Skip to main content

Configure SCIM provisioning in Entra

This procedure explains how to configure system for cross-domain identity management (SCIM) provisioning between Entra and DigiCert​​®​​ account.

SCIM provisioning allows Entra to automatically create, update, and deactivate users and groups in DigiCert​​®​​ account. User access is managed through Entra groups and synced using the SCIM protocol.

SCIM provisioning and single sign-on (SSO) are configured using separate Entra applications. If you’re also using SSO, you must configure the SSO and SCIM applications independently.

Before you begin

To finish this setup, you need administrative access in both DigiCert and Microsoft Entra:

  • Account admin user group required in DigiCert account.

    How do I check my user group?

  • Application Administrator or equivalent role required in Entra.

Step 1: Enable SCIM provisioning in DigiCert® account

Before configuring Entra, you must enable SCIM provisioning in DigiCert® account and generate the connection details required by Entra.

  1. In DigiCert​​®​​ account, select Accounts () > Identity and access.

  2. In the User lifecycle section, select Automated user provisioning with SCIM.

  3. In the Enable users and group sync section, switch to enable SCIM provisioning.

  4. Under SCIM base URL, select Copy.

  5. Select Generate token.

    1. Select how long the token should remain valid.

    2. Select Generate token.

    3. Under Token, select Copy.

    4. Select Done.

Tip

Keep the SCIM base URL and token available. You use them when configuring SCIM in Entra.

Step 2: Create and configure a SCIM application in Entra

Your SSO application in Entra can’t be used to configure SCIM, you must create a separate application for SCIM:

  1. Sign in to the Microsoft Entra admin center.

  2. In the left pane, select Microsoft Entra ID.

  3. In the left pane of Microsoft Entra ID, select Manage > Enterprise apps.

  4. Select + New application.

  5. Select Create your own application.

  6. In the What's the name of your app? field, enter an app name that specifies SCIM. Example: Example, Inc (SCIM)

  7. Select Create.

Step 3: Enable provisioning actions

When the SCIM application for DigiCert​​®​​ account is saved, enable the following provisioning actions to allow Entra to manage the full user lifecycle in DigiCert​​®​​ account.

  1. In the left pane of the SCIM app you created, select the Provisioning tab.

  2. Select + New configuration.

  3. In the Select authentication method field, select Bearer authentication.

  4. Finish the following fields:

    1. Tenant URL

      Enter the SCIM base URL copied from DigiCert® account in Step 1.4.

    2. Secret token

      Enter the token generated in DigiCert® account in Step 1.5.c.

  5. Select Test connection.

    Expected message: Connection test for 'app name' was successful.

  6. Select Create.

Step 4 : Assign groups to the SCIM application

User access in DigiCert® account is managed using Entra groups.

  1. In the left pane of the SCIM app you created, select the Users and groups tab.

  2. Select +Add user/group.

  3. Select the Users and groups tab.

  4. Select checkbox next to the groups you want to provision.

  5. Select Select.

  6. Verify that you’ve selected the correct groups.

  7. Select Assign.

Tip

If SSO is enabled for DigiCert® account, assign the same user groups to both the SSO application and the SCIM application in Entra for consistency.

Step 5: Start provisioning

To start provisioning:

  1. In the left pane of the SCIM app you created, select Overview (Preview).

  2. Select Start provisioning.

  3. In the confirmation pop-up, select Yes.

    Note

    Changes made in Microsoft Entra ID may take up to 40 minutes to appear in your DigiCert account.

Step 6: Verify provisioning in DigiCert® account

After 40 minutes, users and groups you’ve assigned in step 4 should also show in your DigiCert account.

  1. In DigiCert​​®​​ account, select Access ().

  2. Select Users to view a consolidated list of all your users, this includes manually created users and users provisioned through SCIM.

  3. Select Groups to view a consolidated list of groups:

    1. The Managed by column displays DigiCert for default DigiCert groups.

    2. The Managed by column displays Identity provider for groups provided by your IdP.

Step 7: Assign roles to groups in DigiCert® account

Users in the IdP group are assigned the roles that you define in DigiCert account.

Caution

If a user was manually assigned user roles before SCIM, to prevent breaking existing workflows, these roles remain, in addition to the roles assigned to the SCIM group. To solely rely on SCIM groups for user role management, manually remove user roles.

  1. In DigiCert​​®​​ account, select Access ().

  2. Select Groups to assign user roles:

  3. Select the name of a SCIM group.

    The Managed by column shows Identity provider for groups provided by your IdP.

  4. Select Group access.

  5. Select Update group access.

  6. In the Services field, select the checkbox next to all the DigiCert Service this user group should have access to.

  7. In the User roles section of each service, select the check box of the user roles that this user group should have.

  8. Select Assign access.

Review Entra logs

To see activities that Entra did, and information was requested and sent to your DigiCert account:

In the left pane of the SCIM app you created, select the Provisioning logs tab.

In this section: