How To Setup SCIM with MS Entra
This page will guide you through the setup for the connection from MS Entra to Unique AI.
1. Creating the SCIM Enterprise Application
These screenshots will guide you through the process of creating an Enterprise Application for SCIM.
1.1. Microsoft Entra ID resource

Open Microsoft Entra ID resource
1.2. Enterprise Application

Switch to “Enterprise applications”
1.3. New Enterprise Application

Click “New application”
1.4. Own Application

Click “Create your own application”
1.5. Name and Type

Name the application and choose “Non-gallery” and click “Create”
1.6. Finished

Now the Enterprise Application for SCIM has been created
2. Adding Users/Groups to the Application
In this step you define which users or groups are getting synced with Unique AI.
2.1. Adding users/groups

Select “Users and groups” and “Add user/group” in your created Enterprise Application
2.2. Selecting users/groups

Select the Users or Groups and click “Assign”
2.3. Assigned users/groups

The users/groups are now assigned
3. Setup the Connection
To connect Microsoft Entra ID to Unique AI, an API key is required. A user with the “Chat.Admin.All” role can run the following curl command. It creates a key that is authorised to access the SCIM endpoints of Unique AI for the organisation the user belongs to.
curl --location 'https://gateway.<baseUrl>/scope-management/graphql' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <your-access-token>' \
--data '{"query":"mutation ScimKeyCreate {\n scimKeyCreate {\n id\n key\n }\n}","variables":{}}'
In the response you will find the key attribute. Store it in a safe place; you will not be able to retrieve it again.
Contact your Customer Success representative to help you regarding this SCIM Key creation if needed.
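One way to keep the returned key out of the terminal scrollback, as an added example (not Unique's own code): pipe the curl response into the script below, which writes the key to a new file readable only by the current user. It assumes the standard GraphQL response envelope (data.scimKeyCreate with the id and key fields requested above); the function name store_scim_key and the file name are hypothetical.

```python
import json
import os


def store_scim_key(response_text, path):
    """Parse a scimKeyCreate response and write the key to a new 0600 file.

    Returns the key id, which is safe to log. The key itself is never
    returned or printed. The data.scimKeyCreate shape is an assumption
    based on the mutation shown on this page.
    """
    body = json.loads(response_text)

    # GraphQL reports failures in an "errors" array, often with HTTP 200.
    errors = body.get("errors")
    if errors:
        messages = "; ".join(
            str(e.get("message", e)) if isinstance(e, dict) else str(e)
            for e in errors
        )
        raise RuntimeError("scimKeyCreate failed: " + messages)

    result = (body.get("data") or {}).get("scimKeyCreate") or {}
    key, key_id = result.get("key"), result.get("id")
    if not key or not key_id:
        raise RuntimeError("response contains no key; nothing was stored")

    # O_EXCL refuses to overwrite an existing file, because a lost key
    # cannot be fetched again. Mode 0o600 limits access to the owner.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(key + "\n")
    return key_id


if __name__ == "__main__":
    import sys

    # Usage: curl ... | python store_scim_key.py scim.key
    print("stored key id:", store_scim_key(sys.stdin.read(), sys.argv[1]))
```

Move the stored key into your secrets manager and delete the file once the “Secret token” field in Entra ID has been filled.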
3.1. Switch to Provisioning

Switch to “Provisioning” on the Enterprise Application
3.2. Add Configuration

Click “New configuration”
3.3. Fill URL and Token

Insert the “Tenant URL” and key as “Secret token”
The <API-URL> is the base API URL on which the Unique AI backend services are available. Normally it is something like https://gateway.xxx.unique.app, but it can vary, especially for customer-managed tenants.
3.4. Test and create

After a successful test connection, click “Create”
4. Provisioning Options
Here we will adjust the attribute mapping, which defines which Entra ID field is mapped to which Unique user attribute.
4.1. Adjust the attribute mapping

Switch to the User Attribute Mapping “Provision Microsoft Entra ID Users”
4.2. Modify externalId to ObjectId
Please verify the user mapping, especially the mapping from externalId → objectId.
If you want to send custom user Metadata, then also check out this guide with its metadata mapping: User and Group metadata provisioning via SCIM

Modify the mapping according to the screenshot, especially externalId → objectId
5. Validate and Start the Provisioning
5.1 Validation
It is recommended to first test the setup using the “Provision on demand” feature in Microsoft Entra ID. Choose a single user to be provisioned into Unique’s IAM system (Zitadel) and verify that the user was created correctly. In case of incorrect provisioning: delete the user in Zitadel, adjust the configuration in Entra ID and try again.
Your Customer Success representative is happy to support you during this process if needed.

On Demand Provisioning of a single entity
As soon as a first user has been successfully provisioned, the provisioning of users can be enabled in Entra ID (see section below).
5.2 Starting Provisioning

Now start with the provisioning of the users and groups