User provisioning with Microsoft Entra ID (Azure AD) and SCIM

How does user provisioning with Microsoft Entra ID and SCIM work?

Integrating Microsoft Entra ID (previously Azure AD) with SafetyCulture via System for Cross-domain Identity Management (SCIM) provisioning automates user management, ensuring accurate and efficient user synchronization. It uses the SCIM protocol to automatically provision and update SafetyCulture users based on identity data from Microsoft Entra ID.

This integration helps administrators by:

• Reducing manual account updates.
• Maintaining consistency across platforms.
• Streamlining access control.

For example, when your organization hires a new employee, SCIM automatically creates their SafetyCulture account with predefined fields like job role, department, or location. By leveraging this integration, administrators can improve onboarding, minimize errors, and enforce standardized user access.

📘

SafetyCulture only supports one-way syncing from Microsoft Entra ID by importing users. Data in SafetyCulture cannot be sent back to Microsoft Entra ID.

Requirements

• Microsoft Entra ID (Azure AD) account
• SafetyCulture Premium Plan or Enterprise Plan
• Web app
• "Platform management: Organization" permission
• API token
• User fields

📘

During setup, administrators will need to switch between SafetyCulture and Microsoft Entra ID to configure provisioning settings, map attributes, and enable synchronization.

1. Create an application

1. Log in to Microsoft Azure Portal.
2. Click Enterprise applications.
3. Click New application.
4. Click Create your own application.
5. On the side panel, enter the application name.
6. Select Integrate any other application you don’t find in the gallery (Non-gallery).
7. Click Create. Once created, the application will serve as the bridge between Microsoft Entra ID and SafetyCulture.

2. Configure user provisioning to SafetyCulture

1. In Microsoft Entra ID, click Manage, and then select Provisioning from the menu on the left-hand side.
2. Under Provisioning Mode, click the dropdown menu, and select Automatic.
3. Under Admin Credentials, enter the following details:

• Tenant URL: Enter the SCIM endpoint, which allows Microsoft Entra ID to communicate with SafetyCulture for user provisioning. For example, https://api.safetyculture.com/accounts/scim/v2.
• Secret Token: Generate an API token via the SafetyCulture web app, and enter the token in this field.

4. Click Test Connection and verify that the connection is successful.
5. Click Save at the top of the page. After saving, Mappings appears below Admin Credentials.

3. Configure attribute mappings

1. Under Mappings, click Provision Azure Active Directory Users.
2. Delete attributes that are not needed.
3. Click Save at the top of the page.
4. Select Show advanced options at the bottom of the page.
5. Click Edit attribute list for customappsso.
6. Delete attributes that are not needed. If you've already mapped attributes to SafetyCulture, any changes made on this page will automatically update those mappings.
7. Click Save at the top of the page.

4. Map custom user fields

📘

Before mapping custom fields, create your user fields in SafetyCulture. Otherwise, these will not be synced. SCIM can only populate fields that already exists. You can map any of the supported data types (text, date, user, and multiple choice).

1. In the SafetyCulture web app, copy the user field ID.
2. In the Microsoft Azure Portal, add a new attribute in Edit attribute list for customappsso.

• Use the SafetyCulture user field ID as the attribute name. The format must be urn:ietf:params:scim:schemas:extension:safetyculture_attributes:2.0:User:{custom field id}.
• The type must be String.
• For date fields, use the RFC3339 format. For example, 1996-12-19T16:39:57-08:00 or 1985-04-12T23:20:50.52Z.
• For multiple choice fields, the value must be the string value of any of the predefined options.

3. Click Save on the upper-left of the page.
4. In the pop-up window, click Yes.
5. At the bottom of the page, click Add New Mapping.
6. Edit the following attribute details:

• Mapping type: This field determines how values are assigned to the target attribute. Select Direct to map the attribute directly from Entra ID to SafetyCulture, or Constant to assign a fixed value.
• Constant value: The specific fixed value assigned for attributes with a constant mapping type.
• Target attribute: Select the attribute name of the field in the dropdown menu, ensuring it corresponds to the correct field in SafetyCulture.

7. Click Ok.
8. Click Save on the upper-left of the page.
9. In the pop-up window, click Yes.

5. Turn provisioning on

1. Click your Enterprise application for SafetyCulture.
2. Click Overview from the menu on the left-hand side.
3. Click Provision on demand.
4. Select a user you want to provision.
5. Click Provision at the bottom of the page. After verification, the attributes for the selected user appears on the side panel.
6. In the SafetyCulture web app, click your organization name on the lower-left corner of the page and select Users.
7. The newly provisioned user will appear in the user list.
8. Click the user to verify that the fields you mapped are added.

🪄

Turn the Provisioning Status on in Microsoft Entra ID to enable automatic provisioning, which periodically syncs all users. To learn more about user provisioning with Microsoft Entra ID and SCIM, refer to their guide for details.

Best practices

Custom attributes and field mapping

• Before mapping custom fields, ensure they are created in SafetyCulture. Otherwise, these will not be synced.
• Use the correct SCIM attribute format to avoid sync failures.

Testing and monitoring

• Always test the provisioning connection before enabling auto-sync.
• Use the Provision on-demand feature for a single user test.
• Check Microsoft Entra ID logs and SafetyCulture user profiles to confirm that the data syncs correctly.

Troubleshooting

Related article

📌 What are user fields?