Trio does not require manual user creation once SCIM is enabled.


Troubleshooting

Connection Test Fails

  • Verify SCIM API URL format

  • Regenerate token in Trio

  • Ensure no firewall blocks outbound HTTPS

  • Confirm provisioning mode is set to Automatic

User Not Appearing in Trio

  • Confirm user is assigned to the Enterprise Application

  • Ensure provisioning has started

  • Check provisioning logs in Entra:

    • Enterprise Application → Provisioning → Logs

Token Expired or Compromised

  • Regenerate token in Trio

  • Update Secret Token in Entra provisioning settings

  • Re-test connection
