SCIM with Entra ID

SCIM (System for Cross-Domain Identity Management) is a standard protocol that helps automate user management between systems. In TB Authentication Manager, we added SCIM API endpoints to allow user provisioning and synchronization from external directories.

This guide explains how to connect Microsoft Entra ID (formerly Azure AD) to TrustBuilder using SCIM. It shows how to automatically create, update, and delete user accounts.

Support for other identity providers may be added later.

Refer to Microsoft documentation - Integrate SCIM endpoints with the Microsoft Entra provisioning service to get more information.

Provisioning from Entra ID via SCIM

Microsoft Entra ID will act as the source directory. This means that user data is managed in Entra ID and automatically synchronized with TrustBuilder through SCIM.

As a result, user attributes should not be modified in the TrustBuilder admin console. Any changes made there will be overwritten during the next synchronization. Always make updates (such as name, email, or status) directly in Entra ID.

✅ Prerequisites

The SCIM endpoint for your TrustBuilder MFA environment: https://kiwi.myinwebo.com/auth/v1/customer/services/scim
A valid Bearer token for the TrustBuilder service you want to synchronize users with (User management with REST API | API-token).
An Application Administrator role in Microsoft Entra ID

Step 1: Create an Enterprise app in Microsoft

Sign in to the Microsoft Entra admin center.
Browse to Entra ID > Enterprise apps.
A list of all configured apps is shown.
Select + New application > + Create your own application.
1. Enter a name for your application (e.g: SCIM app)
2. Choose the option "Integrate any other application you don't find in the gallery (Non-gallery)".
3. Select Create to create an app.

The new app is added to the list of enterprise applications.

Step 2: Configure the Enterprise app in Microsoft

Once the app is created:

Navigate to Identity > Applications > Enterprise Applications.
Select your SCIM app.
Go to Provisioning section in the left panel.
Click on + New configuration.
In Admin Credentials:
1. Enter the Tenant URL to TrustBuilder SCIM endpoint and the Secret token (without “Bearer” prefix).
  See Prerequisites above.
2. Click on Test connection. If the attempt fails, error information is displayed.
Click on Create if the attempt to connect to the application succeeded.
Go to Attribute mapping in the left panel.
Set:
- Provision Microsoft Entra ID Groups → Disabled (group sync is not supported)
- Provision Microsoft Entra ID Users → Enabled
Click on Provision Microsoft Entra ID Users to configure the attributes that are synchronized from Microsoft Entra ID to your app.
Keep the attributes supported by TrustBuilder which are the following:

Customappsso Attribute	Microsoft Entra ID Attribute	Comment
`userName`	`userPrincipalName`	Mandatory `login` in TrustBuilder
`active`	`Switch([IsSoftDeleted], , "False", "True", "True", "False")`	`false` = blocked `true` = not blocked ⚠️ Do not confuse it with the following status: activate / pending activation / inactive
`emails[type eq "work"].value`	`mail`	Mandatory if you want to send an activation email to users `mail` in TrustBuilder
`preferredLanguage`	`preferredLanguage`	Optional - Used for email language. Set via Microsoft Graph API only. Default is 'en'. `language` in TrustBuilder
`name.givenName`	`givenName`	Optional `first name` in TrustBuilder
`name.familyName`	`surname`	Optional `last name` in TrustBuilder
`externalId`	`mailNickname`	Optional - `mailNickname` is an example. You can sync another login here, such as `samAccountName` or anything else. `login2` in TrustBuilder

Delete attributes that are not in the table above. ⚠️ Mapping unsupported attributes may cause the sync operation to fail.

Click on Save.

Step 3: enable activation email sending (optional)

You can enable activation email sending to users at creation:

In TrustBuilder MFA admin console, go to Service Parameters tab.
In SCIM section, set the Send activation email on creation parameter:
- If enabled and the user has an email address → They get a pending activation status and receive an activation email with a code (valid for 3 weeks).
- If disabled or no email is set → The user has a not activated status and no email is sent

Step 4: Provision users

You can either provision users by assigning them manually to the app or using scoping filter.

Group synchronization from Entra ID is not supported. You can use Scoping filters.

Assigning users manually to the app

In Microsoft Entra admin center, in the left menu, select Enterprise applications.
Click on your SCIM application.
Go to Provisioning in the left panel then Provisioning.
In Settings, choose the scope: Sync only assigned users and groups.
Click on Save.
Click Users and groups > + Add user/group.
Click on None Selected.
Select the users to provision and click Select.
Click on Assign.

Provisioning occurs every 40 minutes. Once completed, you can verify that users have been created in the TrustBuilder MFA Admin console.

Using scoping filters

A scoping filter allows you to include or exclude any users who have an attribute that matches a specific value. It can be used to determine which users are in scope for provisioning.
See Microsoft documentation

In Microsoft Entra admin center, in the left menu, select Enterprise applications.
Click on your SCIM application.
Go to Provisioning in the left panel then Provisioning.
In Settings, choose the scope: Sync all users and groups.
Click on Save.
Go to Attribute Mapping (Preview).
Click on Provision Microsoft Entra ID Users.
At Source Object Scope, click on All records.
Click on + Add new filter group.
Define a clause by selecting a source Attribute Name, an Operator and an Attribute Value to match against. See Microsoft documentation
In Scoping Filter Title, add a name for your scoping filter.
Click OK then OK again on the Scoping Filters screen.
Select Save on the Attribute Mapping screen.

Once the filter is applied, only users matching its condition are provisioned into TrustBuilder MFA.

Users out of scope

If a user no longer matches the scoping filter (after a department change for example) they still exist in TrustBuilder but are automatically blocked at the next synchronization.

Provisioning occurs every 40 minutes. Once completed, you can verify that users have been created in the TrustBuilder MFA Admin console.

Limitations

Groups sync not supported	Group synchronization from Entra ID is not supported. If you need to automate user selection, we suggest using Scoping Filters. See Step 4: Provision users - Using scoping filters
Unsupported characters	TrustBuilder does not support all characters or lengths allowed in Microsoft Entra ID. This may lead to errors when editing provisioned users. ✅ Supported in both Entra ID and TrustBuilder: `A–Z a-z 0–9 . - _ @` Max length (login/UPN): UPN in Entra ID → 64 characters before “@iwproduct.onmicrosoft.com” login in TrustBuilder → 255 characters total ❌ Allowed only in Entra ID (not supported in TrustBuilder): UPN with `' ! # ^ ~`. ❌ Allowed only in TrustBuilder (not supported in Entra ID): login with backslash `\` and spaces.
User deletion	Microsoft Entra ID handles user deletion in two steps, and TrustBuilder reacts differently to each: Soft-deleted user in Entra: The user is moved to the "Deleted users" section (trash). Their UPN is changed (Object ID + previous UPN, if the UPN is mapped with the login). In TrustBuilder: The user is not deleted. The user is blocked (administratively disabled). The login is updated if UPN is mapped → may cause issues. Hard-deleted user in Entra The user is permanently deleted from Entra. In TrustBuilder, the user is deleted.
Provisioning ID conflict	IWDS and SCIM should not be used together. Both use the same provisioning ID in TrustBuilder. One source can overwrite the other.