
How to configure SCIM for Microsoft Entra ID

To use SCIM-based user provisioning with your Entra ID provider, you need to follow the steps below:

  1. Configure SCIM in Scaleway.
  2. Create an Entra ID application.
  3. Configure the Entra ID application.
  4. Configure the user mapping.
Important

Only SCIM user-related actions are currently supported by Scaleway. Group auto-provisioning is planned for availability in the coming months.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • The Cloud Application Administrator role in Microsoft Entra ID.

Configure SCIM in Scaleway

  1. Click Settings in the upper-right corner of the Organization Dashboard. Alternatively, click the avatar icon in the upper-right corner of the header navigation, then select Settings on the drop-down menu.

  2. Click Automatic user provisioning (SCIM), under Organization security, on the left-side navigation.

  3. Click Enable. A pop-up displays, informing you that a token creation is required to enable SCIM.

  4. Click Enable SCIM and create token. SCIM is now enabled for the Organization. Two fields appear — copy both before continuing:

    • SCIM token — used by your Identity Provider to authenticate with Scaleway. Treat this as sensitive and do not share it.
    • Base URL — used by your Identity Provider to locate your Scaleway account.
    Important

    The SCIM token and base URL are only displayed once. Copy and store them securely before closing the pop-up. You will need both to configure SCIM on your Identity Provider.

  5. Click Close. The configuration is complete on the Scaleway side, but you now need to carry out the SCIM configuration on your Identity Provider.

Note

To ensure the correct SCIM configuration, you can perform actions such as changing a name or creating a user directly on your Identity Provider. You should then see:

Important

By default, SCIM manages users only if their usernames match between the Identity Provider and Scaleway. The federation compares users from both sources, and users not found in the Identity Provider are not impacted by SCIM configuration. If you wish to manage not-found users via SCIM, you must re-create them on the Identity Provider or change settings on the Identity Provider side.

Create an Entra ID application

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Enterprise applications and click New Application. Scaleway is not in the Entra app gallery, so you need to create your own application.
  3. Click Create your own application.
    1. Enter a name for the application.
    2. Select the option Integrate any other application you don't find in the gallery (Non-gallery).
  4. Click Create.

Configure provisioning in the Entra ID application

  1. Click Provisioning under the Manage menu. Alternatively, click Provision User Accounts on the application overview page.
  2. Click Connect your application.
  3. Enter the following parameters:
    • Authentication method: Bearer authentication
    • Tenant URL: This is the Base URL value you got when you configured SCIM in Scaleway.
    • Bearer token: This is the SCIM token you got when you configured SCIM in Scaleway.

Configure the user mapping in the Entra ID application

Scaleway's SCIM implementation does not support all the default object and attribute values in Microsoft Entra ID. Configure the following parameters.

Disable group provisioning

Note

Scaleway's SCIM implementation does not support groups.

  1. Click Attribute mapping under the Manage menu.
  2. Click Provision Microsoft Entra ID Groups.
  3. Select No for Enabled, then click Save.

Disable name.formatted

Scaleway does not use a name.formatted field. It constructs the display name by joining the first and last name with a space, identical to Entra's behavior. This mapping is redundant and should be removed.

  1. Click Attribute mapping under the Manage menu.
  2. Click Provision Microsoft Entra ID Users. This section controls how Entra ID attributes map to Scaleway SCIM fields.
  3. Click Delete for name.formatted.

Simplify generated usernames

By default, Entra generates Scaleway usernames in the format <username>@<domain>.onmicrosoft.com. To keep usernames short and practical, you can add a formatting rule that strips the domain suffix, leaving only <username>.

  1. In Provision Microsoft Entra ID Users, click Edit for userName.
  2. Select Expression in Mapping type.
  3. Enter the following expression: Item(Split([userPrincipalName], "@"), 1), then click Ok.
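
The check below is an added example, not part of Scaleway's documentation. It mirrors the expression above in Python to find Entra users whose shortened usernames would collide and, following the username-matching rule described earlier, to show which existing Scaleway users SCIM would or would not manage. The sample UPNs and Scaleway usernames are constructed, and case-insensitive comparison is an assumption.

```python
from collections import defaultdict


def mapped_username(upn: str) -> str:
    """Mirror Item(Split([userPrincipalName], "@"), 1): the text before the first "@"."""
    return upn.split("@")[0]


def audit_mapping(upns, scaleway_usernames):
    """Return (collisions, matched, unmanaged) for a planned provisioning run.

    collisions: mapped username -> all UPNs that would claim it
    matched:    existing Scaleway usernames that SCIM would start managing
    unmanaged:  existing Scaleway usernames with no counterpart in the IdP
    """
    by_name = defaultdict(list)
    for upn in upns:
        # Assumption: usernames are compared case-insensitively
        # (SCIM's userName attribute is caseExact=false in RFC 7643).
        by_name[mapped_username(upn).casefold()].append(upn)

    collisions = {name: sorted(group) for name, group in by_name.items() if len(group) > 1}
    existing = {name.casefold() for name in scaleway_usernames}
    provisioned = set(by_name)
    return collisions, sorted(existing & provisioned), sorted(existing - provisioned)


# Constructed sample data, not real accounts.
SAMPLE_UPNS = [
    "alice@contoso.onmicrosoft.com",
    "Alice@fabrikam.onmicrosoft.com",
    "bob@contoso.onmicrosoft.com",
]
SAMPLE_SCALEWAY_USERS = ["alice", "bob", "breakglass-admin"]

if __name__ == "__main__":
    collisions, matched, unmanaged = audit_mapping(SAMPLE_UPNS, SAMPLE_SCALEWAY_USERS)
    for name, group in collisions.items():
        print(f"COLLISION {name!r}: {', '.join(group)}")
    print("Would be managed by SCIM:", matched)
    print("Not found in IdP (left untouched):", unmanaged)
```

Run it against an export of your own userPrincipalName values before enabling provisioning. Any collision means the domain suffix cannot be stripped safely for those users.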