How to implement SCIM in .NET Core for automatic user provisioning with Azure AD multi-tenant setup?

Shripad Godse 25 Reputation points
2023-12-12T07:21:17.8766667+00:00

I am looking for assistance with implementing SCIM in .NET Core for automatic user provisioning with Azure AD multi-tenant setup. Specifically, I am seeking answers to the following questions:

  1. Will the SCIM application API be triggered when a new user is added to a configured tenant?
  2. If yes, what are the default API endpoints and payloads for updating the SCIM application?
  3. I have a multi-tenant Azure AD application and I'm allowing multiple client tenants to use our tenant to sign into my web application. If I add user provisioning to my multi-tenant app, will it add the clients' users in my SCIM app, or does every client need to add user provisioning in their respective tenants?

I posted this question previously here where I received a repository link to refer to, but I still have some questions. I added a comment on that stream but did not get a response, so I created this new question here with the same list of questions.


Accepted answer
    Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2023-12-12T08:26:17.41+00:00

    Hi @Shripad Godse ,

    Thanks for reaching out, and apologies for the delay in responding in the earlier thread.

    1. Will the SCIM application API be triggered when a new user is added to a configured tenant?

    You need to configure your application to automate user provisioning in Microsoft Entra ID, and you need to define the users or groups you would like to provision to your application.

    If you sync all users and groups, then the SCIM API automates the provisioning for all users and groups.

    2. If yes, what are the default API endpoints and payloads for updating the SCIM application?

    SCIM 2.0 is a standardized definition of two endpoints: a /Users endpoint and a /Groups endpoint. It uses common REST API endpoints to create, update, and delete objects. SCIM consists of a predefined schema for common attributes like group name, username, first name, last name and email.

    Refer to all the request/response examples here: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups#scim-protocol-requests-and-responses

    3. I have a multi-tenant Azure AD application and I'm allowing multiple client tenants to use our tenant to sign into my web application. If I add user provisioning to my multi-tenant app, will it add the clients' users in my SCIM app, or does every client need to add user provisioning in their respective tenants?

    If you add user provisioning to your multi-tenant app, this will allow you to provision users and groups from any tenant that has consented to your application. However, each client tenant will need to configure user provisioning settings in their own tenant, such as the mapping of attributes and the scope of users and groups to be provisioned.

    Refer - https://learn.microsoft.com/en-us/entra/identity/app-provisioning/isv-automatic-provisioning-multi-tenant-apps

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.

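As an added illustration (not code from the question, the answer, or Microsoft's reference repository), here is a minimal ASP.NET Core (.NET 6+, default web template with implicit usings) app exposing the SCIM 2.0 /Users endpoint in the order the Entra provisioning service exercises it: first the existence check by `userName` filter, then the create. The route prefix, the in-memory store and the bearer token value are assumptions; the token is whatever you enter as the Secret Token when configuring provisioning.

```csharp
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json.Nodes;

var app = WebApplication.CreateBuilder(args).Build();
var users = new ConcurrentDictionary<string, JsonObject>(); // assumed in-memory store
// Assumed placeholder: the real value is the Secret Token entered in the Entra provisioning blade.
const string ExpectedToken = "REPLACE_WITH_SECRET_TOKEN";

// Entra sends "Authorization: Bearer <secret token>" on every call; compare in constant time.
bool TokenOk(string header) => CryptographicOperations.FixedTimeEquals(
    Encoding.UTF8.GetBytes(header), Encoding.UTF8.GetBytes($"Bearer {ExpectedToken}"));

app.Use(async (ctx, next) =>
{
    if (!TokenOk(ctx.Request.Headers.Authorization.ToString())) { ctx.Response.StatusCode = 401; return; }
    await next();
});

// Step 1: Entra checks for an existing user with GET /Users?filter=userName eq "alice@contoso.com".
app.MapGet("/scim/v2/Users", (string? filter) =>
{
    IEnumerable<JsonObject> hits = users.Values;
    var parts = filter?.Split(' ', 3);
    if (parts is { Length: 3 } && parts[0] == "userName" && parts[1] == "eq")
    {
        var wanted = parts[2].Trim('"');
        hits = hits.Where(u => string.Equals(u["userName"]?.GetValue<string>(), wanted,
                                             StringComparison.OrdinalIgnoreCase));
    }
    // Stored nodes already have a parent, so re-parse copies before placing them in the list response.
    var copies = hits.Select(u => JsonNode.Parse(u.ToJsonString())).ToArray();
    var list = new JsonObject
    {
        ["schemas"] = new JsonArray("urn:ietf:params:scim:api:messages:2.0:ListResponse"),
        ["totalResults"] = copies.Length,
        ["Resources"] = new JsonArray(copies),
    };
    return Results.Json(list, contentType: "application/scim+json");
});

// Step 2: when totalResults is 0, Entra creates the user with POST /Users; reply 201 with a server-assigned id.
app.MapPost("/scim/v2/Users", (JsonObject body) =>
{
    var id = Guid.NewGuid().ToString();
    body["id"] = id;
    body["meta"] = new JsonObject { ["resourceType"] = "User", ["location"] = $"/scim/v2/Users/{id}" };
    users[id] = body;
    return Results.Json(body, contentType: "application/scim+json", statusCode: 201);
});

app.Run();
```

A production endpoint would also need the /Groups routes plus PATCH and DELETE handlers, persistent storage, and a per-tenant token rather than one shared constant.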
