Configure SCIM in Microsoft Entra ID

After creating your integration in the NetFoundry console, follow these steps to configure Microsoft Entra to act as the SCIM client.

Part 1: Create the application

1. Sign in to the Microsoft Entra admin center.
2. Navigate to Identity > Applications > Enterprise applications.
3. Click New application.
4. Click Create your own application.
5. Provide a name for the app (e.g., "NetFoundry SCIM") and select Integrate any other application you don't find in the gallery (Non-gallery).
6. Click Create.

Part 2: Set up provisioning

1. From the application overview, click Provisioning in the left menu.

2. Click Get started.

3. Set the Provisioning Mode to Automatic.

4. Under Admin Credentials, enter your Tenant URL.

   important

   The default behavior of the Entra SCIM system is not fully compliant with the SCIM 2.0 specification. You must enable SCIM 2.0 compliance by appending the feature flag ?aadOptscim062020 to the end of your integration URL.

5. Enter your secret token (the authentication token generated in NetFoundry).

6. Click Test Connection to verify the link.

7. Click Save.

Part 3: Assign users and groups

1. Navigate to Users and groups in the left menu.
2. Click Add user/group.
3. Select the specific identities or groups you want to sync to your NetFoundry network and click Assign.

Part 4: Enable the sync

1. Return to the Provisioning tab.
2. Click Edit provisioning.
3. Toggle the Provisioning Status to On.
4. Click Save.

Important notes for Entra

• Sync timing: Changes to users and groups are typically synced every 40 minutes by Entra.
• Deactivation behavior: When a user is removed from the Entra application scope, Entra sends a disable command rather than a delete command. This results in the NetFoundry identity being disabled but remaining in the console for audit purposes.
• On-demand sync: If you need to sync a user immediately, use the Provision on demand feature within the Provisioning menu to bypass the 40-minute cycle.