Hi Artur Gulbicki,
In the workaround you mentioned, one registration needs to be via an App Registration for the OIDC authentication, and another should be a non-gallery Application via the Enterprise Applications blade for the SCIM provisioning. However, this should really only be done for internal use, and if you are building an app for use by other organizations, you need to get it listed in the Azure AD Gallery. Provisioning is only enabled when you go through enterprise applications to create the application. When you go into the gallery, there is an option to create a custom or non-gallery app. If you go through an app registration, this is correct for OIDC SSO, but provisioning won't be available.
If this is an application that is used for multiple applications, you need to follow the process to get it listed in the app gallery. That will light up the provisioning UI. https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/howto-app-gallery-listing
In the two-application scenario, the first one will be set up for OIDC-based SSO, and the second one will be marked as SAML but not have any SAML/SSO configured, but instead is just used for the SCIM provisioning configuration.
Let me know if this helps. I'm also looping in @Danny Zollner in case he has any additional guidance to add, since he is a specialist in OIDC integrations.
If the information helped you, please Accept the answer. This will help us as well as others in the community who