
Identity as a Service:Synchronize Microsoft Entra ID (formerly Azure AD) users or groups using SCIM

Last Updated:Dec 12, 2025

This document describes how to use the System for Cross-domain Identity Management (SCIM) protocol to synchronize users or groups from Microsoft Entra ID (formerly Azure Active Directory) to the Alibaba Cloud Identity as a Service (IDaaS) platform. This process automates user management, reducing manual tasks and improving efficiency.

Scope

  • Permissions: You have administrator permissions for both Alibaba Cloud IDaaS and Microsoft Entra ID.

  • Environment: You have a Microsoft Entra ID tenant and have created an EIAM instance for Alibaba Cloud IDaaS.

Step 1: Configure SCIM synchronization in an IDaaS application

  1. Log on to the Alibaba Cloud IDaaS console. In the navigation pane on the left, click EIAM. In the instance list under the IDaaS tab, find the target instance and click Manage in the Actions column.

  2. In the navigation pane on the left of the IDaaS page, choose Application Management > Applications. Find the target application (a Standard Protocols or Custom Applications application) and go to its details page. To create one, see Create an application.

  3. On the application details page, configure the settings. For more information, see Account synchronization between IDaaS and applications.

    Important

    Ensure that IDaaS API is enabled in the IDaaS application.

  4. On the application details page, obtain the following information:

    • Bearer Token: On the Provisioning > Synchronize Application to IDaaS tab, click View next to Bearer Token. Copy and record the displayed token.

    • SCIM Base URL: On the Provisioning > Synchronize Application to IDaaS tab, copy and record the URL displayed in the SCIM Base URL field.

Step 2: Enable SCIM synchronization in Microsoft Entra ID

Create an application

  1. Log on to the Azure portal as an administrator.

  2. In the search box at the top of the homepage, search for Microsoft Entra ID, and in the search results, click Microsoft Entra ID.

  3. On the overview page, click Add > Enterprise application.

  4. On the Browse Microsoft Entra Gallery page, click Create your own application.

  5. Enter an application name, select Integrate any other application you don't find in the gallery (Non-Gallery), and then click Create.

Assign users and groups

  1. In the navigation pane on the left, choose Manage > Users and groups.

  2. On the Users and groups page, click Add user/group to go to the Add Assignment page.

  3. On the Add Assignment page, click Users and groups > None selected. In the pane that appears on the right, select the users and groups to synchronize. Then, click Select at the bottom of the pane. Finally, click Assign in the lower-left corner of the page.

Configure connection information

  1. In the navigation pane on the left, choose Manage > Provisioning to go to the Overview (Preview) page.

  2. Click New configuration > Connect your application and configure the following parameters.

    1. Authentication method: Select Bearer authentication.

    2. Tenant URL: Enter the SCIM Base URL that you obtained from IDaaS in Step 1.

    3. Secret Token: Enter the Bearer Token that you obtained from IDaaS in Step 1.

  3. Test the connection. If the message Connection test for "xxx" was successful appears in the upper-right corner of the page, the configuration is correct.

  4. Click Create.
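Before pointing Microsoft Entra ID at the endpoint, it is useful to know which of the two values copied in Step 1 is wrong when the connection test fails. The following check is an added example, not code from Alibaba Cloud IDaaS or Microsoft Entra ID: it sends the kind of request a SCIM 2.0 server must accept (GET /Users with the Bearer Token) and classifies the reply. The exact request Entra sends during Test connection is not documented on this page, so this is an approximation; the endpoint, token and the offline stand-in transport are constructed for the example.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A transport performs one GET and returns (HTTP status, response body).
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_probe_request(base_url: str, token: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers for the probe. base_url is the SCIM Base URL and token
    the Bearer Token, both copied from the IDaaS application in Step 1."""
    url = base_url.rstrip("/") + "/Users?count=1"
    headers = {
        "Authorization": "Bearer " + token,
        "Accept": "application/scim+json",
    }
    return url, headers


def urllib_transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real HTTPS transport, used when no other transport is injected."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe_scim_endpoint(base_url: str, token: str,
                        transport: Transport = urllib_transport) -> Tuple[bool, str]:
    """Return (ok, reason), separating the two values an operator can get
    wrong under Connect your application: the Tenant URL and the Secret Token.
    The token itself never appears in the returned text."""
    url, headers = build_probe_request(base_url, token)
    status, body = transport(url, headers)
    if status in (401, 403):
        return False, "rejected (HTTP %d): Secret Token does not match the IDaaS Bearer Token" % status
    if status == 404:
        return False, "not found: Tenant URL is not the SCIM Base URL"
    if status != 200:
        return False, "unexpected HTTP %d" % status
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "HTTP 200 but the body is not JSON; probably not a SCIM endpoint"
    if LIST_RESPONSE not in doc.get("schemas", []):
        return False, "HTTP 200 but not a SCIM ListResponse"
    return True, "ok: %s users visible" % doc.get("totalResults", "?")


# Constructed stand-in for the IDaaS SCIM endpoint so the check runs offline.
# It knows one base path and one token; both values are invented for this example.
FAKE_BASE_URL = "https://idaas.example.invalid/scim"
FAKE_TOKEN = "EXAMPLE-TOKEN"


def fake_idaas_transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    if not url.startswith(FAKE_BASE_URL + "/Users"):
        return 404, "not found"
    if headers.get("Authorization") != "Bearer " + FAKE_TOKEN:
        return 401, '{"detail": "invalid token"}'
    return 200, json.dumps({"schemas": [LIST_RESPONSE], "totalResults": 2, "Resources": []})


if __name__ == "__main__":
    print(probe_scim_endpoint(FAKE_BASE_URL, FAKE_TOKEN, fake_idaas_transport))
    print(probe_scim_endpoint(FAKE_BASE_URL, "wrong-token", fake_idaas_transport))
```

Against a real instance, call probe_scim_endpoint with the SCIM Base URL and Bearer Token and the default transport. A 401 or 403 points at the token, a 404 at the URL; keep the token out of logs and shell history, since it grants write access to the IDaaS account directory.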

Configure mapping attributes

  1. In the navigation pane on the left, choose Manage > Attribute mapping (Preview).

  2. Click Provision Microsoft Entra ID Users. On the user Attribute mappings page, complete the following steps.

    Synchronize basic attributes

    In the Attribute Mappings list, keep only the basic attribute mappings shown in the original figure and delete every other mapping. To delete a mapping, click the Delete button in the corresponding row.

    [Figure: Attribute Mappings list showing the basic mappings to keep]

    Synchronize other attributes (optional)

    Note

    Configure these settings as needed. The following example shows how to synchronize the streetAddress field of a Microsoft Entra ID user to the extended field User Address in IDaaS.

    1. Add an extended field in IDaaS.

      1. On the IDaaS management page, choose Account > Field Management > Extended Fields, and click Create Field.

      2. Configure the field information.

        • Field Display Name: The name displayed on pages, such as the user information page, for easy viewing and management. For example: User Address.

        • Field ID: The unique identifier used by the system. For example: user_address.

        • Field Type: The input type for the field. For example: Input Box.

      3. On the IDaaS application details page, click Provisioning > Synchronize Application to IDaaS > Show Advanced Settings, and configure the following settings.

        • Custom Field Namespace: Enter urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User.

        • Sync Target Field: You can set one or more target fields for synchronization, such as User Address (user_address).

      4. Click Save.

    2. Configure Attribute mappings in Microsoft Entra ID.

      1. Below the Attribute mappings list, click Show advanced options > Edit attribute list for Customappsso.

      2. At the bottom of the Edit Attribute List, add a new attribute and configure the following settings. When you are finished, click Save in the upper-left corner.

        • Name: Enter the Custom Field Namespace and Field ID that you configured in the IDaaS application, connected by a colon (:). For example: urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:user_address.

        • Type: Select a data type that is compatible with the extension field in the IDaaS application. For example: String.

      3. Below the Attribute mappings list, click Add new mapping.

      4. On the Edit attribute page, configure the following settings:

        • Mapping type: Select Direct.

        • Source attribute: Select the attribute to synchronize. For example: streetAddress.

        • Target attribute: Select the attribute you added in the previous step. For example: urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:user_address.

      5. Click OK at the bottom.

  3. After the configuration is complete, click Save in the upper-left corner.
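To see what the mapping configured above produces on the wire, here is an added example (not code from Microsoft Entra ID or Alibaba Cloud IDaaS) that applies Direct mappings to an Entra user object and builds the SCIM user resource, then reads the extension field back the way the IDaaS side does with its Custom Field Namespace and Sync Target Field. The custom mapping matches the page's example (streetAddress to urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:user_address); the three basic mappings, the sample user and all function names are this example's assumptions.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
EXT_NS = "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User"

# Direct mappings as target SCIM attribute -> Entra source attribute.
# The first three are assumed basic mappings; the last is the custom attribute
# added under Edit attribute list, named "<Custom Field Namespace>:<Field ID>".
MAPPINGS = {
    "userName": "userPrincipalName",
    "displayName": "displayName",
    "active": "accountEnabled",
    EXT_NS + ":user_address": "streetAddress",
}


def split_target(target):
    """Split a target attribute name into (schema URN, attribute name).
    Core attributes carry no URN; for extension attributes the Field ID is the
    part after the last colon (field IDs such as user_address contain none)."""
    if target.startswith("urn:"):
        namespace, _, attribute = target.rpartition(":")
        return namespace, attribute
    return None, target


def build_scim_user(entra_user, mappings=MAPPINGS):
    """Apply Direct mappings and return the SCIM resource that would be sent
    to the SCIM Base URL. Extension values are nested under their URN, and
    that URN is listed in "schemas", as SCIM 2.0 requires."""
    resource = {"schemas": [CORE_USER]}
    for target, source in mappings.items():
        if source not in entra_user:
            continue  # unmapped source attributes are simply not sent
        namespace, attribute = split_target(target)
        if namespace is None:
            resource[attribute] = entra_user[source]
        else:
            if namespace not in resource["schemas"]:
                resource["schemas"].append(namespace)
            resource.setdefault(namespace, {})[attribute] = entra_user[source]
    return resource


def read_extension_field(resource, namespace, field_id):
    """Receiving side: look up the Sync Target Field under the configured
    Custom Field Namespace. None means the namespace or field is absent, which
    is what a mismatch between the two consoles looks like in practice."""
    if namespace not in resource.get("schemas", []):
        return None
    return resource.get(namespace, {}).get(field_id)


# Constructed Entra user object for the demonstration.
SAMPLE_ENTRA_USER = {
    "userPrincipalName": "alice@contoso.example",
    "displayName": "Alice Example",
    "accountEnabled": True,
    "streetAddress": "1 Example Road",
}

if __name__ == "__main__":
    scim_user = build_scim_user(SAMPLE_ENTRA_USER)
    print(json.dumps(scim_user, indent=2))
    print("user_address =", read_extension_field(scim_user, EXT_NS, "user_address"))
```

The namespace string must be identical in both consoles: read_extension_field returns None for any spelling difference, which shows up in IDaaS as an extended field that stays empty after provisioning.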

Synchronize users

  • Enable automatic synchronization:

    In the navigation pane on the left, click Overview (Preview). Then, click Start provisioning to enable automatic synchronization. The provisioning interval is 40 minutes by default and cannot be changed.

  • To synchronize immediately:

    1. In the navigation pane on the left, click Provision on demand.

    2. In the Select a user or group search box, enter the name of the target user or group and select it from the results.

    3. Click Provision at the bottom of the page to start the synchronization.

Step 3: Verify the results

  1. Log on to the Alibaba Cloud IDaaS console, click Manage for the target instance, and go to the IDaaS management page.

  2. In the navigation pane on the left, choose Account > Accounts and Orgs. You can view the synchronized users in the Account list on the right. Their Source is displayed as SCIM Import.

    Note

    If you configured the synchronization of user information from Microsoft Entra ID to an extended field in IDaaS, click a user's Username to go to the User Details page. You can view the information in the Account Information > Extended Field area.

  3. In the navigation pane on the left, choose Account > Group. You can view the synchronized groups in the Group list on the right. Their Source is displayed as SCIM Import.

FAQ

How do I re-enable a disabled AAD user?

Enable accounts through the Azure portal

  1. Log on to the Azure portal.

  2. In the top search bar, search for users. Click Services > Users.

  3. Find the target disabled user.

  4. Click the user to open its details page, and then click Edit under Account Status.

  5. Select Account Enabled. Click Save, and the account will be reactivated.

Can disabled users in AAD be synchronized to IDaaS?

The disabled status of Azure AD (AAD) users can be synchronized to Alibaba Cloud IDaaS, but you need to ensure that the SCIM configuration is correct. The following describes the specific mechanism:

  • Synchronization mechanism: AAD → IDaaS status mapping

    1. When an AAD user is disabled, AAD sends the attribute active: false through the System for Cross-domain Identity Management (SCIM) protocol.

    2. After IDaaS receives this, the user status will be marked as Disabled.

    3. When the AAD account is re-enabled, the account status in IDaaS returns to Normal.

Does AAD synchronization to IDaaS support user deletion?

When users are synchronized from Azure AD (AAD) to IDaaS, the deletion of a user in AAD can also be synchronized to IDaaS. The processing logic is as follows:

  1. When a user is deleted from the AAD application:

    1. AAD moves the user to Deleted Users. In the next synchronization cycle, AAD sends a disable instruction to IDaaS, and IDaaS disables the corresponding user when it receives the instruction.

    2. If you Permanently Delete the user from Deleted Users in AAD, AAD synchronizes the deletion in the next synchronization cycle, and IDaaS deletes the corresponding user when it receives the instruction.

  2. When a user assignment is removed from the AAD application: When a user is Removed From Assignment in the AAD application integrated with IDaaS, AAD sends a user disable instruction to IDaaS, and IDaaS disables the corresponding user according to the configuration.

    Important

    It is recommended that you verify the synchronization behavior in a test environment before performing large-scale deletion operations to ensure that it meets the expected security and compliance requirements.
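The two FAQ answers above (status mapping and deletion) describe the same SCIM operations from the AAD side. The following is an added example, not IDaaS code: a small in-memory /Users handler that applies the page's rules (active: false gives Disabled, active: true gives Normal, a DELETE removes the user) and replays both FAQ scenarios against it. The class, method names, statuses and the sample user are this example's own; the handling of a string-valued active flag is a defensive measure for clients that encode booleans as strings.

```python
import uuid

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def as_bool(value) -> bool:
    """Some SCIM clients send the active flag as the string "False". A naive
    bool("False") is True and would leave a disabled account enabled, so
    strings are compared explicitly instead of being truth-tested."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


class ScimUserStore:
    """Receiving side of SCIM provisioning: an in-memory /Users resource."""

    def __init__(self):
        self.users = {}  # id -> {"userName", "status", "source"}
        self.log = []    # (method, userName, resulting status), for review

    @staticmethod
    def status_for(active) -> str:
        return "Normal" if as_bool(active) else "Disabled"

    def create(self, resource) -> str:
        """POST /Users: the user arrives with Source = SCIM Import."""
        uid = str(uuid.uuid4())
        self.users[uid] = {
            "userName": resource["userName"],
            "status": self.status_for(resource.get("active", True)),
            "source": "SCIM Import",
        }
        self.log.append(("POST", resource["userName"], self.users[uid]["status"]))
        return uid

    def patch(self, uid, patch) -> str:
        """PATCH /Users/{id}: apply replace operations on 'active' in either of
        the two shapes clients use, {"path": "active", "value": ...} or
        {"value": {"active": ...}}. Returns the resulting status."""
        if PATCH_OP not in patch.get("schemas", []):
            raise ValueError("not a SCIM PatchOp")
        user = self.users[uid]
        for op in patch["Operations"]:
            if op.get("op", "").lower() != "replace":
                continue
            value = op.get("value")
            if op.get("path") == "active":
                user["status"] = self.status_for(value)
            elif isinstance(value, dict) and "active" in value:
                user["status"] = self.status_for(value["active"])
        self.log.append(("PATCH", user["userName"], user["status"]))
        return user["status"]

    def delete(self, uid) -> None:
        """DELETE /Users/{id}: sent after a Permanently Delete in AAD."""
        user = self.users.pop(uid)
        self.log.append(("DELETE", user["userName"], "deleted"))


def set_active_op(active) -> dict:
    """The PatchOp AAD sends when a user is disabled, re-enabled, moved to
    Deleted Users, or removed from the application assignment."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": active}]}


def replay_faq_scenarios():
    """Replay the two FAQ scenarios and return the status observed after each
    step, plus the store for inspection. The user is constructed."""
    store = ScimUserStore()
    uid = store.create({"schemas": [CORE_USER],
                        "userName": "bob@contoso.example", "active": True})
    seen = {"created": store.users[uid]["status"]}
    # Scenario 1: disabled in AAD, then re-enabled.
    seen["disabled_in_aad"] = store.patch(uid, set_active_op(False))
    seen["re_enabled_in_aad"] = store.patch(uid, set_active_op(True))
    # Scenario 2: moved to Deleted Users (a disable instruction, here with the
    # string form of the flag), then permanently deleted (a DELETE).
    seen["moved_to_deleted_users"] = store.patch(uid, set_active_op("False"))
    store.delete(uid)
    seen["permanently_deleted"] = "deleted" if uid not in store.users else "still present"
    return seen, store


if __name__ == "__main__":
    observed, _ = replay_faq_scenarios()
    for step, status in observed.items():
        print(f"{step:24s} -> {status}")
```

The log kept by the store is the kind of record worth reviewing in a test environment before large-scale deletions: every disable and delete can be traced back to the SCIM operation that caused it, and a user that should have been disabled but still shows Normal usually points at the active flag being parsed as a non-empty string.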