Connect MS Entra ID with SCIM

Introduction

Unique FinanceGPT provides SCIM-compliant endpoints so that an identity provider (IDP) can be connected via the SCIM protocol. SCIM defines a standard for managing users and groups across multiple applications, so an IDP can sync its users and groups with any application that supports this protocol.
The SCIM integration has been tested thoroughly with Microsoft Entra ID. This documentation guides you through the setup process for Microsoft Entra ID.

Setup

This setup guide leads you through the process of connecting a Microsoft Entra ID enterprise application with Unique FinanceGPT.

The service user which until now synced the changes (events) from Zitadel with Unique FinanceGPT now requires more privileges (IAM Org Viewer & IAM User Manager). It must be able to create, modify and delete users in any organisation on Zitadel via the API (IAM User Manager), and it must be able to fetch information about organisations in order to assign roles and IDPs to newly created users (IAM Owner Viewer).

[MS Portal] Creating the SCIM Enterprise Application

These screenshots will guide you through the process of creating an Enterprise Application for SCIM.

  1. Microsoft Entra ID resource: open the Microsoft Entra ID resource
  2. Enterprise Applications: switch to “Enterprise applications”
  3. New Enterprise Application
  4. Own Application
  5. Name and Type
  6. Finished

[MS Portal] Adding Users/Groups to the Application

In this step you define which users or groups are getting synced with Unique FinanceGPT.

  1. Adding users/groups
  2. Selecting users/groups
  3. Assigned users/groups

[Unique API] Creating the SCIM key

To connect Microsoft Entra ID to Unique FinanceGPT an API key is required. A user with the “Chat.Admin.All” role can run the following curl. It creates a key that is authorised to access the SCIM endpoints of Unique FinanceGPT for the organisation the user belongs to.

curl --location 'https://gateway.<baseUrl>/scope-management/graphql' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: <your-access-token>' \
  --data '{"query":"mutation ScimKeyCreate {\n  scimKeyCreate {\n    id\n    key\n  }\n}","variables":{}}'

In the response you will find the key attribute. Store it in a safe place: you will not be able to retrieve it again, but you can create a new one and delete old ones. The key is used in the next step, “[MS Portal] Connecting the Provisioning”.
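The same scimKeyCreate call as a small script, added here as an example and not code from the Unique documentation. It keeps the path, mutation and Authorization header exactly as the curl above uses them, but adds two things a practitioner wants: it refuses to send the access token over plain http, and it checks the GraphQL errors array, because a missing “Chat.Admin.All” role comes back as HTTP 200 with an error body rather than a 4xx. The environment variable names and the sample responses are constructed for this example.

```python
# Added example (not code from the Unique documentation): the scimKeyCreate
# call the page shows as a curl, with https enforced and GraphQL 'errors'
# handled. Assumptions: the gateway URL and access token come from the
# hypothetical environment variables below; the Authorization header carries
# the token exactly as the page's curl does.
import json
import os
import sys
import urllib.request

GRAPHQL_PATH = "/scope-management/graphql"   # path from the page's curl
SCIM_KEY_MUTATION = "mutation ScimKeyCreate { scimKeyCreate { id key } }"

# Constructed sample responses (not captured from a real tenant).
SAMPLE_OK_RESPONSE = {
    "data": {"scimKeyCreate": {"id": "key_0001", "key": "sk_example_not_real"}}
}
SAMPLE_FORBIDDEN_RESPONSE = {
    "data": None,
    "errors": [{"message": "Forbidden resource", "path": ["scimKeyCreate"]}],
}


def build_request(gateway_base: str, access_token: str) -> urllib.request.Request:
    """Build the POST equivalent to the page's curl, refusing plain http so the
    access token is never sent in cleartext."""
    if not gateway_base.lower().startswith("https://"):
        raise ValueError("gateway URL must use https; refusing to send the token")
    body = json.dumps({"query": SCIM_KEY_MUTATION, "variables": {}}).encode()
    return urllib.request.Request(
        gateway_base.rstrip("/") + GRAPHQL_PATH,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": access_token},
    )


def extract_scim_key(response: dict) -> tuple:
    """Return (id, key) from a scimKeyCreate response.

    GraphQL reports authorisation failures inside the body, so 'errors' is
    checked before 'data' is trusted; an empty key means there is nothing to store."""
    if response.get("errors"):
        messages = "; ".join(e.get("message", "unknown error") for e in response["errors"])
        raise PermissionError(f"scimKeyCreate failed: {messages}")
    created = (response.get("data") or {}).get("scimKeyCreate") or {}
    key_id, key = created.get("id"), created.get("key")
    if not key_id or not key:
        raise ValueError("response contains no SCIM key")
    return key_id, key


def create_scim_key(gateway_base: str, access_token: str) -> tuple:
    """Send the mutation and return (id, key). The API shows the key only once,
    so the caller must store it immediately."""
    req = build_request(gateway_base, access_token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return extract_scim_key(json.load(resp))


if __name__ == "__main__":
    # Hypothetical environment variable names, used only by this example.
    base = os.environ.get("UNIQUE_GATEWAY_URL")
    token = os.environ.get("UNIQUE_ACCESS_TOKEN")
    if not base or not token:
        sys.exit("set UNIQUE_GATEWAY_URL and UNIQUE_ACCESS_TOKEN first")
    key_id, key = create_scim_key(base, token)
    print(f"SCIM key id: {key_id}")
    print("SCIM key (shown once, store it in your secret store now):", key)
```

Run it with the two environment variables set; the printed key is the value entered as the secret token in the provisioning configuration. The sample responses exist so the parsing can be exercised offline without touching a tenant.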


[MS Portal] Connecting the Provisioning

With the API key that grants access to the SCIM endpoints of Unique FinanceGPT (created in the previous step, “[Unique API] Creating the SCIM key”), Microsoft Entra ID can now be connected with Unique FinanceGPT.

  1. Switch to Provisioning
  2. Add Configuration
  3. Fill URL and Token: enter the <API-URL> as the tenant URL and the SCIM key created in the previous step as the secret token.
     The <API-URL> is the base API URL on which the Unique FinanceGPT backend services are available. Normally it looks like https://gateway.xxx.unique.app, but for customer-managed tenants in particular it can vary.
  4. Test and create
  5. Adjust the attribute mapping
  6. Modify externalId to ObjectId
  7. Start Provisioning
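What the externalId mapping in step 6 changes, shown as an added example that is not code from the Unique documentation or from Microsoft. It renders the SCIM User resource Entra ID would send for a constructed user with externalId taken either from objectId (what the step above tells you to set) or from mailNickname (assumed here to be the Entra default), then replays a user rename against a minimal in-memory SCIM store that matches on externalId. The Entra attribute names, the sample user and the store are constructed for this example; a real SCIM endpoint matches on whichever attribute has matching precedence in the mapping.

```python
# Added example (not code from the Unique documentation or from Microsoft):
# the SCIM User resource Entra ID provisioning sends once externalId is mapped
# to objectId, and the effect of that mapping on the receiving side.
# Assumptions: the Entra attribute names below, that the Entra default maps
# mailNickname to externalId, and that the receiving store matches on
# externalId. All values are constructed.
import uuid

# Constructed Entra ID user as the provisioning service sees it (values invented).
ENTRA_USER = {
    "objectId": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "userPrincipalName": "alice@example.com",
    "mailNickname": "alice",
    "givenName": "Alice",
    "surname": "Example",
    "accountEnabled": True,
}


def to_scim_user(entra_user: dict, external_id_source: str = "objectId") -> dict:
    """Render the SCIM 2.0 User resource Entra would POST for this user.

    external_id_source mirrors the mapping dropdown: "objectId" (what the page
    tells you to set) or "mailNickname" (assumed to be the Entra default)."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "externalId": entra_user[external_id_source],
        "userName": entra_user["userPrincipalName"],
        "name": {"givenName": entra_user["givenName"],
                 "familyName": entra_user["surname"]},
        "emails": [{"primary": True, "type": "work",
                    "value": entra_user["userPrincipalName"]}],
        "active": entra_user["accountEnabled"],
    }


def external_id_is_object_id(scim_user: dict) -> bool:
    """An Entra objectId is a GUID; a mailNickname is not. A SCIM endpoint can
    use this as a cheap sanity check that the mapping step was actually done."""
    try:
        uuid.UUID(str(scim_user.get("externalId", "")))
        return True
    except ValueError:
        return False


class ScimUserStore:
    """Minimal receiving side that matches users on externalId (an assumption
    of this example). upsert returns the action taken so the effect of the
    mapping is visible."""

    def __init__(self) -> None:
        self.users: dict = {}   # externalId -> SCIM user resource

    def upsert(self, scim_user: dict) -> str:
        ext = scim_user["externalId"]
        action = "updated" if ext in self.users else "created"
        self.users[ext] = scim_user
        return action


def simulate_rename(external_id_source: str) -> tuple:
    """Provision alice, then rename her (new UPN and mailNickname, same objectId)
    and provision again. With objectId the second sync updates the same user;
    with mailNickname the matching key itself changed, so a duplicate appears."""
    store = ScimUserStore()
    first = store.upsert(to_scim_user(ENTRA_USER, external_id_source))
    renamed = dict(ENTRA_USER, userPrincipalName="alice.smith@example.com",
                   mailNickname="alice.smith")
    second = store.upsert(to_scim_user(renamed, external_id_source))
    return first, second, len(store.users)


if __name__ == "__main__":
    print("objectId mapping:    ", simulate_rename("objectId"))      # ('created', 'updated', 1)
    print("mailNickname mapping:", simulate_rename("mailNickname"))  # ('created', 'created', 2)
```

The point of the replay is the failure mode: objectId never changes for the lifetime of an Entra object, while mailNickname can be edited, so an endpoint keyed on the default mapping ends up with two records for one person after a rename.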

Author

@Adrian Gugger

© 2024 Unique AG. All rights reserved.