Configure SCIM with Microsoft Entra ID
Step-by-step guide to connect Microsoft Entra ID to Scrydon via SCIM 2.0 for automated user and group provisioning.
This guide walks you through configuring Microsoft Entra ID provisioning for Scrydon over SCIM 2.0.
Prerequisites
- Scrydon org admin access so you can open Settings → Platform → Identity.
- Microsoft Entra ID tenant access with rights to create or edit Enterprise Applications.
- A Scrydon SCIM token generated from the Provisioning (SCIM) tab in Scrydon.
If you already have a Scrydon Enterprise Application in Entra for SSO, reuse it. If not, create a non-gallery application just for provisioning.
1. Create the Enterprise Application
Open Enterprise Applications
Sign in to the Microsoft Entra admin center and navigate to:
Identity → Applications → Enterprise applications
Create a new application
Click + New application, then choose Create your own application.
Create a non-gallery app
Give the app a name such as Scrydon SCIM and choose:
Integrate any other application you don't find in the gallery (Non-gallery)
2. Configure the SCIM connection
Open the Provisioning tab
Inside the Enterprise Application, open Provisioning in the left sidebar. Click Get started if this is the first time you configure provisioning.
Set Provisioning Mode to Automatic
Set Provisioning Mode to Automatic.
Fill in the admin credentials
Under Admin Credentials, enter:
- Tenant URL: your Scrydon SCIM endpoint, for example: https://auth.YOUR-TENANT.scrydon.com/api/auth/scim/v2
- Secret Token: the SCIM token generated in Scrydon.
Paste the raw token only. Do not prefix it with Bearer and do not wrap it in
quotes. Entra adds the bearer prefix itself.
Test the connection
Click Test Connection.
If Entra can reach Scrydon, you will see a green success message. During this
step Entra often probes the SCIM ServiceProviderConfig endpoint before it
starts real provisioning traffic.
If the test fails, verify that the URL ends with /api/auth/scim/v2, the token
is still active in Scrydon, and the token was pasted without a Bearer prefix.
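The three failure causes listed above can be checked before anything is pasted into Entra. The script below is an added example, not Scrydon or Microsoft code: `check_credentials`, `build_probe` and the `SCIM_URL` / `SCIM_TOKEN` environment variable names are hypothetical, and the probe assumes the standard SCIM `/ServiceProviderConfig` path under the tenant URL.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

SCIM_SUFFIX = "/api/auth/scim/v2"  # path suffix stated in this guide


def check_credentials(tenant_url: str, secret_token: str) -> list[str]:
    """Return the problems found; an empty list means the values look sane."""
    problems = []
    parts = urlsplit(tenant_url)
    if parts.scheme != "https":
        problems.append("Tenant URL must use https")
    if not parts.path.endswith(SCIM_SUFFIX) or parts.query or parts.fragment:
        problems.append(f"Tenant URL must end with {SCIM_SUFFIX}")
    token = secret_token.strip()
    if not token:
        problems.append("Secret Token is empty")
    if token != secret_token:
        problems.append("Secret Token has leading or trailing whitespace")
    if token.lower().startswith("bearer "):
        problems.append("Secret Token must not carry a Bearer prefix")
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        problems.append("Secret Token must not be wrapped in quotes")
    return problems


def build_probe(tenant_url: str, secret_token: str) -> urllib.request.Request:
    """Build the authenticated GET for the ServiceProviderConfig endpoint."""
    return urllib.request.Request(
        tenant_url + "/ServiceProviderConfig",
        headers={"Authorization": f"Bearer {secret_token}",  # prefix added here
                 "Accept": "application/scim+json"})


if __name__ == "__main__":
    # Read both values from the environment so the token stays out of shell history.
    url, token = os.environ["SCIM_URL"], os.environ["SCIM_TOKEN"]
    issues = check_credentials(url, token)
    if issues:
        raise SystemExit("\n".join(issues))
    try:
        with urllib.request.urlopen(build_probe(url, token), timeout=10) as resp:
            print("ServiceProviderConfig returned HTTP", resp.status)
    except urllib.error.HTTPError as err:
        print("Scrydon rejected the probe with HTTP", err.code)
```

An HTTP 401 from the probe points at the token (revoked or malformed) rather than the URL.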
3. Map your users and groups
Under Mappings, Entra creates default entries for users and groups.
Users
Open Provision Microsoft Entra ID Users and review the attribute list.
- Entra usually maps userPrincipalName to userName.
- If Scrydon should use email as the canonical work email, make sure emails[type eq "work"].value is mapped to mail or your chosen email source.
- Remove attributes you do not want to send.
Groups
Open Provision Microsoft Entra ID Groups and confirm:
- displayName is mapped for the group name.
- members is mapped for membership sync.
Scrydon applies Entra membership updates through SCIM PATCH requests, so group
membership changes flow through the group mapping rather than a full group replace.
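To show what a membership PATCH changes compared with a full replace, the sketch below applies a SCIM 2.0 PatchOp message (RFC 7644) to a set of member ids. It is an added example, not Scrydon's implementation: `apply_group_patch` is a hypothetical name, the ids and request body are constructed, and it accepts removals written either as a path filter or as a value array.

```python
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Removal written as a path filter: members[value eq "<id>"]
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')

# Constructed request body: add one member, remove another.
SAMPLE_PATCH = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [
        {"op": "Add", "path": "members", "value": [{"value": "user-4"}]},
        {"op": "Remove", "path": 'members[value eq "user-2"]'},
    ],
}


def apply_group_patch(members: set[str], patch: dict) -> set[str]:
    """Return the member ids after applying the add/remove operations."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = set(members)
    for op in patch.get("Operations", []):
        kind = str(op.get("op", "")).lower()  # accept Add/add, Remove/remove
        path = op.get("path") or ""
        values = op.get("value") or []
        ids = {v["value"] for v in values if isinstance(v, dict) and "value" in v}
        match = MEMBER_FILTER.match(path)
        if kind == "add" and path == "members" and ids:
            result |= ids
        elif kind == "remove" and match:
            result.discard(match.group(1))  # id carried in the path filter
        elif kind == "remove" and path == "members" and ids:
            result -= ids  # ids carried in the value array
        elif kind == "remove" and path == "members":
            result.clear()  # no filter and no value: drop every member
        else:
            raise ValueError(f"unsupported operation: {kind!r} on {path!r}")
    return result


if __name__ == "__main__":
    print(sorted(apply_group_patch({"user-1", "user-2", "user-3"}, SAMPLE_PATCH)))
```

Members not named in the request (`user-1` and `user-3` here) are left untouched, which is the difference from replacing the whole group.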
4. Define the scope and start provisioning
Assign users and groups
In the Enterprise Application, open Users and groups and assign the users or groups that should sync into Scrydon.
Choose the provisioning scope
Go back to Provisioning, then under Settings → Scope choose one of:
- Sync only assigned users and groups: recommended for first rollout.
- Sync all users and groups: syncs your entire directory.
Turn provisioning on
Set Provisioning Status to On and click Save.
Verify the initial sync
After the first sync starts, verify the results in Scrydon:
- Settings → Organization → Members for users
- Settings → Organization → Teams for groups
- Settings → Platform → Audit Logs filtered on scim.* for request history
Ongoing sync behavior
- After the initial sync, Entra performs incremental syncs every 20 to 40 minutes. This cadence is controlled by Entra, not by Scrydon.
- Adding or removing a user from the Scrydon app in Entra is reflected in Scrydon on the next sync cycle.
- Removing a user from the Scrydon app in Entra deactivates them in Scrydon (see how deprovisioning works).
- Re-assigning a previously removed user in Entra reactivates their Scrydon account automatically.
Troubleshooting
"Provisioning has failed" banner in Entra
- Open Provisioning → Provisioning logs in Entra.
- Find the failing event. The Status details column shows the SCIM error returned by Scrydon.
- Compare the failure against the common cases below.
Common error messages
| Error | Meaning | Fix |
|---|---|---|
| 401 Unauthorized | Token invalid, revoked, or malformed | Generate a new token in Scrydon, paste the raw token into Entra, and test again |
| 400 mutability: email is immutable via SCIM | Entra tried to change an existing user's email | Deprovision and reprovision the user instead of editing the email |
| 400 mutability: userName is immutable via SCIM | Entra tried to change an existing user's userName | Deprovision and reprovision the user instead |
| 507 Insufficient Storage | Org has reached the user or group scale cap | Contact Scrydon support |
| 409 uniqueness | Duplicate externalId, or two Entra identities map to the same Scrydon email | Resolve the identity conflict in Entra |
| 429 Too Many Requests | Rate limit exceeded | Entra will back off and retry |
Provisioning stops unexpectedly
If Entra reports that sync has stopped after working initially:
- Go to Provisioning → Overview in the Scrydon app in Entra.
- Click Clear current state and restart synchronization.
- Click Save.
If the issue persists, verify the SCIM token has not been revoked in Scrydon.