Before you start
Ensure your Auth0 tenant is connected to Azure AD using the Microsoft Azure AD connection type.This integration will require two applications to be registered in Azure AD: the OpenID Connect integration and the SCIM integration. To streamline this setup process for your customers, consider publishing your app in the Azure Active Directory app gallery.
Configure SCIM settings in Auth0
- In your Auth0 Dashboard, go to Authentication > Enterprise > Microsoft Azure AD > [your-connection] > Settings.
- Ensure that User ID Attribute Type is set to Pairwise Subject Identifier (sub) and the Use Common Endpoint toggle is Disabled.
- Select the Provisioning taband enable both Sync user profile attributes at each login and Sync user profiles using SCIM.
- On the Mapping tab, ensure the SCIM attribute containing the User ID setting is set to externalId.
- Review the Additional Mappings to ensure the extended SCIM attributes are mapped to your preferred Auth0 attributes. See attribute mapping for details.
Retrieve SCIM endpoint URL and token
This section uses the , but you can also complete these steps with the . See the Deployment Guidelines section for best practices.- In the Auth0 dashboard, navigate to the SCIM Setup tab and copy the SCIM Endpoint URL. Make note of this URL as you will need to provide it in a future step.
- Generate SCIM token by clicking Generate New Token and set an expiration date for the token if desired.
- Select the following scopes: get:users,patch:users, anddelete:users.
Configure SCIM in Azure AD for OIDC Apps
- Confirm that an OpenID Connect application has already been registered for your app in the Microsoft Entra ID > App registrations section of the Azure portal.
- Next, register a new Non-gallery application in the Azure portal by browsing to Microsoft Entra ID > Enterprise applications > New application > Create your own application, entering an application name, and selecting Create.
- Go to the Users and Groups tab and assign the Azure AD users and groups who currently have access.
- Select the Provisioning tab, select Get started, and choose Automatic as the Provisioning Mode.
- 
Select Admin Credentials, then enter the SCIM Endpoint URL value you saved earlier as the Tenant URL. At the end of the URL, add the ?aadOptscim062020query parameter to fix known Azure AD issues.
- Paste the token value into the Secret Token field and select Save.
- 
Go to Mappings and select Provision Azure Active Directory Users, then find Provision Azure Active Directory Users and deselect Create under Target Object Actions.
 
- 
Go to Attribute Mappings and edit the attributes of the line containing externalIdandmailNickname
- On the Edit Attribute screen, change Source attribute to objectId, then choose OK.
- 
Return to Attribute Mappings and select the line containing emails[type eq "work"].valueandmail
- 
On the Edit Attribute screen, change Match objects using this attribute to Yes, thenset Matching precedence to 2 and choose OK.
 
- 
Choose Save to save the attribute mappings. The following view appears:
 
- Select X in the upper-right corner to return to the Provisioning screen.
Testing
- On the Enterprise application overview screen, select Manage > Provisioning and then Provision on Demand to test the SCIM connection.
- Go to Select a user or group and type the name of a user that you assigned to the application, then select the user and choose Provision. If the user is not present in the Auth0 tenant, you receive an error. If the user is present in the Auth0 tenant, a message confirms that the user has been updated.
- Turn on provisioning by following Microsoft’s instructions to set the Provisioning Status to On.