
Automated user provisioning via SCIM

Synchronise users, groups and group memberships from Microsoft Entra ID to Workspace 365 with SCIM.

Introduction

SCIM (System for Cross-domain Identity Management) is a user provisioning solution. With SCIM, you synchronise users, groups and group memberships from Microsoft Entra ID to Workspace 365.

SCIM runs directly from Microsoft Entra ID. This means you do not need a separate machine. This is different from the Azure AD sync tool.

Each Workspace 365 environment is linked to its own Microsoft Entra ID tenant. That’s why you configure SCIM for each Workspace 365 environment. To create the connection, you generate an API key in Workspace 365. The SCIM application uses this key for authentication between Microsoft Entra ID and Workspace 365.

This article is for people who are responsible for user management, Microsoft Entra ID and automatically synchronising users and groups to Workspace 365.


Requirements

SCIM is only available to hosted partners and customers.

You need an Azure Global Administrator account with a Microsoft Entra ID Premium P1 or P2 licence to set up the SCIM application.

Users do not need a SCIM licence to be synchronised.

Users must have these details in Microsoft Entra ID:

  • First name.

  • Last name.

  • User Principal Name (UPN).

Groups must have a unique DisplayName in Microsoft Entra ID.


How does SCIM work?

The SCIM application uses REST API endpoints to create, update and delete users and groups.

For example, when you add a user, SCIM sends an HTTP POST with a JSON object to the user endpoint. Workspace 365 uses this object to create a new user.

The SCIM application uses a predefined Workspace 365 schema. This schema uses standard attributes, such as:

  • Group name.

  • UPN.

  • First name.

  • Last name.

  • Email address.

Use the article Azure SCIM client setup to set up SCIM.

Use the article Troubleshooting SCIM when you run into issues.

When you use SCIM, keep the following in mind:

  • The Workspace admin role is always managed from Workspace 365.

  • SCIM synchronises at a fixed interval of about 40 minutes.

  • You cannot change the synchronisation interval.

  • SCIM does not synchronise profile pictures.

  • Workspace 365 loads or changes profile pictures when users sign in.

  • For the phone number in the Workspace profile, Workspace 365 uses the Mobile phone field in Microsoft Entra ID.


Deleting users and groups

SCIM handles deletions in different ways.

| Action | Result in Workspace 365 |
| --- | --- |
| You remove a user from the SCIM scope. | The user is added to the list of deleted users. This is a soft delete. You can restore the user. |
| You remove a group from the SCIM scope. | The group is permanently deleted from Workspace 365. This is a hard delete. |
| You permanently delete a user in Microsoft Entra ID. | The user is permanently deleted from Workspace 365. This is a hard delete. |
| You permanently delete a group in Microsoft Entra ID. | The group is permanently deleted from Workspace 365. This is a hard delete. |


Switching to SCIM

When you switch from the Azure AD sync tool, the SCIM scope must include all users and groups that you want to keep in Workspace 365. Users and groups are only kept when they are within the SCIM scope.

When you switch from manually imported users, SCIM links existing Workspace users to the matching users in Microsoft Entra ID.


Limitations

You can synchronise up to 100,000 users per Workspace 365 environment through SCIM.

You can synchronise up to 10,000 groups per Workspace 365 environment through SCIM.

Members of nested groups are not imported directly.

You cannot synchronise groups without a unique DisplayName in Microsoft Entra ID.

You cannot import users from distribution lists.

You cannot import users from mail-enabled security groups.
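
An added example, not part of the original article or Workspace 365's own tooling: a pre-flight check that applies the requirements and limitations listed on this page, plus the scope rule from Switching to SCIM, to a planned SCIM scope before it is enabled. The export shape, the Microsoft Graph-style field names and the function name `preflight` are assumptions, and all sample data is constructed.

```python
from collections import Counter

# Limits and required user details as stated on this page.
MAX_USERS, MAX_GROUPS = 100_000, 10_000
REQUIRED_USER_FIELDS = ("givenName", "surname", "userPrincipalName")

def preflight(users, groups, existing_upns=(), existing_groups=()):
    """Return a list of findings for a planned SCIM scope.

    users/groups are dicts exported from Microsoft Entra ID (the field names
    are an assumption); existing_* are names currently in Workspace 365.
    """
    findings = []
    if len(users) > MAX_USERS:
        findings.append(f"scope has {len(users)} users, limit is {MAX_USERS}")
    if len(groups) > MAX_GROUPS:
        findings.append(f"scope has {len(groups)} groups, limit is {MAX_GROUPS}")
    for u in users:
        missing = [f for f in REQUIRED_USER_FIELDS if not (u.get(f) or "").strip()]
        if missing:
            label = u.get("userPrincipalName") or u.get("id", "?")
            findings.append(f"user {label}: missing {', '.join(missing)}")
    # DisplayName must be unique; ignoring case is a conservative assumption.
    names = Counter((g.get("displayName") or "").strip().lower() for g in groups)
    for name, n in sorted(names.items()):
        if not name or n > 1:
            findings.append(f"group displayName {name!r} is empty or used {n} times")
    # Switching to SCIM: users and groups outside the scope are not kept.
    scoped_upns = {(u.get("userPrincipalName") or "").lower() for u in users}
    for upn in sorted(set(map(str.lower, existing_upns)) - scoped_upns):
        findings.append(f"existing user {upn} is outside the SCIM scope, not kept")
    for name in sorted(set(map(str.lower, existing_groups)) - set(names)):
        findings.append(f"existing group {name!r} is outside the SCIM scope, not kept")
    return findings

# Constructed sample data, not taken from a real tenant.
SAMPLE_USERS = [
    {"id": "u1", "givenName": "Ada", "surname": "Berg", "userPrincipalName": "ada@example.test"},
    {"id": "u2", "givenName": "Sam", "surname": "", "userPrincipalName": "sam@example.test"},
]
SAMPLE_GROUPS = [{"displayName": "Finance"}, {"displayName": "finance"}, {"displayName": "HR"}]

if __name__ == "__main__":
    for line in preflight(SAMPLE_USERS, SAMPLE_GROUPS,
                          existing_upns=["ada@example.test", "old@example.test"],
                          existing_groups=["HR", "Legacy"]):
        print(line)
```

An empty result means the planned scope meets the checks above; it does not cover nested groups, distribution lists or mail-enabled security groups, which need to be reviewed in Microsoft Entra ID itself.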
