Skip to main content

Configure System for Cross-domain Identity Management (SCIM) with Microsoft Entra ID

How to set up Stack Internal Enterprise for Entra ID SCIM 2.0 provisioning.

Joel Bradley avatar
Written by Joel Bradley
Updated over 3 weeks ago

PDF VERSION

Tags | Provisioning | Azure | SCIM | Security | Entra ID |

Applies to: Enterprise

ADMIN PRIVILEGES REQUIRED

This documentation is for Stack Internal Enterprise. Free, Basic, and Business users can access their documentation here. Find your plan.

Overview

System for Cross-domain Identity Management (SCIM) is an open API for securely sharing user information between online systems. In Stack Internal Enterprise, SCIM 2.0 support allows an Identity Provider (IdP) to automatically update Stack Overflow with the user's activation status and/or role. Unlike SAML 2.0, which passes user information only at login, SCIM sends updates whenever they occur. This provides Stack Internal Enterprise near-real-time updates to user status and role as changes happen at the IdP.

NOTE: Enabling SCIM support does not disable user management options within Stack Internal Enterprise. This means a user may have an active status in the IdP, yet be deactivated in Stack Internal Enterprise through the admin user management settings. We recommend standardizing on a single provisioning workflow within your organization to avoid confusion.

This article covers integrating Microsoft Entra ID and your Stack Internal Enterprise site with SCIM. For a better understanding of using SCIM with Stack Internal Enterprise, read our SCIM 2.0 support article.

NOTE: Before you can configure SCIM for Entra ID, you must have an Entra ID Enterprise application for your Stack Internal Enterprise site. If you haven't yet configured a SAML Entra ID Enterprise application, follow the instructions in the SSO with Microsoft Entra ID article.

When setting up SCIM, you'll configure Entra ID and your Stack Internal Enterprise site in a back-and-forth process. We recommend having a browser tab open to each site.

THIS ARTICLE APPLIES TO STACK INTERNAL ENTERPRISE ONLY.
Other Stack Internal users should read this article instead. Find your plan.

Configure SCIM on Stack Internal Enterprise

  1. As a Stack Internal Enterprise admin, click Admin Settings in the left-hand menu. Click SCIM under the "ACCESS MANAGEMENT" heading.

  2. Configure the following settings:

    • SCIM Set to On to enable SCIM.

    • SCIM authorization bearer token Create a token (password) you'll later enter into the SCIM configuration on Entra ID. You can enter any string of characters, but be sure to follow best practices for creating a strong password. Stack Internal Enterprise hides the value by default. Click Show password to view and copy the value.

    • Allow Moderator Promotion via a userType property Check this box to enable SCIM promotion/demotion between regular user and moderator roles.

    • Allow Admin Promotion via a userType property Check this box to enable SCIM promotion/demotion between regular user and admin roles.

  3. Click Save settings.

Configure Entra ID

  1. On Entra ID, open your Stack Internal Enterprise application.

  2. Click Provisioning in the left-hand menu, then Get started.

  3. Set Provisioning Mode to Automatic.

  4. Enter the following for Admin Credentials:

    • Tenant URL Set to https://[your_site].stackenterprise.co/api/scim/v2.

    • Secret Token Paste the authorization bearer token you created on the Stack Internal Enterprise SCIM page.

  5. Click Test Connection. A green checkmark will appear in Tenant URL if the connection is successful.

  6. Click Save.

Configure Entra ID SCIM user mapping

User mapping lets you define which Stack Internal Enterprise users SCIM will affect.

  1. Go to the Entra ID application's "Mappings" page. Set mapping at the user level by clicking Provision Azure Active Directory Users. Entra ID SCIM does not support user group management.

  2. On the provisioning configuration page, under the "Target Object Actions", check Update. You can optionally check Create to provision Stack Internal Enterprise users automatically.

  3. Configure the following attributes:

    • userName Set this to the Display Name Assertion from your Stack Internal Enterprise SAML 2.0 authentication settings (check this value by clicking Admin Settings, then Authentication, then Configure SAML 2.0 in Stack Internal Enterprise).

    • active (true/false) Determines whether the user should be deactivated or reactivated in Stack Internal Enterprise.

    • Other required fields for SCIM (Entra ID usually maps these automatically):

      • name.givenName

      • name.familyName

      • emails

    • stackUserType (optional) Allows you to change a user's role on your Stack Internal Enterprise site. Values are Registered, Moderator, or Admin.

    • department (optional) Allows you to update the user's department on your Stack Internal Enterprise site.

    • title (optional) Allows you to update the user’s title on your Stack Internal Enterprise site.

  4. Click Save.

NOTE: Adding the optional user department and job title fields allows you to use Stack Internal Enterprise's connectivity reporting feature. Learn more in the Connectivity article.

Did this answer your question?