What is SCIM?

System for Cross-domain Identity Management (SCIM) is a standard for automatically provisioning users and groups from Azure AD or Okta Universal Directory into another SaaS application (e.g. Salesforce, Concur…).

SSO and User Provisioning in Azure AD

Every time a new user is added to an Azure AD group (which, recall, is associated with individual Enterprise Apps that the group has access to), that user most likely needs to be provisioned in the corresponding SaaS application’s user directory as well.

Azure AD has a Provisioning Feature that allows you to configure the attributes etc. required to

Azure AD and SCIM?

A prominent use case is auto-provisioning of users from AD to AAD (also see AAD Connect versus AAD Sync).

Real Time Provisioning or Batch (Intermittent) Provisioning?

There is no real-time user provisioning in AAD User Provisioning. It is all based on incremental batches.

DeProvisioning Users – User Hard Delete versus Soft Delete

Depending on the SaaS app’s SCIM endpoint implementation, the deprovisioning may involve a HARD delete or a SOFT delete (disabling of user only).
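
An added example (not from the original post or any vendor's code) of how a SaaS app's SCIM endpoint can tell the two apart: under the SCIM protocol (RFC 7644) a hard delete arrives as `DELETE /Users/{id}`, while a soft delete arrives as a `PATCH` that sets `active` to false. The in-memory store, function names and sample request body are constructed for illustration.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Constructed sample: a soft-delete PATCH body (note the string-typed boolean).
SAMPLE_SOFT_DELETE = json.dumps({
    "schemas": [PATCH_SCHEMA],
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}],
})

def _as_bool(value):
    # Assumption: some clients send "False"/"True" as strings; accept both forms.
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)

def handle_deprovision(store, method, path, body=None):
    """Apply one SCIM request to store (dict: id -> user); return (status, outcome)."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "Users":
        return 400, "bad-request"
    user_id = parts[1]
    if user_id not in store:
        return 404, "not-found"
    if method == "DELETE":              # hard delete: the record is gone
        del store[user_id]
        return 204, "hard-delete"
    if method != "PATCH":
        return 405, "method-not-allowed"
    doc = json.loads(body or "{}")
    if PATCH_SCHEMA not in doc.get("schemas", []):
        return 400, "bad-request"
    outcome = "no-change"
    for op in doc.get("Operations", []):
        if str(op.get("op", "")).lower() != "replace":
            continue
        value, target = op.get("value"), op.get("path")
        if target is None and isinstance(value, dict) and "active" in value:
            value, target = value["active"], "active"   # path-less form
        if target == "active":
            store[user_id]["active"] = _as_bool(value)
            outcome = "reactivated" if store[user_id]["active"] else "soft-delete"
    return 200, outcome

def can_sign_in(store, user_id):
    # A soft-deleted user still exists, so the app must check `active` at login.
    return user_id in store and bool(store[user_id].get("active"))
```

With a soft delete the account record and its data remain in the app, so access is only revoked if every login and token path honours the `active` flag.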



