Create a Microsoft Entra enterprise application

Creating a Microsoft Entra (formerly Azure Active Directory) enterprise application is the first step to integrate the SuperOffice SCIM endpoint with the Microsoft Entra provisioning service.

Pre-requisites:

  • A Microsoft Entra admin account.

  • Access to Microsoft Entra admin center with permissions to create an enterprise application of type non-gallery applicationMicrosoft Entra Premium (P1 or P2) required.

For testing, you can do a 30-day free trial of Microsoft Entra ID Premium. If you obtain a new license to Microsoft Entra ID, you might need to sign out and back in to activate the license.

Sign in and add the application

  1. In a browser, sign in to the Microsoft Entra admin center.
  2. From the left pane, select Enterprise applications.
  3. Add your own application:
    1. Click + New application.
    2. Select All.
    3. Click Create your own application.
    4. Enter a name.
    5. Select Integrate any other application you don’t find in the gallery (Non-gallery).
    6. Click Add.

For updated info from Microsoft, see their guide to build a SCIM endpoint and configure provisioning.

Turn on automatic provisioning from Microsoft Entra ID

  1. Go to the app management screen and select Provisioning from the left pane.

  2. Set Provisioning mode to Automatic.

    Microsoft Entra provisioning panel -screenshot

Configure admin credentials

  1. Expand the Admin Credentials settings block.

  2. Get the SCIM config from the SuperOffice Identity Manager.

  3. Copy the URL into the Tenant URL field.

  4. Copy the Token into the Secret Token field.

  5. Click Test Connection and verify the connection between Microsoft Entra ID and the SuperOffice SCIM endpoint.

  6. Click Save.

SCIM test connection from Microsoft Entra ID -screenshot

Configure mapping

The Microsoft Entra portal allows mapping to the id attribute. However, this is not supported by SCIM and should not be used.

  1. Expand the Mappings settings block.

  2. Customize the attribute mapping of **externalId** for user objects:

    1. Select the user attribute set.
    2. Change the default mapping of **externalId** from mailNickName to objectId.
    3. Enable the Match objects using this attribute option.
    4. Set Matching precedence to 2.
    5. Click OK.

    Mapping external ID -screenshot

  3. Change the attribute mapping for group objects to match on objectId rather than displayName:

    1. Select the group attribute set.
    2. Select the displayName attribute, change Matching precedence value to 2, and click OK.
    3. Select the objectId attribute, enable the Match objects using this attribute option, set Matching precedence value to 1, and click OK.

    Mapping groups -screenshot

  4. Click Save.

Start 1st synchronization and verify the result

  1. Scroll down to Settings.
  2. Select scope - do you want to sync all or only assigned users and groups?
  3. Set Provisioning status to On.
  4. Click Save to start the synchronization.
  5. Wait for the incremental cycle to complete.
  6. You can now preview the users in the SuperOffice Identity Manager.

Microsoft Entra provisioning settings -screenshot

Next steps