Synchronize users and groups with SCIM 2.0
SCIM Integration in Flow Connect
Flow Connect supports System for Cross-domain Identity Management (SCIM) 2.0, an industry-standard protocol for automating the exchange of user and group information between identity providers (IdPs) and cloud applications.
With SCIM enabled, organizations can centrally manage user accounts and group memberships directly from their identity provider, such as Microsoft Entra ID (Azure AD), without needing to manually create or update users inside Flow Connect.
The SCIM integration ensures that:
User provisioning and deprovisioning happen automatically when changes occur in the IdP.
Group assignments are synchronized, simplifying access management to applications in Flow Connect.
Security and compliance are improved through consistent, automated identity lifecycle management.
Once configured, Flow Connect will act as a SCIM 2.0 service provider, exposing secure endpoints for your IdP to connect to. This integration streamlines administration, reduces manual errors, and keeps user data up to date across your organization.
How SCIM provisioning works in Flow Connect
Groups and users configured for provisioning will automatically be created in Flow Connect. New users will not receive an invitation email and will not need to go through the sign-up process. Instead, they can immediately sign in with their Microsoft account. They will be created with the status Pending and automatically changed to Active after their first login. If a user already exists with the same email address in the organization, the user will be kept as is but marked as SCIM-managed. Users created through SCIM who are later removed from provisioning will be set to Inactive in Flow Connect. If they are added back to provisioning, they will be changed back to Active. If users are deleted from the Entra directory, they will also be deleted from Flow Connect. Users can be added to non-SCIM-managed groups in Hub, both end-user groups and admin groups.
Groups added for provisioning and later removed will be deleted from Flow Connect. If the same group is added back to provisioning, it will be created as a new group and will not restore any permissions from the previously deleted group. Memberships for SCIM-managed groups can only be updated through SCIM provisioning; users who are not SCIM-managed cannot be added to these groups in Hub. Groups are only created as end-user groups. Admin groups can only be managed in Hub.
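The user lifecycle rules above can be replayed to reconcile an exported user list against what provisioning should have produced, for example to spot accounts that are still Active after being removed from provisioning. This is an added example, not Flow Connect code; the event names, record layout and sample data are assumptions constructed for illustration.

```python
# Added example: replays the lifecycle rules described in the text.
# Event names and the record layout are assumptions, not a Flow Connect API.

def expected_state(events, existing):
    """Replay (event, email) pairs; `existing` maps pre-SCIM emails to status."""
    users = {e: {"status": s, "scim_managed": False, "scim_created": False}
             for e, s in existing.items()}
    for event, email in events:
        u = users.get(email)
        if event == "provisioned":
            if u is None:  # new user: no invitation email, starts as Pending
                users[email] = {"status": "Pending", "scim_managed": True,
                                "scim_created": True}
            elif not u["scim_managed"]:  # same email exists: kept, only marked
                u["scim_managed"] = True
            elif u["scim_created"] and u["status"] == "Inactive":
                u["status"] = "Active"  # added back to provisioning
        elif u is None:
            continue
        elif event == "first_login" and u["status"] == "Pending":
            u["status"] = "Active"
        elif event == "removed_from_provisioning" and u["scim_created"]:
            u["status"] = "Inactive"
        elif event == "deleted_in_entra" and u["scim_managed"]:
            del users[email]
    return users

def drift(expected, actual):
    """Return (email, expected_status, actual_status) for every mismatch."""
    findings = []
    for email in sorted(set(expected) | set(actual)):
        exp = expected[email]["status"] if email in expected else "Deleted"
        act = actual.get(email, "Deleted")
        if exp != act:
            findings.append((email, exp, act))
    return findings

# Constructed sample data (not real accounts).
EXISTING = {"bo@example.com": "Active"}
EVENTS = [("provisioned", "ana@example.com"), ("first_login", "ana@example.com"),
          ("provisioned", "bo@example.com"),
          ("provisioned", "cy@example.com"), ("first_login", "cy@example.com"),
          ("removed_from_provisioning", "cy@example.com"),
          ("provisioned", "di@example.com"), ("deleted_in_entra", "di@example.com")]
EXPORT = {"ana@example.com": "Active", "bo@example.com": "Active",
          "cy@example.com": "Active", "di@example.com": "Pending"}

if __name__ == "__main__":
    for finding in drift(expected_state(EVENTS, EXISTING), EXPORT):
        print(finding)
```

The text does not say what happens to a pre-existing user who is marked SCIM-managed and later removed from provisioning, so the example leaves that user's status unchanged.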
Configure Microsoft Entra ID
Create a new Enterprise Application
Sign in to the Microsoft Entra admin center with at least a Cloud Application Administrator role.
Navigate to Identity > Applications > Enterprise applications > All applications.
Click on New application.

Click on Create your own application.

Enter Flow Connect SCIM 2.0 as the name, select Integrate any other application you don’t find in the gallery, and then click Create.

Configure application
The application has been created and needs to be configured for Flow Connect. Click Connect your application.

To connect your application to your Flow Connect organization, you need to retrieve the required information from the organization page in Hub.

Set the authentication method to Bearer authentication.
Create tenant URL and generate secret token
The Edit Organization Metadata permission is required to configure the SCIM provisioning.
Open the Organization page and select the Create Tenant URL button. Enter the tenant ID for the Entra directory from which you want to synchronize users and groups.

Generate a new token.

Make sure you save the token in a secure place. You will not be able to read it after the screen is closed.
The token will be valid for one year. After that, you need to generate a new token and update the connection in Entra.
After pasting the tenant URL and the secret token, click Test connection.

After successfully testing the connection, click Create.
Update attribute mapping
To successfully create new users in Flow Connect, you need to update the default attribute mapping for externalId.
Select Provisioning from the side menu.

Select Attribute mapping, then select Provision Microsoft Entra ID Users.

Change the attribute mapping for externalId by clicking Edit.

Change the value of the source attribute to objectId.

Save the updated configuration.

Configure provisioning
Configure the groups that should be provisioned to Flow Connect. This means that the groups added will automatically be created, and the users who are members of those groups will also be created and added to the groups in Flow Connect.
Individual users can also be included in the provisioning if necessary.
Select Users and groups, then click Add user/group. Add the groups you want to synchronize with Flow Connect.
Only end-user groups can be managed through SCIM provisioning. Group memberships for admin groups can only be managed in Hub.

When all groups have been added, select Provisioning from the side menu.
Click Start provisioning to begin synchronizing users and groups with Flow Connect. Synchronization runs every 40 minutes.

Once the job has finished, you will find the users and groups in Flow Connect that were created by the SCIM integration.
