Skip to content
Logo probo
Get compliant
About The people and vision powering Probo Blog The latest news from Probo Stories Hear from our customers Changelog Latest product updates Docs Documentation for Probo GitHub Explore our open-source compliance tools

Microsoft 365 (Entra ID) SCIM

This guide walks you through setting up direct SCIM provisioning from Microsoft Entra ID (formerly Azure Active Directory) to automatically synchronize users into Probo.

Prerequisites

Section titled “Prerequisites”
  • Microsoft Entra ID administrator access (Global Administrator or Application Administrator)
  • Probo organization administrator access
  • A Microsoft 365 subscription with Entra ID P1 or higher (required for automatic provisioning)

How It Works

Section titled “How It Works”

Microsoft Entra ID pushes user changes to Probo’s SCIM 2.0 endpoint in real time. When you assign users or groups to the Probo enterprise application in Entra ID, it automatically:

  • Creates Probo accounts for newly assigned users
  • Updates user attributes when they change in Entra ID
  • Deactivates Probo accounts when users are unassigned or disabled
  • Deletes Probo accounts when users are permanently removed (if configured)

Mapped Attributes

Section titled “Mapped Attributes”

Core User attributes:

Entra ID FieldSCIM AttributeNotes
userPrincipalNameuserNameRequired, unique
displayNamedisplayName
givenNamename.givenName
surnamename.familyName
ImmutableIdname.formatted
honorificPrefixname.honorificPrefix
honorificSuffixname.honorificSuffix
mailNicknamenickName
accountEnabledactive
mailemails[type eq "work"].valueMulti-valued
telephoneNumberphoneNumbers[type eq "work"].valueMulti-valued
streetAddress, city, state, postalCode, countryaddressesMulti-valued, with streetAddress, locality, region, postalCode, country sub-attributes
jobTitletitle
userTypeuserType
preferredLanguagepreferredLanguage
usageLocationlocale
preferredDataLocationtimezone
mysiteUrlprofileUrl

Enterprise User Extension attributes:

Entra ID FieldSCIM Attribute
employeeIdenterprise:employeeNumber
companyNameenterprise:organization
departmententerprise:department
divisionenterprise:division
costCenterenterprise:costCenter
managerenterprise:manager.value

Step 1: Generate SCIM Credentials in Probo

Section titled “Step 1: Generate SCIM Credentials in Probo”

  1. Log in to Probo as an organization administrator

  2. Go to Organization Settings > Authentication > Auto-Provisioning

  3. Click Add Connector and select SCIM

  4. Copy the SCIM Endpoint URL and Bearer Token

Step 2: Create an Enterprise Application in Entra ID

Section titled “Step 2: Create an Enterprise Application in Entra ID”

  1. Sign in to the Microsoft Entra admin center

  2. Go to Identity > Applications > Enterprise applications

  3. Click + New application > Create your own application

  4. Enter the following:

    FieldValue
    NameProbo
    What are you looking to do?Integrate any other application you don't find in the gallery (Non-gallery)

  5. Click Create

Step 3: Configure Provisioning

Section titled “Step 3: Configure Provisioning”

  1. In the Probo enterprise application, go to Provisioning in the left sidebar

  2. Click Get started

  3. Set Provisioning Mode to Automatic

  4. Under Admin Credentials, enter:

    FieldValue
    Tenant URLYour Probo SCIM endpoint URL (e.g. https://your-probo-domain.com/api/connect/v1/scim/2.0)
    Secret TokenThe bearer token from Step 1

  5. Click Test Connection to verify Entra ID can reach the Probo SCIM endpoint

  6. Click Save

Step 4: Configure Attribute Mappings

Section titled “Step 4: Configure Attribute Mappings”

The default attribute mappings work for most setups. To review or customize them:

  1. In the Provisioning page, expand Mappings
  2. Click Provision Microsoft Entra ID Users
  3. Review the attribute mappings — the defaults map to Probo’s supported SCIM attributes
  4. Adjust mappings if needed (e.g. map employeeId to urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber)
  5. Click Save

Step 5: Assign Users and Groups

Section titled “Step 5: Assign Users and Groups”
  1. In the Probo enterprise application, go to Users and groups
  2. Click + Add user/group
  3. Select the users or groups you want to provision into Probo
  4. Click Assign

Only assigned users (or members of assigned groups) will be provisioned. This gives you fine-grained control over who gets a Probo account.

Step 6: Start Provisioning

Section titled “Step 6: Start Provisioning”
  1. Go back to Provisioning
  2. Set Provisioning Status to On
  3. Click Save
  4. Entra ID will start an initial provisioning cycle — this may take a few minutes depending on the number of users

After the initial cycle, Entra ID runs incremental sync approximately every 40 minutes to push any changes.

Step 7: Verify Provisioning

Section titled “Step 7: Verify Provisioning”
  1. In Entra ID, go to Provisioning > Provisioning logs to see the sync activity
  2. In Probo, go to Organization Settings > Members to verify users have been provisioned
  3. Check Organization Settings > Authentication > Auto-Provisioning > Event Log for detailed SCIM events

Troubleshooting

Section titled “Troubleshooting”

Test Connection Fails

Section titled “Test Connection Fails”
  • Cause: The SCIM endpoint URL or bearer token is incorrect, or a firewall is blocking the connection
  • Solution: Verify the endpoint URL includes the full path (ending in /scim/2.0). Re-generate the bearer token in Probo if needed. Ensure your network allows outbound HTTPS from Entra ID to your Probo instance.

Users Not Being Provisioned

Section titled “Users Not Being Provisioned”
  • Cause: Users or groups are not assigned to the enterprise application, or provisioning is not turned on
  • Solution: Check that the users are assigned under Users and groups and that Provisioning Status is set to On

Provisioning Errors in Logs

Section titled “Provisioning Errors in Logs”
  • Cause: Attribute mapping conflicts or missing required attributes
  • Solution: Check the Provisioning logs in Entra ID for specific error messages. Ensure userName is mapped to a unique, non-empty value (typically userPrincipalName or mail)

Users Not Deactivated After Removal

Section titled “Users Not Deactivated After Removal”
  • Cause: Entra ID may still be processing the change, or the user was soft-deleted
  • Solution: Check the provisioning logs for the deprovisioning event. Entra ID processes changes during the next sync cycle (approximately every 40 minutes). For immediate effect, trigger a manual sync by clicking Restart provisioning in the Provisioning page.

Duplicate Users

Section titled “Duplicate Users”
  • Cause: The userName in Entra ID doesn’t match an existing Probo user’s email
  • Solution: Ensure the attribute mapped to userName matches the email format used in Probo. You may need to adjust the mapping to use mail instead of userPrincipalName.

Combining with SSO

Section titled “Combining with SSO”

For the best experience, combine SCIM provisioning with SAML SSO:

  1. SCIM provisioning handles user lifecycle — creating and deactivating accounts automatically
  2. SAML SSO handles authentication — users sign in with their Microsoft credentials

This means users get automatic Probo accounts when they join your organization and lose access when they leave, with no manual account management needed.

SCIM Overview Learn more about SCIM features and direct provisioning
SSO Overview Set up SAML SSO alongside SCIM provisioning