Inbound SCIM for New Azure AD Connections

Before you start

Ensure your Auth0 tenant is connected to Azure AD using the Microsoft Azure AD connection type.

This integration will require two applications to be registered in Azure AD: the OpenID Connect integration and the SCIM integration. To streamline this setup process for your customers, consider publishing your app in the Azure Active Directory app gallery.

Auth0 can be integrated with Microsoft Azure Active Directory (now known as Microsoft Entra ID) with the Microsoft Azure AD connection type, which uses the OpenID Connect (OIDC) protocol for user authentication. These instructions are for new Azure AD connections; for older connections using pairwise user identifiers (sub), see Older Connections.

Configure SCIM settings in Auth0

  1. Launch the Auth0 Dashboard, go to Authentication > Enterprise > Microsoft Azure AD > [your-connection] > Settings.

  2. Ensure that User ID Attribute Type is set to User Object Identifier (oid) and that the Use Common Endpoint toggle is disabled.

  3. Select the Provisioning tab and disable Sync user profile attributes at each login unless you want to sync additional attributes at login.

  4. In the same section, enable Sync user profiles using SCIM.

  5. Under the Mapping tab, ensure the SCIM attribute containing the User ID setting is set to externalId.

  6. Review the Additional Mappings to ensure the extended SCIM attributes are mapped to your preferred Auth0 attributes. See attribute mapping for details.

Retrieve SCIM endpoint URL and token

This section uses the Auth0 Dashboard, but these steps can also be managed with the Management API. See the Deployment Guidelines section for best practices.

  1. In the Auth0 dashboard, browse to the SCIM Setup tab, then copy the SCIM Endpoint URL and paste it somewhere safe.

  2. Generate a SCIM token by selecting Generate New Token and, if you wish, set an expiration date for the token.

  3. Select the scopes you want to allow. The default scopes required by Azure AD are get:users, post:users, patch:users, and delete:users.

Configure SCIM in Azure AD for OIDC Apps

  1. Confirm that an OpenID Connect application has already been registered to handle user authentication in the Microsoft Entra ID > App registrations section of the Azure portal.

  2. Confirm that your OpenID Connect application has Assignment Required set to Yes in the Microsoft Entra ID > Enterprise applications > [your-oidc-app] > Manage > Properties section, and has users assigned in the Users and Groups tab.

  3. Next, register a new Non-gallery application in the Azure portal by browsing to Microsoft Entra ID > Enterprise applications > New application > Create your own application, entering an application name, and selecting Create.

  4. Go to the Users and Groups tab and assign the same Azure AD users and groups that are assigned to the registered OpenID Connect app.

  5. Select the Provisioning tab, select Get started, and choose Automatic as the Provisioning Mode.

  6. Select Admin Credentials, then enter the SCIM Endpoint URL value you saved earlier as the Tenant URL. At the end of the URL, add the ?aadOptscim062020 query parameter to work around the known Azure AD issues described here.

  7. Paste the token value into the Secret Token field and select Save.

  8. Go to Mappings and select Provision Microsoft Entra ID Users, then go to Attribute Mappings and edit the attributes of the line containing externalId and mailNickname.

  9. In the Edit Attribute screen, change Source attribute to objectId, then choose OK.

  10. Go back to Attribute Mappings and select the line containing emails[type eq "work"].value and mail.

  11. In the Edit Attribute screen, change Match objects using this attribute to Yes, then set Matching precedence to 2 and choose OK. The attribute mapping screen looks like this as you continue to use the Attribute Mappings section to configure additional SCIM attributes:

SAML Azure Attribute Mapping

Save the attribute mappings, then select X in the upper-right corner to return to the Provisioning screen.
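The following is an added example, not code from Auth0 or Microsoft, showing what the mappings from steps 8 through 11 produce on the wire and how a SCIM server resolves the two matching rules in precedence order. The sample Azure user, GUID and stored user records are constructed; the userName and displayName mappings are assumed defaults.

```python
import re

# Constructed sample: an Azure AD user as the provisioning service sees it.
AZURE_USER = {
    "objectId": "7b9e3c2a-1111-4222-8333-444455556666",   # constructed GUID
    "mailNickname": "jdoe",
    "mail": "jdoe@example.com",
    "displayName": "Jane Doe",
}

def to_scim_user(azure_user):
    """Apply the mappings from steps 8-11: objectId -> externalId and
    mail -> emails[type eq "work"].value. The other fields are assumed defaults."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "externalId": azure_user["objectId"],
        "userName": azure_user["mail"],
        "displayName": azure_user["displayName"],
        "emails": [{"type": "work", "value": azure_user["mail"], "primary": True}],
    }

def matching_filters(scim_user):
    """SCIM filters a provisioning service issues as GET /Users?filter=...,
    in precedence order: externalId first (immutable), work email second."""
    work = next(e["value"] for e in scim_user["emails"] if e.get("type") == "work")
    return [f'externalId eq "{scim_user["externalId"]}"',
            f'emails[type eq "work"].value eq "{work}"']

def user_matches(user, flt):
    """Evaluate the two filter shapes above against one stored user record."""
    m = re.fullmatch(r'externalId eq "([^"]+)"', flt)
    if m:
        return user.get("externalId") == m.group(1)
    m = re.fullmatch(r'emails\[type eq "work"\]\.value eq "([^"]+)"', flt)
    return bool(m) and any(e.get("type") == "work" and e.get("value") == m.group(1)
                           for e in user.get("emails", []))

def resolve_match(existing_users, scim_user):
    """Return the stored user to update, or None if a new one must be created.
    Each filter is tried in precedence order; more than one hit is an error
    rather than a guess, so a shared address can never merge two identities."""
    for flt in matching_filters(scim_user):
        hits = [u for u in existing_users if user_matches(u, flt)]
        if len(hits) > 1:
            raise ValueError(f"ambiguous match for filter {flt}")
        if hits:
            return hits[0]
    return None
```

Because the Auth0 connection keys users on the Azure oid (step 2 of the Auth0 settings) and externalId carries that same objectId, the precedence-1 match is what ties the provisioned record to the identity that later signs in through OIDC; the email rule only catches records created before externalId was populated.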

Testing

  1. On the Enterprise application overview screen, select Manage > Provisioning and then Provision on Demand to test the SCIM connection.

  2. Go to Select a user or group and type the name of a user that you assigned to the application, then select the user and choose Provision. This creates the user in the Auth0 tenant.

  3. Provision all assigned users by following the instructions to set the Provisioning Status to On.