User sync with Microsoft 360 (Azure AD / Entra ID) SCIM API
What is SCIM provisioning in UnSpot
SCIM (System for Cross-domain Identity Management) 2.0 lets your identity provider (IdP) — such as Microsoft Entra ID or Okta — automatically create, update, and deactivate UnSpot accounts. UnSpot supports provisioning of users, groups, and your organizational structure. Synchronization is one-way: from your IdP to UnSpot. Full details of every endpoint are in the UnSpot SCIM API reference.
Before you begin
- You need UnSpot administrator rights that include integration management.
- Decide whether newly provisioned users should receive a welcome email — you can toggle this in the SCIM settings.
- The SCIM token has a configurable validity period. When it expires, provisioning stops and UnSpot notifies administrators. Plan token rotation in advance.
Step 1. Enable SCIM in UnSpot
- Go to Administration > Access > Integrations and click Connect on the SCIM card.
- Copy the SCIM URL and the Token — you will enter both in your IdP.
- Set the token validity period.
- Choose whether to send a welcome email to users created via SCIM.
Attention: store the token securely. Anyone who has it can manage users in your workspace via the SCIM API.
Step 2. Configure Microsoft Entra ID (Azure AD)
Note: the videos below were recorded with the older Azure portal interface; menu names may differ slightly in the current Microsoft Entra admin center.
- Open the Microsoft Entra admin center and create an Enterprise application.
- In the application side menu, select Provisioning and choose the Automatic mode.
- Enter the Tenant URL (the SCIM URL from UnSpot) and the Secret token, then click Test Connection and save.
Attribute mapping
- Provision Microsoft Entra ID Groups > choose “Show advanced options” > Edit attribute list for customappsso > in the “members” line remove the checkbox “urn:ietf:params:scim:schemas:core:2.0:Group” in the referenced object > Save.
- Provision Microsoft Entra ID Users > replace the source attribute “mailNickname” with “objectId” and keep the attributes listed below > Save.
- userPrincipalName
- Switch([IsSoftDeleted], “False”, “True”, “True”, “False”)
- jobTitle
- givenName
- surname
- telephoneNumber
- objectId
- department
Choose the sync scope
Sync only assigned users and groups: assign Users and Groups to the application, then click Start provisioning.
Sync all users and groups: in Provisioning, choose “Sync all users and groups”, save, and start provisioning.
Step 2 (alternative). Configure Okta or another SCIM 2.0 IdP
Any IdP that supports SCIM 2.0 with Bearer-token authentication can provision users to UnSpot. In your IdP, set the SCIM connector base URL to the SCIM URL from UnSpot and use the token as the HTTP Header > Authorization: Bearer credential. Supported operations: create, update, and deactivate users; push groups.
What happens during synchronization
- New users in the sync scope are created in UnSpot (optionally receiving a welcome email).
- Profile changes (name, job title, phone, department) are updated automatically.
- Users deactivated or removed in the IdP are deactivated in UnSpot.
- Groups are created and their membership is kept in sync; the organizational structure can be provisioned as well.
Token expiration
When the SCIM token approaches its expiration date, UnSpot notifies administrators, and after expiry provisioning requests are rejected until the token is updated. You can change the validity period in the SCIM settings at any time.
SCIM API reference
For the full endpoint documentation with examples, see UnSpot SCIM API reference. For verification and automation, the following SCIM 2.0 endpoints are available (authorization: Authorization: Bearer <token>):
| Method | Endpoint | Purpose |
|---|---|---|
| GET | /api/scim/Schemas | SCIM schema definitions |
| GET / POST | /api/scim/Users | List (supports count, startIndex, filter by email) / create user |
| GET / PUT / PATCH / DELETE | /api/scim/Users/{id} | Read, replace, patch, or delete a user |
| POST | /api/scim/Users/{id}/avatar | Upload a user avatar (multipart/form-data) |
| GET / POST | /api/scim/Groups | List / create groups |
| GET / PUT / PATCH / DELETE | /api/scim/Groups/{id} | Read, replace, patch, or delete a group |
| PUT | /api/scim/OrgUnits | Replace the organizational structure |
Troubleshooting
- 401 Unauthorized — the token is missing, invalid, or expired. Check the Authorization header format (
Bearer <token>) and the token validity period in UnSpot. - Provisioning errors in Entra ID — open the provisioning logs in the Entra admin center; most mapping errors are caused by a wrong source attribute (make sure
objectIdis used, notmailNickname). - In UnSpot, synchronization history is available in Reports > Integration history.