Skip to content
Users Admin
/
MS Entra User Provisioning
Last updated

MS Azure / Entra ID User Provisioning

This guide walks you through setting up user provisioning from Microsoft Entra ID (formerly Azure Active Directory) to Firstup using the SCIM protocol. It includes new customer setup, attribute mapping, and migration support.

Prerequisites

  • An active Microsoft Entra ID tenant.
  • Admin privileges: Application Administrator, Cloud Application Administrator, or Global Administrator.
  • Firstup SCIM API token (contact your Account Manager).

Workflow Summary

  1. Create an Enterprise Application.
  2. Attribute Mapping.
  3. Create Custom Attributes in Entra.
  4. Migrate Existing Customers.
  5. User Deprovisioning.

Create an Enterprise Application

Step 1: Create Your Application

  1. Sign into the Microsoft Entra Admin Center.
  2. Navigate to: Identity > Applications > Enterprise Applications > All applications
  3. Click New application.
  4. Select Create your own application.
  5. Name your app (e.g., Firstup Provisioning) and choose Non-gallery application.
  6. Click Create.

Step 2: Configure Provisioning

  1. Open your created app and go to Overview > Provision User Accounts.
  2. Click Get Started twice.
  3. Under Provisioning Mode, select Automatic.
  4. Enter the Tenant URL:
    • US1: https://partner.socialchorus.com/ms-azure-ad/scim/v2/
    • US2: https://partner.us2.onfirstup.com/ms-azure-ad/scim/v2/
    • EU: https://partner.onfirstup.eu/ms-azure-ad/scim/v2/
  5. Paste the SCIM Secret Token.
  6. Click Test Connection, then Save.

Attribute Mapping

Step 1: Remove Incompatible Defaults

  1. Remove: Join(" ", [givenName], [surname])
  2. Remove: country (Entra uses free text; Firstup expects a 2-digit ISO).

Step 2: Define Identifier Matching

Set the Source attribute based on your data:

  • userPrincipalName
  • employeeId
  • mail

Match this to userName in SCIM.

Step 3: Required Field Mappings

  • givenName → First Name
  • surname → Last Name
  • mail → Email Address

Entra SCIM only updates fields that contain values. If a field in Entra is empty, it will not overwrite the corresponding value in Firstup. Likewise, removing a value in Entra will not automatically clear it in Firstup.

Step 4 Optional: Custom Fields

Create Custom Attributes in Entra ID

Step 1: Add Attributes

  1. Navigate to Attribute Mapping > Show advanced options > Edit attribute list for customappsso.
  2. Add attributes in this format:
    • Standard: urn:ietf:params:scim:schemas:extension:SocialChorus:2.0:User:hireDate
    • Custom: urn:ietf:params:scim:schemas:extension:SocialChorus:2.0:User:customAttribute.country
  3. Click Save.

You can retrieve the correct custom attribute keys by querying the SCIM API:

GET {baseUrl}/ms-azure-ad/scim/v2/Users/{user_id}

Look inside the customAttributes object in the returned JSON for field keys.

Step 2: Map the New Attribute

  1. Go to Attribute Mapping > Add New Mapping.
  2. Set:
    • Type: Direct
    • Source: Entra Field
    • Target: Firstup SCIM Field
    • Match objects using this attribute: No This setting is No because the matching logic is handled by the userName field already.

For advanced attribute mapping, see Microsoft's official SCIM documentation.

Tips

  • Use Entra's on-demand provisioning to trigger updates.
  • Clean up default mappings before provisioning.
  • Use accurate matching logic to prevent user duplication.

User Deprovisioning

  • When users are removed from Entra or unlinked from the Enterprise App, they are automatically deprovisioned in Firstup.
  • Deprovisioning includes GDPR-compliant data deletion.
  • This runs during Entra's regular sync cycle.

Need help? Contact your Firstup Technical Consultant or Account Manager for guidance.

Previous page
Next page