How to Set Up Automatic User Provisioning (SCIM)

With the SCIM interface, users can be automatically created, updated, and deleted in teamecho.

With SCIM user provisioning, user data is automatically synchronized from your identity provider. This automates administrative tasks such as manually creating users for new hires, deleting them when they leave, and deactivating/activating users during extended absences (e.g., parental leave, sabbaticals).

Currently, SCIM synchronization is available for Microsoft Entra ID, and other systems will be tested for compatibility as needed. SCIM provisioning must be used in combination with SSO.

Configuration

SCIM data can be managed in the teamecho configuration.

Are you an administrator and don't see the SCIM User Provisioning field? Contact us, and our Customer Happiness Team will be happy to activate this feature for you!

Entra ID

An Enterprise Application is required to set up synchronization. If an Enterprise Application has already been created for SSO, it can be used; otherwise, a new application can be created, for example, via the Azure Portal.

In the provisioning settings of the Enterprise Application, the connection to teamecho can be configured. The data from the teamecho configuration will be used for this.

After successfully testing the connection, the settings are saved, and the mappings are configured. Under "Advanced options," the supported attributes need to be configured, and then the attribute mappings can be adjusted as necessary for your Entra ID usage.

The attribute list has to match the screenshot; any additional attributes have to be removed.

Additional details can be found in the Microsoft Entra documentation.

Next, assign the desired users or user groups to the Enterprise Application, and then provisioning can be started.

It may take some time for Entra ID to perform the synchronization. Unfortunately, we at teamecho have no control over this 😪.

Looking for details? Both the Azure Portal and teamecho configuration provide logs to better understand what happens during automatic synchronization.

Limitations

  • Only users can be synchronized; groups are not supported at this time. This means that team and department assignments must still be done manually.
    • Deactivated users are automatically removed from their teams/departments and do not consume a teamecho license.
  • SCIM synchronization is currently only tested for Microsoft Entra ID. Additional systems can be added as needed. Contact us!
  • Manually set settings may be overwritten during the migration of existing users. Users not assigned in Entra ID cannot be automatically updated.
  • SSO is required to enable user provisioning.
    • Our preconfigured Entra ID Enterprise Application for SSO cannot yet be used for user provisioning, as Microsoft currently does not process provisioning integrations. Instead, a separate Enterprise Application must be created as described above.
    • If a single-tenant Enterprise Application is already used for SSO, it can also be used for provisioning configuration.
    • Entra ID does not necessarily have to be used as the SSO provider, but the data should be consistent with Entra ID.
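
A pre-migration check for the limitation above that users not assigned in Entra ID cannot be automatically updated, and that manually set settings may be overwritten for existing users. This is an added example, not teamecho or Microsoft code. It assumes you have a CSV list of existing teamecho users and a CSV list of users assigned to the Enterprise Application; the column names, the sample rows, and matching on e-mail address are assumptions.

```python
import csv
import io

# Constructed sample data (not real accounts). Column names are assumptions.
TEAMECHO_EXPORT = """email,status
anna.huber@example.com,active
Ben.Maier@example.com,active
carla.old@example.com,active
dora.leave@example.com,inactive
"""

ENTRA_ASSIGNED = """userPrincipalName
anna.huber@example.com
ben.maier@example.com
erik.new@example.com
"""


def _load(text, key):
    """Index CSV rows by a trimmed, case-folded identifier."""
    reader = csv.DictReader(io.StringIO(text))
    return {row[key].strip().casefold(): row for row in reader}


def reconcile(teamecho_csv, entra_csv):
    """Classify accounts before provisioning is started."""
    existing = _load(teamecho_csv, "email")
    assigned = _load(entra_csv, "userPrincipalName")
    return {
        # In both lists: SCIM takes over these accounts, so manually
        # set values may be overwritten during migration.
        "taken_over": sorted(existing.keys() & assigned.keys()),
        # Only in teamecho and still active: not assigned in Entra ID,
        # so never updated or deactivated automatically. These need
        # manual offboarding or an assignment in Entra ID.
        "unmanaged_active": sorted(
            user for user in existing.keys() - assigned.keys()
            if existing[user]["status"] == "active"
        ),
        # Only in Entra ID: expected to be created by provisioning.
        "to_create": sorted(assigned.keys() - existing.keys()),
    }


if __name__ == "__main__":
    for bucket, users in reconcile(TEAMECHO_EXPORT, ENTRA_ASSIGNED).items():
        print(f"{bucket}: {users}")
```

Accounts in `unmanaged_active` are the ones to review first, since they remain usable in teamecho regardless of what happens to the person in Entra ID.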