How to configure Microsoft Entra ID integration via SCIM

Modified on Thu, 26 Feb at 2:07 PM

If you are using Microsoft Entra ID, you can connect your directory to Systam Studio, eliminating the need to manually create Systam Visit hosts. This guide describes how to enable automatic user synchronization from Microsoft Entra ID.


Note!

This is a paid extension and requires activation. Please contact our customer support at support@systam.io.


Once the setup is complete, Microsoft Entra ID:


  • Creates users in Systam.
  • Updates users in Systam (including primary workspace, name, emails, phone numbers, and active state).
  • Removes (Hard Delete) users in Systam when they do not require access anymore.
  • Keeps user attributes synchronized between Microsoft Entra ID and Systam.


For important details on what this service does, how it works, and frequently asked questions, see "What is automated app user provisioning in Microsoft Entra ID" on Microsoft Learn.



Important things to note

Prerequisites

Before configuration, you need to have the following prerequisites:
  • A Microsoft Entra tenant.
  • A user account in Microsoft Entra ID with permission to configure provisioning (for example, Application Administrator, Cloud Application Administrator, Application Owner, or Global Administrator).
  • A Systam organization account.
  • A user account in Systam with Admin permissions.


Important Considerations

  • Organization Owners: Users designated as "Organization Owners" in Systam are protected. Any attempt to update or delete these users via SCIM will result in an error in the provisioning logs. This is expected behavior.
  • No Soft Delete: Systam does not support a suspended or "soft-deleted" state. When a user is removed from scope or disabled in Entra ID (which sets the user's active attribute to false), Systam permanently deletes the user account. If the user returns to the scope later, they will be re-created as a new user.
  • Matching Logic: If a user already exists in Systam with the same email address, provisioning links that account to the SCIM user for this tenant; otherwise, a new user is created.
  • Groups: Systam does not currently support group provisioning.



Step 1: Plan your provisioning deployment

  1. Learn about how the provisioning service works.
  2. Determine who will be in scope for provisioning.
  3. Determine what data to map between Microsoft Entra ID and Systam.



Step 2: Preparation and actions in Systam Studio

Preparation

  1. Go to Systam Studio → Extensions → Microsoft Entra ID and click "Enable".
  2. Copy the Tenant URL and Secret Token shown in Studio. You will need these for the Entra ID configuration (see Step 5).
  3. You may also enter your organization’s Tenant ID, which helps us with troubleshooting if it is ever needed.


Set synchronization settings

In Systam Studio, choose how employees will be added to workspaces. You can decide whether employees are added to only one workspace in the organization or to all workspaces. Select the option that suits your organization before starting provisioning.


  • Primary workspaces
    • Synchronize hosts to only one workspace.
  • All workspaces
    • Synchronize hosts to all workspaces.


Note!
If you later change the setting to Primary workspaces, hosts will not be automatically removed from other workspaces.



Define primary workspaces (if using Primary workspaces)

If you use the Primary workspaces setting, you must define workspace-specific Entra values.

You can assign employees to different workspaces by defining a workspace and its corresponding Entra value.


Follow these steps:


  • Click Add configuration.

  • Select the workspace.

  • Define the corresponding Entra value.


Note!
The Entra value must exactly match the value defined in the Entra ID attribute mapping (see Step 5).



Step 3: Add Systam as a Non-Gallery Application

Since Systam is a custom integration, you must add it as a non-gallery application.
  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity > Applications > Enterprise applications > New application.
  3. Select Create your own application.
  4. Enter a name for your application (e.g., "Systam").
  5. Select Integrate any other application you don't find in the gallery (Non-gallery).
  6. Click Create.


Step 4: Define who is in scope for provisioning

The Microsoft Entra provisioning service allows you to scope who is provisioned based on assignment to the application or based on attributes of the user or group. If you choose to scope who is provisioned to your app based on assignment, keep the following in mind when assigning users and groups to the application:
  • Start small. Test with a small set of users and groups before rolling out to everyone.
  • When the scope for provisioning is set to assigned users and groups, you control who is provisioned by assigning users or groups to the app; begin with one or two.


Step 5: Configure automatic user provisioning to Systam

This section guides you through the steps to configure the Microsoft Entra provisioning service to create, update, and remove users in Systam.


Part A: Admin Credentials

  1. In the Systam application in Entra ID, select the Provisioning tab.
  2. Under "Manage", select Provisioning and set the Provisioning Mode to Automatic.
  3. Under the Admin Credentials section, input the values from Systam Studio:
    • Tenant URL: Enter the Tenant URL copied from Systam Studio.
    • Secret Token: Enter the Secret Token copied from Systam Studio (this is the bearer token Systam issued).
  4. Select Test Connection to ensure Microsoft Entra ID can connect to Systam. If the connection fails, ensure your token is valid and try again.
  5. Continue to Part B.


Part B: Configure Custom Attributes (Crucial)

Systam requires the custom attribute urn:ietf:params:scim:schemas:extension:systam:2.0:User:primaryWorkspace to be sent during user creation. You must add this attribute to the schema before mapping it.
  1. Within the same page, open Mappings.
  2. Under Mappings, select Provision Microsoft Entra ID Users.
  3. Scroll to the bottom of the page and check Show advanced options.
  4. Click Edit attribute list for Systam.
  5. At the bottom of the attribute list, enter the following new attribute:
    • Name: urn:ietf:params:scim:schemas:extension:systam:2.0:User:primaryWorkspace
    • Type: String
  6. Click Save.


Part C: Attribute Mappings

Systam uses a focused set of user attributes from Microsoft Entra ID for provisioning.
The attribute mappings are configured on the Provisioning tab of the Systam Visit enterprise application.

Identity and status

  • userName
    • Unique identifier for the user in Systam.
    • Taken from the source attribute you configure in the userName mapping (typically the user’s sign-in name, such as UPN or email address).
  • active
    • Indicates whether the user account should exist in Systam.
    • The value is determined by the expression you configure in the active mapping.


Contact details

Systam uses contact details from Microsoft Entra ID only when the type is set to "work" or "other". Any other types used in the mappings are rejected and cause provisioning to fail for those users.
  • Email addresses
    • The value mapped as the "work" email attribute (for example mail) is used as the user’s primary email address in Systam.
    • A "work" email address is required. If a user does not have a "work" email, provisioning for that user will fail.
  • Phone numbers
    • If you choose to map phone numbers, the value mapped as the "work" phone attribute (for example mobile) is used as the user’s primary phone number in Systam.
    • A "work" phone number is required if any phone numbers are mapped.
      • If you do not want to manage phone numbers in Systam, leave phone numbers unmapped.
      • If you do map phone numbers, make sure every in-scope user has a "work" phone number, or provisioning for those users will fail.

In practice:
  • The "work" email address is always the main email used for the user in Systam.
  • When phone numbers are mapped, the "work" phone number is the main number used for the user in Systam.


Part D: Custom Attribute mapping

Systam requires the custom attribute urn:ietf:params:scim:schemas:extension:systam:2.0:User:primaryWorkspace, which defines the user’s primary workspace.
  • The value mapped to primaryWorkspace is used as the user’s main workspace in Systam.
  • primaryWorkspace is required. If this attribute is not provided for a user, provisioning for that user will fail.
  • The value must match one of the workspace identifiers (Entra values) configured in Systam. If the value does not match any existing workspace, provisioning for that user will fail.
  • If the primaryWorkspace value changes in Microsoft Entra ID, the change is applied to the user in Systam on the next provisioning cycle.
  1. Back in the Attribute Mapping blade, review the default mappings.
  2. Add the Workspace Mapping:
    • Scroll to the bottom of the mapping list and click Add New Mapping.
    • Source attribute: Select the Entra ID attribute that determines the employee’s primary physical location (for example department, or an extension attribute).
    • Target attribute: Select the custom attribute you added in Part B: urn:ietf:params:scim:schemas:extension:systam:2.0:User:primaryWorkspace.
    • Click OK.
  3. Select Save to commit the changes.



The following table shows an example of a possible mapping configuration:

Systam attribute                     | Microsoft Entra ID attribute (examples)                     | Required
-------------------------------------|-------------------------------------------------------------|---------
userName                             | userPrincipalName                                           | Yes
active                               | Switch([IsSoftDeleted], , "False", "True", "True", "False") | Yes
name.givenName                       | givenName                                                   | Yes
name.familyName                      | surname                                                     | Yes
emails[type eq "work"].value         | Coalesce(mail, userPrincipalName)                           | Yes (the user must have at least one email address mapped)
emails[type eq "other"].value        | first([otherMails])                                         | No
phoneNumbers[type eq "work"].value   | mobile                                                      | No
phoneNumbers[type eq "other"].value  | telephoneNumber                                             | No
preferredLanguage                    | preferredLanguage                                           | No
urn:ietf:params:scim:schemas:extension:systam:2.0:User:primaryWorkspace | department | Yes
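The following is an added example, not Systam's or Microsoft's code, that checks a SCIM user payload (shaped by the mappings in Parts C and D and the table above) against the rules this page documents: only "work" or "other" contact types, a required "work" email, a "work" phone whenever phones are mapped, a primaryWorkspace that matches a configured workspace, protected Organization Owners, and no soft delete. The workspace names, email sets and sample payloads are constructed.

```python
# Added example, not Systam's or Microsoft's code: checks a SCIM user payload (as Entra ID
# sends it after the mappings above) against the Systam rules this page documents.
# Workspace names, owner/existing e-mail sets and the sample payloads are constructed.
SYSTAM_EXT = "urn:ietf:params:scim:schemas:extension:systam:2.0:User"
ALLOWED_TYPES = {"work", "other"}  # any other contact type is rejected

def _work_value(entries):
    """Value of the 'work' entry of an emails/phoneNumbers list, or None."""
    return next((e.get("value") for e in entries if e.get("type") == "work" and e.get("value")), None)

def validate_scim_user(user, workspaces):
    """Return the reasons provisioning would fail; an empty list means it would succeed."""
    problems = []
    if not user.get("userName"):
        problems.append("userName is required")
    emails, phones = user.get("emails", []), user.get("phoneNumbers", [])
    for label, entries in (("emails", emails), ("phoneNumbers", phones)):
        if any(e.get("type") not in ALLOWED_TYPES for e in entries):
            problems.append(f"{label}: only type 'work' or 'other' is accepted")
    if _work_value(emails) is None:
        problems.append("a 'work' email address is required")
    if phones and _work_value(phones) is None:
        problems.append("a 'work' phone number is required when phone numbers are mapped")
    workspace = user.get(SYSTAM_EXT, {}).get("primaryWorkspace")
    if not workspace:
        problems.append("primaryWorkspace is required")
    elif workspace not in workspaces:
        problems.append(f"primaryWorkspace {workspace!r} matches no configured workspace")
    return problems

def provisioning_action(user, existing_emails, owner_emails):
    """What Systam does with a valid payload: owners are protected, there is no soft delete."""
    email = _work_value(user.get("emails", []))
    if email in owner_emails:
        return "error"        # Organization Owners cannot be updated or deleted via SCIM
    if user.get("active") is False:
        return "hard-delete"  # disabled or out of scope: the account is permanently removed
    return "update" if email in existing_emails else "create"  # matching is by email

# Constructed sample data
WORKSPACES = {"Helsinki HQ", "Tampere"}
OK_USER = {"userName": "alice@example.com", "active": True,
           "emails": [{"type": "work", "value": "alice@example.com"}],
           "phoneNumbers": [{"type": "work", "value": "+358400000000"}],
           SYSTAM_EXT: {"primaryWorkspace": "Helsinki HQ"}}
BAD_USER = {"userName": "bob@example.com", "active": True,
            "emails": [{"type": "home", "value": "bob@example.org"}],
            "phoneNumbers": [{"type": "other", "value": "+358400000001"}],
            SYSTAM_EXT: {"primaryWorkspace": "Oulu"}}
```

Running validate_scim_user on BAD_USER reports all four failures at once, which is the same set of reasons you would otherwise piece together from individual provisioning log entries.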



Step 6: Test and start provisioning

  1. Test with on-demand provisioning
    • Select Provision on demand, choose a test user that is in scope, and run the operation.
  2. Enable automatic provisioning
    • Set Provisioning status to On and choose the desired scope for provisioning.
  3. Monitor provisioning
    • Use the provisioning logs to determine which users have been provisioned successfully.
    • Check the progress bar to see the status of the provisioning cycle.

