Skip to main content
Skip table of contents

SCIM: Implementing the Azure Entra ID connection

Read this article in: Deutsch, Français, Dutch

We have implemented an interface according to SCIM2 standard to connect Active Directories. Users and groups can be synchronized between Azure Entra ID and SoSafe. For this purpose, Microsoft compares the stored data with your SoSafe user data base and sends updates to our interface. Which users, groups and data are shared can be configured in Azure Entra ID and our SoSafe Manager.

You can set up our interface using the Azure "Enterprise Applications".

We are listed as an enterprise application in the Azure Entra ID catalogue.

Supported functions are:

  • Creating users and groups in SoSafe

  • Removing users from SoSafe groups

  • Synchronizing users and groups in SoSafe

  • Provision of groups and group membership of SoSafe

  • Listing in the Azure App Catalogue 

Functions not currently supported 

  • Nested groups


  • An Azure Entra ID client

  • A user account in Azure Entra ID with permission to configure staging

  • An administrator account with SoSafe

  • We are working on providing you with the client URL and access token directly in the SoSafe manager, at the moment these are still created manually


  • Please tell your Implementation Manager your Azure Tenant ID.

  • Please tell your Implementation Manager, whether you want to group your users through Azure Groups or through attributes.


Set-up instructions

Step 1: Create your own application

Log in to the Azure portal. Select "Enterprise applications" and then "All applications" and click on "New application". Now you can select "SoSafe" application from the shop.


Step 2: Deploying users and groups

Add users and groups you want to synchronize to the application


We recommend starting small. Test your deployment with a small group of users and groups before you share it with everyone. If the staging area is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. If the scope is set to all users and groups, you can specify an attribute-based scope filter.

Step 3: Setting up user provisioning

  1. Select the Provisioning tab and click Get started.

  • You will receive the client URL and the access token later in our manager, at the moment a SoSafe technician will support you with the set up.

  1. Set the Provisioning mode to automatic and insert the client URL, the Access Token and the notification mail.


Step 4: Checking the attribute assignment

  1. Check the attribute assignment of users.

  1. You can remove all but the assignments shown here.


(instead of Switch, there is a possibility that your Azure Version shows Not([IsSoftDeleted]))

  • We support the exchange of all attributes of the standard assignment as well as user-defined assignments. These must be entered accordingly in SoSafe Manager.

  • However, we actively use only the fields shown here plus academic title and salutation/gender, which can be transferred via user-defined fields.

  • Please leave the Target Object Actors (Create, Update, Delete) activated, so you can change Attributes in the SoSafe Manager.

  1. Here you can check the group attributes. However, if you want to use your security groups as SoSafe user groups, all three attributes are required.

If instead you are using a user attribute to establish your SoSafe user groups, you can disable provisioning of the security groups altogether.


Step 5: Start provisioning

  1. Once you start the provisioning, you can check the synchronization in the manager.



JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.