Questions? We have answers.

Implement user provisioning from Azure Active Directory using SCIM

  • Updated


Azure AD can automatically create users in your MindBridge tenant using an outbound SCIM integration. SCIM is a protocol for automatically creating, disabling, and deleting users.


First, go through the steps in Implement Single Sign-On (SSO), including the section on implementing additional security restrictions. In particular, all your users should be able to sign in using the Microsoft button.

All users should have an email address associated with their Azure AD account.

You should set up a security group in Azure AD for regular MindBridge users, and a second one for MindBridge app admins. Populate the groups with a few users for testing. Each MindBridge user should only be in one of these groups.

  • Nested groups are not supported by Azure AD provisioning; all users must be direct members of one of these groups.
  • Dynamic groups are supported. 

Contact your CSM to have API access enabled for your MindBridge tenant.

Review the Microsoft guidance on application provisioning for background information.

Creating an API token for SCIM

  1. Sign into your MindBridge tenant as an app admin.
  2. In the sidebar ( Sidebar_open-close_icon.svg ) on the left, select Admin ( Admin_icon.svg ) then go to the API tab.
  3. Select Create token.mceclip7.png

  4. Give the token a name, like SCIM 2023-06-30.
  5. Select an expiration date.
  6. Under Permissions, select SCIM.mceclip8.png

  7. Select Create token, and copy the token to your password manager. You'll need it in the next step.
Tip: We recommend you create a group calendar reminder to renew the token. You can include a link to this article in the event description.

Creating an enterprise application for provisioning

  1. In Azure AD, go to Enterprise applications > Add > Enterprise application.
  2. Choose the option to Create your own application. mceclip4.png

  3. Enter a name like "MindBridge provisioning" and choose the non-gallery integration option.
  4. Click Create.
  5. After it’s created, under Manage (on the left), go to Provisioning and select Get started.mceclip6.png

  6. Change the provisioning mode to Automatic.
  7. Set the Tenant URL to the URL of your MindBridge tenant, plus /scim/v2.
    For example, if your tenant URL is, use
  8. Set the Secret Token to the token you generated in the previous step.mceclip9.png
  9. Select Test Connection.

  10. Save.
    Two new sections for Mappings and Settings will appear on the same screen.

Disabling group provisioning

  1. Expand Mappings.mceclip11.png

  2. Disable the option to Provision Azure Active Directory Groups by selecting it and changing the Enabled toggle to No.
  3. Save the attribute mapping.mceclip14.png

  4. Click the close button to return to the provisioning edit screen.
    The mappings should show as follows:mceclip15.png

Configuring user provisioning

  1. Edit the settings for "Provision Azure Active Directory Users" to delete the displayName attribute mapping. It is not used by MindBridge.mceclip17.png

  2. At the bottom of the screen, select the checkbox to Show advanced options.
  3. Click the Edit attribute list for customappsso link.mceclip18.png

  4. At the bottom of the page, use the input field to add a new attribute.
    • Name: roles
    • Type: String
  5. Leave all checkboxes unchecked.mceclip0.png

  6. Save, and you will return to the main attribute mapping page for "Provision Azure Active Directory Users."
  7. Click the Add New Mapping link.
    • Mapping type: Expression
    • Expression: SingleAppRoleAssignment([appRoleAssignments])
    • Default value if null: leave blank
    • Target attribute: roles
    • Match objects using this attribute: No (default)
    • Apply this mapping: Always (default)
  8. Click Ok to save and close the attribute mapping.
  9. Save, then click the close button to return to the provisioning edit screen. 

Finalizing provisioning settings

  1. Under Settings, select first the checkbox to enable email notifications for failures, then supply an email address.
  2. Select the second checkbox to enable prevention of accidental deletion with a suitable threshold (for example, 10 users).
    If the provisioning system believes it needs to delete more than 10 users at once, it will go into a quarantine status for approval first.
  3. Leave the Scope field on the default setting, to sync only assigned users and groups.
  4. Leave the Provisioning Status toggle Off for now.
  5. Save and close.


Hiding the provisioning application from users

The provisioning application is not used for SSO and should not appear in the O365 app launcher. In the enterprise application, go to Properties and change the Visible to users toggle to No, then save.


Defining roles

Role definitions are set up under App registrations, not Enterprise applications. To set up the roles, go to Azure AD > App registrations > All applications, and search for the MindBridge provisioning app.


Inside the app registration, go to App roles, Create app role.

  • Display name: ADMIN
  • Allowed member types: Users/Groups
  • Value: ADMIN
  • Description: MindBridge App Admins
  • Enable role: Checked (default)

Repeat to add another role:

  • Allowed member types: Users/Groups
  • Description: MindBridge users with permission to create new organizations.
  • Enable role: Checked (default)

Repeat for a third role:

  • Display name: USER
  • Allowed member types: Users/Groups
  • Value: USER
  • Description: MindBridge users who cannot create new organizations.
  • Enable role: Checked (default)


Assigning groups to the provisioning application

  1. Return to the enterprise application. In Azure AD, go to Enterprise applications and search for the MindBridge provisioning app.
  2. In the enterprise application, go to Users and Groups > Add user/group.
  3. Select your MindBridge app admins group.
  4. For role, select ADMIN, then Assign.
  5. Add another assignment.
  6. Select your MindBridge users group.
  7. For role, select one of the following options (all uppercase):
    • ORGANIZATION_CREATOR, if all users should be able to create new organizations (recommended);
    • USER, if users should not be able to create new organizations.mceclip26.png
  8. Review your assignments.mceclip27.png


Before proceeding, confirm that you have:

  • Created groups for MindBridge app admins and regular users. The group memberships must be mutually exclusive (each user can only be in one of them). The groups cannot have nested groups.
  • Created an enterprise application.
  • Tested the connection with "Test Connection".
  • Disabled "Provision Azure Active Directory Groups".
  • Configured "Provision Azure Active Directory Users":
    • Deleted the displayName attribute mapping.
    • Added an attribute for "roles".
    • Added an attribute mapping for "roles".
  • Created app roles in the app registration.
  • Assigned groups to the enterprise application.
  • Made the application invisible under Properties.

Enabling provisioning

  1. Go to Provisioning > Edit provisioning.
  2. Change the provisioning status to On, then save.mceclip28.png
  3. Close to return to the main provisioning page.
  4. Wait a few seconds, then click Refresh.
    A successful provisioning cycle should have run.

  5. Use the option to view provisioning logs to investigate any failures.
  6. Check the user roles in MindBridge (open the sidebar, click Admin ( Admin_icon.svg ), then go to the User Management tab to ensure the correct roles have been assigned.

Continuing group population

Populate your MindBridge user and app admin groups with the remaining users. Ensure each user is only in one of these groups.

The provisioning cycle runs periodically at the interval displayed on the Provisioning page. Check the logs after the next cycle to confirm your users have been provisioned.

Anything else on your mind? Chat with us or submit a request for further assistance.

Was this article helpful?