Configure SCIM for user syncing with Microsoft Entra ID

SCIM (System for Cross-domain Identity Management) is a standard for keeping Diggspace users in sync with your organization's Entra ID, so that the user list in Diggspace is as up to date as possible.

Follow the steps below to set up SCIM.

Generating the SCIM token

The first step is to generate the SCIM token within Diggspace.
  1. Access your Diggspace portal with a Global Admin account.
  2. Go to Global Setting > SCIM Provisioning.
  3. Click the "Generate Token" button and save the generated token for later use.

Info: You need Global Admin permissions to do this. If the Entra ID admin is not a Global Admin in Diggspace, please share the generated token with them.

Setting up SCIM in Entra ID

  1. Sign in to the Azure portal with an Entra ID Admin account.
  2. Browse to Microsoft Entra ID > Manage > Enterprise applications.

  3. Click + New Application.
  4. In the Browse Microsoft Entra Gallery, select + Create your own application.
  5. In the new panel:
    1. Enter the name for the application (e.g. Diggspace SCIM), then choose the option "Integrate any other application you don't find in the gallery".
    2. Select Add to create an app object.
  6. In the app management screen, select Provisioning, under the Manage section in the left panel.
  7. In the Provisioning page, perform the following configurations:
    1. In Provisioning Mode, select Automatic.
    2. Expand the Admin Credentials section:
      1. In Tenant URL, insert "<your-tenant-url>/cms/scim/v2/".
      2. In Secret Token, insert the SCIM token generated by Diggspace in the section above.
      3. Click the Test Connection button to have Azure AD attempt to connect to the SCIM endpoint. If the attempt fails, an error warning is displayed.
      4. If the connection succeeds, then select Save to save the admin credentials.

    3. Expand the Mappings section (if you can't see it, or it is disabled, wait a few minutes with the page open):
      1. Click on the Provision Azure Active Directory Groups link:
        1. In Enabled, select No. Only user provisioning is currently fully supported.
        2. Select Save
      2. Click on the Provision Azure Active Directory Users link:
        1. In Enabled, select Yes.
        2. In Target Object Actions, check the Create, Update and Delete options, if not already checked.
        3. In the Attributes Mappings, delete all but the following mappings (these are the fields that will be synced):

          | Azure Active Directory Attribute (Source attribute) | customappsso Attribute (Target attribute) |
          | --- | --- |
          | userPrincipalName | userName |
          | Switch([IsSoftDeleted], , "False", "True", "True", "False") | active |
          | displayName | displayName |
          | mail | emails[type eq "work"].value |
          | givenName | name.givenName |
          | surname | name.familyName |
          | telephoneNumber | phoneNumbers[type eq "work"].value |
          | mobile | phoneNumbers[type eq "mobile"].value |
          | objectId | externalId |
          | department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department |
          | manager | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager |
          | jobTitle | title |

        4. Select the Add New Mapping link, under the mappings table. In the Edit Attribute page:
          1. In Mapping type, select Direct.
          2. In Source attribute, select companyName.
          3. In Target attribute, select urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization.
          4. In Match objects using this attribute, select No.
          5. In Apply this mapping, select Always.
          6. Click the Ok button, at the bottom of the page.
        5. Select Save.
  8. Select Users and groups, under Manage. This tab displays the list of users and groups to be synced.
    1. Select + Add user/group
    2. Click on the None Selected link, under Users and groups.
    3. In the new tab, check the users and/or groups to be provisioned. You can create new groups or use existing ones.
      ⚠️ Please note that guest users will also be provisioned by Entra ID. If you don't intend for that to happen, it is best to create a new group without guest users.
    4. When you're done, click on the Select button, and then the Assign button.
  9. To test user provisioning, select Provision on demand in the left panel:
    1. In Select user or group, search for a user by name.
    2. Select the intended user in the search results and click the Provision button, at the bottom of the page.
    3. Entra ID will attempt to sync the user with the app. If all steps displayed on the screen succeed, provisioning is working.
      1. If not, click the View Details link to see more information, and check the Provisioning logs (in the Monitor section in the left panel).
        NOTE: It is best to start by provisioning a user without a manager, if possible. When provisioning a user without a manager, Entra ID will skip this field when syncing, because the manager's user was not previously provision

  10. To automate the provisioning of all users, select Overview.
    1. Select Start provisioning.
    2. In the Current cycle status, the provisioning status can be consulted.
      Provisioning usually runs every 40 minutes by default, when on.
    3. To see logs, select Provisioning logs, in the Monitor section in the left panel.
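
To review exactly which directory attributes this configuration sends to Diggspace, the sketch below applies the mappings from step 7 to one user and builds the resulting SCIM User resource. It is an added example, not Diggspace or Microsoft code; the sample user is constructed, `IsSoftDeleted` is modelled as a Python boolean, and omitting attributes with no source value is an assumption of the sketch.

```python
import json
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# (source, target) pairs from the mapping table above, plus the companyName mapping.
MAPPINGS = [
    ("userPrincipalName", "userName"), ("displayName", "displayName"),
    ("mail", 'emails[type eq "work"].value'),
    ("givenName", "name.givenName"), ("surname", "name.familyName"),
    ("telephoneNumber", 'phoneNumbers[type eq "work"].value'),
    ("mobile", 'phoneNumbers[type eq "mobile"].value'),
    ("objectId", "externalId"), ("jobTitle", "title"),
    ("department", ENTERPRISE + ":department"), ("manager", ENTERPRISE + ":manager"),
    ("companyName", ENTERPRISE + ":organization"),
]

def set_path(resource, path, value):
    """Write value at a SCIM path: extension URN, filtered list, or dotted."""
    if path.startswith(ENTERPRISE + ":"):
        resource.setdefault(ENTERPRISE, {})[path[len(ENTERPRISE) + 1:]] = value
        return
    m = re.fullmatch(r'(\w+)\[type eq "(\w+)"\]\.(\w+)', path)
    if m:
        attr, kind, sub = m.groups()
        resource.setdefault(attr, []).append({"type": kind, sub: value})
        return
    *parents, leaf = path.split(".")
    for parent in parents:
        resource = resource.setdefault(parent, {})
    resource[leaf] = value

def to_scim_user(entra_user):
    """Build the SCIM User resource these mappings yield for one directory user."""
    # Switch([IsSoftDeleted], , "False", "True", "True", "False") inverts the flag.
    user = {"schemas": [CORE], "active": not entra_user.get("IsSoftDeleted", False)}
    for source, target in MAPPINGS:
        if entra_user.get(source):  # assumption: empty source values are omitted
            set_path(user, target, entra_user[source])
    if ENTERPRISE in user:
        user["schemas"].append(ENTERPRISE)
    return user

# Constructed sample user, not real directory data.
SAMPLE = {"userPrincipalName": "ana@example.com", "displayName": "Ana Example",
          "mail": "ana@example.com", "givenName": "Ana", "surname": "Example",
          "mobile": "+351 900 000 000", "objectId": "00000000-0000-0000-0000-000000000001",
          "department": "Finance", "companyName": "Example Corp", "IsSoftDeleted": False}

if __name__ == "__main__":
    print(json.dumps(to_scim_user(SAMPLE), indent=2))
```

Any attribute that does not appear in the output is not covered by the mappings kept in step 7, which makes the list a quick check on what personal data leaves the directory.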

