Use the System for Cross-domain Identity Management (SCIM) protocol to automatically sync users and groups from Microsoft Entra ID (formerly Azure Active Directory) to Alibaba Cloud Identity as a Service (IDaaS). Once configured, Entra ID pushes user lifecycle events—provisioning, updates, disabling, and deletion—to IDaaS without manual intervention.
Prerequisites
Before you begin, ensure that you have:
Administrator permissions for both Alibaba Cloud IDaaS and Microsoft Entra ID
A Microsoft Entra ID tenant
An EIAM instance created in Alibaba Cloud IDaaS
Step 1: Get the SCIM credentials from IDaaS
Log on to the Alibaba Cloud IDaaS console. In the left navigation pane, click EIAM. On the IDaaS tab, find your instance and click Console in the Actions column.
In the left navigation pane, choose Application Management > Applications. Find the target application (Standard Protocols or Custom Applications) and open its details page. If you haven't created an application yet, see Create an application.
On the application details page, configure account synchronization settings. For details, see Account synchronization between IDaaS and applications.
Important: Enable IDaaS API in the application settings before proceeding.

On the Provisioning > Synchronize Application to IDaaS tab, copy and save the following credentials—you'll need them in the next step:
Bearer Token: Click View next to Bearer Token to reveal and copy the token.
SCIM Base URL: Copy the URL shown in the SCIM Base URL field.
Step 2: Configure provisioning in Microsoft Entra ID
Create an enterprise application
Log on to the Azure portal as an administrator.
In the top search bar, search for Microsoft Entra ID and click it in the results.
On the overview page, click Add > Enterprise application.

On the Browse Microsoft Entra Gallery page, click Create your own application.
Enter an application name, select Integrate any other application you don't find in the gallery (Non-Gallery), and click Create.
Assign users and groups
In the left navigation pane, choose Manage > Users and groups.
Click Add user/group to open the Add Assignment page.
Click Users and groups > None selected. In the panel that appears, select the users and groups to sync, click Select at the bottom, and then click Assign.
Connect to IDaaS
In the left navigation pane, choose Manage > Provisioning to open the Overview (Preview) page.
Click New configuration > Connect your application and set the following parameters:
| Parameter | Value |
|---|---|
| Authentication method | Bearer authentication |
| Tenant URL | The SCIM Base URL from Step 1 |
| Secret Token | The Bearer Token from Step 1 |
Click Test connection. If you see a "Connection test for 'xxx' was successful" message in the upper-right corner, the connection is configured correctly.
Click Create.
Configure attribute mappings
In the left navigation pane, choose Manage > Attribute mapping (Preview).
Click Provision Microsoft Entra ID Users to open the Attribute mappings page.
Keep the required basic attributes
In the Attribute Mappings list, delete all rows not shown in the following figure. Click Delete in each row you want to remove.

Sync custom attributes (optional)
To sync additional Entra ID fields to IDaaS extended fields, follow the steps below. The example shows how to sync the streetAddress field to an IDaaS extended field called User Address.
Custom SCIM attribute naming pattern
Custom SCIM extension attributes follow this pattern:
urn:ietf:params:scim:schemas:extension:<CustomExtensionName>:2.0:User:<FieldID>
Where:
<CustomExtensionName>: The custom namespace identifier configured in your IDaaS application
<FieldID>: The field ID you define in IDaaS
Full example: urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:user_address
Add an extended field in IDaaS
In the IDaaS console, choose Account > Field Management > Extended Fields, and click Create Field.
Configure the field:
| Setting | Description | Example |
|---|---|---|
| Field Display Name | Name shown on the user information page | User Address |
| Field ID | Unique system identifier | user_address |
| Field Type | Input type for the field | Input Box |
On the IDaaS application details page, click Provisioning > Synchronize Application to IDaaS > Show Advanced Settings and configure:
Custom Field Namespace:
urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User
Sync Target Field: Select the extended field you created, for example, User Address (user_address)
Click Save.
Add the attribute mapping in Microsoft Entra ID
Below the Attribute Mappings list, click Show advanced options > Edit attribute list for Customappsso.
At the bottom of the Edit Attribute List, add a new attribute:
Name: Enter the full custom attribute name using the pattern above, for example:
urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:user_address
Type: Select a data type compatible with your IDaaS extended field, for example, String
Click Save in the upper-left corner.
Below the Attribute Mappings list, click Add new mapping.
On the Edit attribute page, configure the mapping:
| Setting | Value |
|---|---|
| Mapping type | Direct |
| Source attribute | The Entra ID field to sync, for example, streetAddress |
| Target attribute | The custom attribute you added, for example, urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:user_address |
Click OK, then click Save in the upper-left corner.
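The custom attribute name entered in Entra ID has to agree with the Custom Field Namespace and Field ID configured in IDaaS. The following added example (not code from Alibaba Cloud or Microsoft) splits the full attribute name according to the pattern above, checks the namespace, and shows where the value sits in a SCIM 2.0 User resource as defined in RFC 7643. The function names, the allowed character sets and the sample user are assumptions made for illustration.

```python
import re

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core schema
# Pattern from this page: ...:extension:<CustomExtensionName>:2.0:User:<FieldID>
# The character sets allowed in each part are an assumption of this example.
ATTR_RE = re.compile(
    r"^(urn:ietf:params:scim:schemas:extension:[A-Za-z0-9_.-]+:2\.0:User)"
    r":([A-Za-z0-9_]+)$"
)


def split_custom_attribute(full_name, idaas_namespace):
    """Return (namespace, field_id) for an Entra ID target attribute name and
    check that the namespace equals the Custom Field Namespace set in IDaaS."""
    match = ATTR_RE.match(full_name)
    if match is None:
        raise ValueError(f"not a custom extension attribute: {full_name!r}")
    namespace, field_id = match.groups()
    if namespace != idaas_namespace:
        raise ValueError(f"namespace {namespace!r} is not {idaas_namespace!r}")
    return namespace, field_id


def build_user(user_name, active, idaas_namespace, custom_values):
    """Build a SCIM 2.0 User resource. custom_values maps the full attribute
    name used in the Entra ID mapping to the value to sync."""
    user = {"schemas": [CORE_USER], "userName": user_name, "active": active}
    for full_name, value in custom_values.items():
        namespace, field_id = split_custom_attribute(full_name, idaas_namespace)
        if namespace not in user["schemas"]:
            user["schemas"].append(namespace)
        # RFC 7643: extension attributes are nested under the schema URN key.
        user.setdefault(namespace, {})[field_id] = value
    return user


if __name__ == "__main__":
    import json
    ns = "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User"
    # Constructed sample user; the address value is made up for illustration.
    print(json.dumps(build_user("alice@example.com", True, ns,
                                {ns + ":user_address": "1 Example Street"}), indent=2))
```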
Start syncing users
Entra ID supports two sync modes:
Automatic sync (recommended)
In the left navigation pane, click Overview (Preview), then click Start provisioning. Entra ID syncs automatically every 40 minutes. This interval is fixed and cannot be changed.
On-demand sync
To sync a specific user or group immediately:
In the left navigation pane, click Provision on demand.
In the Select a user or group search box, enter the name of the user or group and select it.
Click Provision at the bottom of the page.
Step 3: Verify the sync results
Log on to the Alibaba Cloud IDaaS console, find your instance, and click Console.
To verify users: In the left navigation pane, choose Account > Accounts and Orgs. Synced users appear in the Account list with Source set to SCIM Import.
To verify groups: In the left navigation pane, choose Account > Group. Synced groups appear in the Group list with Source set to SCIM Import.
To verify extended field values: Click a synced user's Username to open the User Details page. Check the Account Information > Extended Field area for the synced values.
User lifecycle sync behavior
The following table shows how Entra ID user lifecycle events map to IDaaS:
| Entra ID event | What Entra ID sends | IDaaS result |
|---|---|---|
| User disabled | active: false via SCIM | User marked as Disabled |
| User re-enabled | active: true via SCIM | User status returns to Normal |
| User removed from app assignment | Disable instruction | User disabled in IDaaS |
| User deleted from app, moved to Deleted Users | Disable instruction (next sync cycle) | User disabled in IDaaS |
| User permanently deleted from Deleted Users | Delete instruction (next sync cycle) | User deleted from IDaaS |
Test deletion behavior in a non-production environment before running large-scale delete operations.
FAQ
How do I re-enable a disabled Entra ID user?
Log on to the Azure portal.
In the top search bar, search for Users and click Services > Users.
Find and click the disabled user.
Under Account Status, click Edit, select Account Enabled, and click Save.
The account will be reactivated.