This chapter covers SCIM (System for Cross-domain Identity Management) automated provisioning, a critical technology for synchronizing user identities between Microsoft Entra ID and cloud applications. SCIM is a core component of Objective 2.1: Implement and manage identity synchronization in the MS-102 exam. Approximately 10-15% of exam questions touch on provisioning, with SCIM being the mechanism behind many of them. Understanding SCIM deeply is essential for configuring automatic provisioning in Entra ID and troubleshooting synchronization failures.
Think of SCIM automated provisioning like a large company's HR onboarding system. The HR database (source of truth) contains every employee's record: name, department, role, manager, and start date. When a new employee is hired, HR enters their details into the system. That system doesn't manually call each department—instead, it sends a standardized notification to the IT provisioning system. The IT system reads the notification, creates a user account in Active Directory, assigns the correct groups, sets up email, and grants access to applications like Salesforce and Slack. When an employee leaves, HR marks them as terminated, and the notification triggers account disabling across all systems. The key is that the notification uses a standard format (like SCIM's JSON schema) so that any HR system can talk to any provisioning system without custom integrations. Without this automation, IT would have to manually create each account, leading to delays and errors. SCIM works the same way: a cloud identity provider (like Azure AD) acts as the HR system, and a target application (like Salesforce) acts as the IT system. SCIM defines a standard REST API with endpoints for creating, reading, updating, and deleting users and groups. The identity provider pushes changes to the application automatically, ensuring identity synchronization without human intervention.
What is SCIM and Why Does It Exist?
SCIM (System for Cross-domain Identity Management) is an open standard (RFC 7642, RFC 7643, RFC 7644) for automating the exchange of user identity information between identity domains or IT systems. In the context of MS-102, SCIM is the protocol that Microsoft Entra ID uses to provision users and groups to SaaS applications like Salesforce, ServiceNow, Slack, and many others. Before SCIM, each application required a custom connector or manual user management, which was error-prone and inefficient. SCIM provides a standardized REST API that any identity provider (IdP) and service provider (SP) can implement, enabling plug-and-play provisioning.
How SCIM Works Internally – Step Through the Mechanism
SCIM operates over HTTPS using JSON as the data format. The core operations are:
- Create: POST /Users – adds a new user.
- Read: GET /Users/{id} – retrieves a user.
- Update: PUT /Users/{id} – replaces a user's attributes.
- Patch: PATCH /Users/{id} – partially updates a user.
- Delete: DELETE /Users/{id} – removes a user.
- List: GET /Users – enumerates users with filtering and pagination.
SCIM defines a schema for user and group resources. Each resource has a set of attributes defined by the core schema (e.g., userName, name, emails, phoneNumbers, groups) and can be extended with enterprise attributes (e.g., employeeNumber, department, manager). The schema is discoverable via the /Schemas endpoint.
When Entra ID provisions to an application, it acts as the SCIM client. The provisioning service:
1. Queries the target application's SCIM endpoint to get existing users (GET /Users).
2. Compares the list with users in Entra ID that are in scope for provisioning.
3. For users that exist in Entra ID but not in the app, sends a POST /Users to create them.
4. For users that exist in both, compares attributes and sends a PUT or PATCH if differences are detected.
5. For users that exist in the app but not in Entra ID (or that are out of scope), sends a DELETE /Users/{id} if deprovisioning is enabled, or disables the user.
Key Components, Values, Defaults, and Timers
SCIM Endpoint URL: The base URL of the target application's SCIM API, e.g., https://yourdomain.scim.com/scim/.
Authentication: SCIM endpoints typically require a bearer token (OAuth 2.0) or basic auth. Entra ID supports both.
Provisioning Interval: By default, Entra ID runs a provisioning cycle every 40 minutes. The interval is fixed and cannot be changed in the portal; the only control available is restarting provisioning to trigger a cycle on demand.
Provisioning Scope: Can be set to sync only assigned users and groups, or all users and groups in the directory.
Attribute Mapping: Entra ID allows mapping between its user attributes and the target application's SCIM attributes. Default mappings exist for common apps but can be customized.
Scoping Filters: Use expressions to filter which users/groups are provisioned, e.g., user.department -eq "Sales".
Deprovisioning: When a user is deleted in Entra ID or removed from scope, SCIM sends a DELETE request. If the app does not support DELETE, Entra ID can send a PATCH to disable the user (set active: false).
Configuration and Verification Commands
To configure SCIM provisioning in Entra ID:
1. In the Azure portal, go to Enterprise applications > select the app > Provisioning.
2. Set Provisioning Mode to Automatic.
3. Enter the Tenant URL (SCIM endpoint) and Secret Token.
4. Test the connection.
5. Configure attribute mappings and scoping filters.
6. Start provisioning.
To verify provisioning status, use Microsoft Graph PowerShell:
Get-MgServicePrincipalProvisioning -ServicePrincipalId "object-id"

Or check provisioning logs in the Azure portal under Monitoring > Provisioning logs. Look for:
- Success: the user was created, updated, or deleted.
- Skipped: the user was not in scope.
- Failure: an error occurred; details are provided in the log entry.
How SCIM Interacts with Related Technologies
SCIM is closely related to:
- Microsoft Graph: SCIM provisioning uses the provisioning service within Entra ID, which is part of the Microsoft Graph identity infrastructure.
- Synchronization Rules: SCIM attribute mappings are defined using a mapping editor similar to that in Microsoft Identity Manager.
- Conditional Access: Provisioning does not directly affect Conditional Access, but if a user is not provisioned, they cannot access the app.
- B2B Collaboration: SCIM can provision guest users to applications, but the guest user must exist in the directory first.
Specific Numbers, Defaults, and RFC References
RFC 7642 defines the SCIM protocol.
RFC 7643 defines the core schema.
RFC 7644 defines the REST API.
Default provisioning cycle: 40 minutes.
Maximum number of users per provisioning cycle: 10,000 (hard limit per call; larger directories are processed in batches).
SCIM supports pagination via startIndex and count parameters. Default count is 100, max is 1000.
Entra ID supports SCIM versions 1.1 and 2.0, but 2.0 is recommended.
The SCIM endpoint must support HTTPS (TLS 1.2 or higher).
Trap Patterns and Common Misconfigurations
Wrong Endpoint URL: Many candidates assume the SCIM endpoint is the app's login URL. It is a separate API path on the application's domain, typically ending in /scim/ or /scim/v2.
Missing Bearer Token: If the token is expired or invalid, the test connection fails.
Attribute Mismatch: If the target app expects userName but the mapping sends userPrincipalName, provisioning may fail silently.
Deprovisioning Disabled: By default, deprovisioning is enabled. If an admin wants to disable it, they must change the provisioning scope or disable the provisioning cycle.
Exam-Relevant Commands and Verification
Test connection: Use the Azure portal Test Connection button.
View provisioning logs: Get-MgServicePrincipalProvisioning or portal.
Force a provisioning cycle: Use the Restart provisioning option in the portal (this triggers an immediate cycle).
Monitor progress: The provisioning progress bar shows percentage complete.
Configure SCIM Endpoint in App
The target application must expose a SCIM endpoint. This is typically done by enabling SCIM provisioning in the application's settings. For example, in Salesforce, you navigate to Setup > Identity > SCIM, and generate a bearer token. The endpoint URL is provided by the application. For custom apps, you implement the SCIM API yourself. The endpoint must support HTTPS and respond to the /Users and /Groups endpoints. The application registers the endpoint with Entra ID by providing the URL and token during the provisioning configuration.
Add Enterprise Application in Entra ID
In the Azure portal, go to Microsoft Entra ID > Enterprise applications > New application. Select the application from the gallery if available, or create a custom application (Non-gallery). For gallery apps, the SCIM configuration is often pre-filled. For custom apps, you manually enter the SCIM endpoint URL and token. The application object is created in Entra ID, which will hold the provisioning configuration.
Configure Provisioning and Test Connection
In the provisioning blade, set Provisioning Mode to Automatic. Enter the Tenant URL (SCIM endpoint) and Secret Token. Click Test Connection. If successful, the connection validates that Entra ID can reach the SCIM endpoint and authenticate. If it fails, check the URL, token, and network connectivity (firewall rules). The test sends a GET request to the SCIM endpoint's /Users endpoint with the token in the Authorization header.
Define Attribute Mappings and Scoping
Attribute mappings define how Entra ID user attributes map to SCIM attributes. Default mappings are provided for common apps. You can customize mappings, add expressions, or use constants. Scoping filters restrict which users/groups are provisioned. For example, you can provision only users in the Sales department. The provisioning engine evaluates scoping filters during each cycle.
Start Initial Provisioning Cycle
After configuration, click Start provisioning. The initial cycle can take from minutes to hours depending on the number of users. Entra ID queries the SCIM endpoint to get existing users, then compares them with the Entra ID users in scope. It creates missing users, updates changed users, and disables or deletes users that are out of scope. The provisioning logs show each operation's status. After the initial cycle, subsequent cycles run every 40 minutes.
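The reconciliation described in "How SCIM Works Internally" and in the initial cycle above, as an added example that is not Microsoft's provisioning-service code. It assumes an in-memory SCIM 2.0 endpoint with constructed users (APP_USERS, ENTRA_USERS), a userPrincipalName to userName mapping, and the page's scoping filter user.department -eq "Sales"; it walks the paged /Users list, then emits the POST, PATCH and disable operations one cycle would send.

```python
# Added example: a simplified model of one Entra ID provisioning cycle against a SCIM 2.0 endpoint.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed: what the target app already holds, served by GET /Users.
APP_USERS = [
    {"id": "a1", "userName": "alice@contoso.com", "displayName": "Alice Liddell", "active": True},
    {"id": "b2", "userName": "bob@contoso.com", "displayName": "Bob Stone", "active": True},
    {"id": "c3", "userName": "carol@contoso.com", "displayName": "Carol Danvers", "active": True},
]
ENTRA_USERS = [  # constructed: directory users with the Entra attributes the mapping reads
    {"userPrincipalName": "alice@contoso.com", "displayName": "Alice Liddell", "department": "Sales"},
    {"userPrincipalName": "bob@contoso.com", "displayName": "Robert Stone", "department": "Sales"},
    {"userPrincipalName": "carol@contoso.com", "displayName": "Carol Danvers", "department": "Finance"},
    {"userPrincipalName": "dave@contoso.com", "displayName": "Dave Lister", "department": "Sales"},
]

def scim_list(start_index, count):
    """Emulates GET /Users?startIndex=N&count=M; startIndex is 1-based (RFC 7644 ListResponse)."""
    page = APP_USERS[start_index - 1:start_index - 1 + count]
    return {"totalResults": len(APP_USERS), "startIndex": start_index,
            "itemsPerPage": len(page), "Resources": page}

def fetch_all_users(count=2):
    """Step 1: page through /Users until totalResults is exhausted, keyed by userName."""
    users, start = {}, 1
    while True:
        resp = scim_list(start, count)
        for r in resp["Resources"]:
            users[r["userName"]] = r
        start += resp["itemsPerPage"]
        if resp["itemsPerPage"] == 0 or start > resp["totalResults"]:
            return users

def in_scope(user):
    return user.get("department") == "Sales"  # scoping filter: user.department -eq "Sales"

def patch_replace(path, value):
    return {"schemas": [PATCH_SCHEMA],  # RFC 7644 PatchOp body with one replace operation
            "Operations": [{"op": "replace", "path": path, "value": value}]}

def reconcile(entra_users):
    """Steps 2-5: diff in-scope Entra users against the app; return (method, path, body) ops."""
    existing, ops, seen = fetch_all_users(), [], set()
    for u in entra_users:
        if not in_scope(u):
            continue  # step 2: out-of-scope users are skipped (and disabled below if present)
        name = u["userPrincipalName"]  # mapping: userPrincipalName -> userName
        seen.add(name)
        app = existing.get(name)
        if app is None:  # step 3: create the missing user
            ops.append(("POST", "/Users", {"schemas": [USER_SCHEMA], "userName": name,
                                           "displayName": u["displayName"], "active": True}))
        elif app["displayName"] != u["displayName"]:  # step 4: attribute drift -> PATCH
            ops.append(("PATCH", f"/Users/{app['id']}", patch_replace("displayName", u["displayName"])))
    for name, app in existing.items():  # step 5: in the app but not in scope -> disable, not DELETE
        if name not in seen and app["active"]:
            ops.append(("PATCH", f"/Users/{app['id']}", patch_replace("active", False)))
    return ops
```

With the constructed data, one cycle yields a PATCH for Bob's renamed displayName, a POST for Dave, and a PATCH setting active to false for Carol, who is out of scope.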
Enterprise Scenario 1: Salesforce Provisioning
A global sales organization uses Salesforce as its CRM. They have 5,000 sales users in Entra ID, and they want to automate user creation and deactivation in Salesforce. The administrator configures SCIM provisioning using the Salesforce gallery app. They set the scope to 'Only assigned users and groups' and assign the Sales team group. The initial provisioning cycle creates 4,800 users (some are guest users not in scope). Later, when a sales rep leaves, their Entra ID account is disabled, and the next provisioning cycle deactivates the user in Salesforce (sets active: false). Common issues: The SCIM endpoint URL for Salesforce is https://yourdomain.my.salesforce.com/services/scim/v2. The token is generated in Salesforce under Setup > Identity > SCIM. If the token expires, provisioning fails. The administrator must monitor provisioning logs and set up alerts for failures.
Enterprise Scenario 2: ServiceNow Provisioning
A large enterprise uses ServiceNow for IT service management. They need to provision all employees (20,000 users) to ServiceNow. They use SCIM provisioning with the ServiceNow gallery app. The scope is set to 'Sync all users and groups'. The attribute mapping maps userPrincipalName to userName and displayName to name. However, ServiceNow expects a unique userName that does not conflict with existing users. In production, they encountered a conflict where two users had the same userName (due to a previous manual import). The provisioning engine skipped those users. The administrator resolved it by cleaning up duplicates in ServiceNow and re-provisioning. Performance consideration: The initial cycle for 20,000 users took 4 hours due to pagination and network latency. The administrator scheduled the initial cycle over a weekend.
Scenario 3: Custom Application Provisioning
A company develops a custom HR app that needs to sync user profiles from Entra ID. They implement the SCIM 2.0 API on their app. They register the app as a non-gallery enterprise application. They configure custom attribute mappings to include employeeId and department. During testing, they discovered that the SCIM endpoint did not support PATCH, only PUT. They updated the mapping to use PUT for updates. They also implemented filtering to only provision users with employeeType equal to 'Employee'. Common failure: The custom app returned a 500 error for malformed JSON. The administrator used the provisioning logs to identify the exact request body and fixed the API. They also enabled logging on the app side to debug.
What MS-102 Tests on SCIM Automated Provisioning
MS-102 objective 2.1: 'Implement and manage identity synchronization' includes configuring and troubleshooting provisioning. Specific areas tested:
Understanding the SCIM protocol and its role in provisioning.
Configuring automatic provisioning in Entra ID for gallery and non-gallery apps.
Troubleshooting provisioning failures using logs and test connection.
Knowing the default provisioning cycle (40 minutes) and how to force a cycle.
Understanding attribute mappings and scoping filters.
Recognizing the difference between SCIM and other synchronization methods (e.g., Microsoft Identity Manager, Graph API).
Top Wrong Answers and Why Candidates Choose Them
'SCIM is used for syncing on-premises AD to Entra ID.' – This is wrong. SCIM is for provisioning to cloud apps. On-premises sync uses Azure AD Connect.
'The default provisioning cycle is 24 hours.' – Wrong. It's 40 minutes. Candidates confuse it with password hash sync (30 minutes) or directory sync (30 minutes).
'SCIM requires an on-premises connector.' – Wrong. SCIM is cloud-to-cloud. No on-premises component.
'You can change the provisioning interval in the portal.' – Wrong. The interval is fixed at 40 minutes. You can only trigger a manual restart.
'SCIM supports only user objects, not groups.' – Wrong. SCIM supports both users and groups (RFC 7643 defines group resource).
Specific Numbers, Values, and Terms on the Exam
SCIM endpoint: Must be URL starting with https://.
Bearer token: Used for authentication.
Provisioning logs: Located under Enterprise applications > Provisioning logs.
Test connection: Validates endpoint reachability and authentication.
Initial cycle: Can take hours; subsequent cycles are incremental.
Scoping filter: Uses expressions like user.department -eq "Sales".
Attribute mapping: Uses JSONPath expressions.
Deprovisioning: Sends DELETE or PATCH to disable user.
Edge Cases and Exceptions
If the SCIM endpoint does not support DELETE, Entra ID can be configured to send a PATCH to set active: false.
If the app does not support groups, group provisioning can be disabled.
If the token expires, provisioning fails with a 401 error. The admin must generate a new token and update the configuration.
If the app returns a 429 (rate limiting), Entra ID will retry after the Retry-After header duration.
For large directories (>10,000 users), the initial cycle may be split into multiple batches. Each batch is processed sequentially.
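How a SCIM client should react to the response codes listed above (401 expired token, 429 with Retry-After, 500 from a malformed request), as an added example rather than Entra ID's own retry logic. The exception names, the transport callable and the scripted endpoint are assumptions made for the example; sleeping is injectable so it runs offline.

```python
# Added example: response handling for the SCIM edge cases on this page.
import time

class TokenExpired(Exception):
    """401 from the endpoint: the bearer token must be regenerated; retrying is pointless."""

class ProvisioningFailure(Exception):
    """Non-retryable failure; the message carries what the provisioning log would show."""

def send_with_retry(transport, method, path, body, max_attempts=3, sleep=time.sleep):
    """transport(method, path, body) -> (status, headers, text). Returns (status, attempts, log)."""
    log = []
    for attempt in range(1, max_attempts + 1):
        status, headers, text = transport(method, path, body)
        if status in (200, 201, 204):
            return status, attempt, log
        if status == 401:
            raise TokenExpired(f"401 on {method} {path}: generate a new token in the app and "
                               "update the provisioning configuration")
        if status == 429:  # rate limited: honour Retry-After (delay-seconds form) before retrying
            delay = float(headers.get("Retry-After", "1"))
            log.append(f"429 on {method} {path}: waiting {delay:g}s (attempt {attempt})")
            sleep(delay)
            continue
        if status >= 500:  # server-side error: keep the request body so the payload can be reproduced
            log.append(f"{status} on {method} {path}: request={body!r} response={text!r}")
            raise ProvisioningFailure(log[-1])
        raise ProvisioningFailure(f"unexpected {status} on {method} {path}: {text!r}")
    raise ProvisioningFailure(f"gave up on {method} {path} after {max_attempts} rate-limited attempts")

def scripted_transport(responses):
    """Constructed stand-in for the SCIM endpoint: replays a fixed list of (status, headers, text)."""
    it = iter(responses)
    def transport(method, path, body):
        return next(it)
    return transport
```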
How to Eliminate Wrong Answers
If the question mentions 'synchronizing users from on-premises AD', the answer is Azure AD Connect, not SCIM.
If the question asks about 'automatic provisioning to a SaaS app', the answer is SCIM.
If the question gives a time interval, 40 minutes is the SCIM provisioning cycle; other intervals (30 min, 24 hours) are for different sync types.
If the question mentions 'custom attribute mapping', it's SCIM provisioning.
If the question asks about 'deprovisioning', SCIM handles it via DELETE or PATCH.
SCIM is an open standard (RFC 7642-7644) for automating user provisioning between identity providers and cloud applications.
Microsoft Entra ID uses SCIM to provision users and groups to SaaS apps like Salesforce, ServiceNow, and Slack.
The default provisioning cycle is every 40 minutes; it cannot be changed in the UI but can be manually restarted.
SCIM supports CRUD operations: Create (POST), Read (GET), Update (PUT/PATCH), Delete (DELETE).
Attribute mappings define how Entra ID attributes map to SCIM attributes; custom mappings can include expressions.
Scoping filters restrict which users/groups are provisioned based on conditions like department.
Deprovisioning removes or disables users when they are deleted from Entra ID or removed from scope.
Troubleshooting provisioning failures involves checking provisioning logs, test connection, and token validity.
These come up on the exam all the time. Here's how to tell them apart.
SCIM Provisioning:
- Cloud-to-cloud synchronization
- Uses REST API (SCIM protocol)
- Default cycle every 40 minutes
- No on-premises component
- Used for SaaS apps like Salesforce
Azure AD Connect Sync:
- On-premises to cloud synchronization
- Uses SQL and sync engine
- Default sync every 30 minutes
- Requires a server with Azure AD Connect installed
- Used for syncing AD users to Entra ID
Mistake: SCIM is the same as Azure AD Connect.
Correct: SCIM is for cloud-to-cloud provisioning, while Azure AD Connect syncs on-premises AD to Entra ID. They are different tools for different scenarios.
Mistake: The default provisioning cycle is every 30 minutes.
Correct: The default cycle is every 40 minutes. 30 minutes is the typical interval for password hash sync or directory sync in Azure AD Connect.
Mistake: SCIM only supports user objects, not groups.
Correct: SCIM supports both users and groups. The /Groups endpoint is used for group provisioning.
Mistake: You can change the provisioning interval in the Azure portal.
Correct: The provisioning interval is fixed at 40 minutes and cannot be changed. You can only trigger a manual restart to force a cycle.
Mistake: SCIM provisioning requires an on-premises agent.
Correct: SCIM provisioning is entirely cloud-based. No on-premises agent is needed.
The SCIM endpoint URL for Salesforce is typically `https://yourdomain.my.salesforce.com/services/scim/v2`. Replace yourdomain with your actual Salesforce instance. The token is generated in Salesforce under Setup > Identity > SCIM.
By default, SCIM provisioning runs every 40 minutes. This interval is fixed and cannot be changed in the Azure portal. To trigger an immediate cycle, you can click 'Restart provisioning' in the provisioning blade.
Yes, SCIM supports both user and group resources. The /Groups endpoint is used to create, update, and delete groups. However, group provisioning must be enabled in the attribute mappings and supported by the target application.
If the bearer token expires, provisioning will fail with a 401 Unauthorized error. The administrator must generate a new token in the target application and update the provisioning configuration in Entra ID with the new token.
Check the provisioning logs in the Azure portal under Enterprise applications > Provisioning logs. Look for 'Failure' status and review the error details. Also, use the 'Test connection' button to verify connectivity and authentication. Ensure the SCIM endpoint is reachable and the token is valid.
SCIM is a standardized protocol for provisioning between identity providers and applications. Microsoft Graph API is a REST API for accessing Microsoft 365 data, including users. SCIM is used for automated provisioning to third-party apps, while Graph API is used for programmatic access to Microsoft services.
Yes, SCIM supports deprovisioning. When a user is deleted from Entra ID or removed from provisioning scope, Entra ID sends a DELETE request to the SCIM endpoint. If the target app does not support DELETE, Entra ID can be configured to send a PATCH to set the user's active attribute to false.