Configure provisioning

This guide walks you through configuring automatic user and group provisioning from Azure Entra ID to nullplatform using SCIM 2.0.

Prerequisites

• Azure tenant admin access: Global Administrator or Application Administrator role
• API key: a nullplatform API key for Bearer token authentication
• Network connectivity: Azure Entra ID must be able to reach https://api.nullplatform.com

Steps

Step 1: Add a new enterprise application

1. Sign in to the Azure portal as a Global Administrator or Application Administrator.
2. Navigate to Enterprise applications.
3. Click New application.
4. Search for SCIM or select Create your own application.
5. Choose Integrate any other application you don't find in the gallery.
6. Name the application (e.g., "nullplatform SCIM") and click Create.

Step 2: Configure SCIM connectivity

1. In the new application, go to Provisioning in the left sidebar.
2. Click Get started.
3. Set Provisioning Mode to Automatic.
4. Under Admin Credentials, configure:
   • Tenant URL: https://api.nullplatform.com/scim/v2
   • Secret Token: your API secret key (Bearer token)

Step 3: Test the connection

1. Click Test Connection.
2. Azure Entra ID will attempt to reach the SCIM ServiceProviderConfig endpoint.
3. If successful, you'll see a green checkmark.

If the test fails:

• Verify the Tenant URL is correct and includes /scim/v2.
• Confirm the Secret Token is valid.
• Ensure https://api.nullplatform.com is reachable from Azure.
• Check firewall rules and network access.

Step 4: Configure attribute mappings

Attribute mappings define how Azure Entra ID user attributes map to SCIM user attributes.

1. In Provisioning, click Edit attribute mappings.
2. Review the default mappings. Common mappings include:

Azure Entra ID Attribute	SCIM Attribute	Required
mail	userName	Yes
displayName	displayName	No
givenName	name.givenName	No
surname	name.familyName	No
userPrincipalName	externalId	No
accountEnabled	active	No

3. Customize mappings as needed for your use case.
4. Click Save.

Example mapping for email-based provisioning:

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "john.doe@example.com",
  "displayName": "John Doe",
  "name": {
    "givenName": "John",
    "familyName": "Doe"
  },
  "emails": [
    {
      "value": "john.doe@example.com",
      "primary": true
    }
  ],
  "active": true
}

Step 5: Enable group provisioning (optional)

If you want group membership from Azure Entra ID to drive role assignments in nullplatform:

1. In Provisioning, scroll to Mappings.
2. Click Provision Azure Active Directory Groups to enable group sync.
3. Assign the relevant groups to the application.

Azure sends group membership information via SCIM. The actual mapping from groups to nullplatform roles is configured server-side in nullplatform. See Group membership and role mapping for details.

info

Ensure group-to-role mappings are configured in nullplatform before enabling provisioning so that role assignments take effect from the first sync.

Step 6: Enable provisioning

1. Back in Provisioning, set Provisioning Status to On.
2. Click Save.

Azure Entra ID will immediately begin provisioning users and groups to nullplatform.

Next steps

• Monitor provisioning activity
• Troubleshooting