
SCIM with Entra ID

SCIM (System for Cross-Domain Identity Management) is a standard protocol that helps automate user management between systems. In TB Authentication Manager, we added SCIM API endpoints to allow user provisioning and synchronization from external directories.

This guide explains how to connect Microsoft Entra ID (formerly Azure AD) to TrustBuilder using SCIM. It shows how to automatically create, update, and delete user accounts.

Support for other identity providers may be added later.

Provisioning from Entra ID via SCIM

Microsoft Entra ID will act as the source directory. This means that user data is managed in Entra ID and automatically synchronized with TrustBuilder through SCIM.

As a result, user attributes should not be modified in the TrustBuilder admin console. Any changes made there will be overwritten during the next synchronization. Always make updates (such as name, email, or status) directly in Entra ID.

✅ Prerequisites

Step 1: Create an Enterprise app in Microsoft

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Entra ID > Enterprise apps.

  3. A list of all configured apps is shown.

  4. Select + New application > + Create your own application.

    1. Enter a name for your application (e.g. SCIM app).

    2. Choose the option "Integrate any other application you don't find in the gallery (Non-gallery)".

    3. Select Create to create an app.


The new app is added to the list of enterprise applications.

Step 2: Configure the Enterprise app in Microsoft

Once the app is created:

  1. Navigate to Identity > Applications > Enterprise Applications.

  2. Select your SCIM app.

  3. Go to the Provisioning section in the left panel.

  4. Click on + New configuration.

  5. In Admin Credentials:

    1. Enter the Tenant URL of the TrustBuilder SCIM endpoint and the Secret token (without the “Bearer” prefix); see Prerequisites above.

    2. Click on Test connection. If the attempt fails, error information is displayed.

  6. Click on Create if the attempt to connect to the application succeeded.

  7. Go to Attribute mapping in the left panel.

  8. Set:

    • Provision Microsoft Entra ID Groups → Disabled (group sync is not supported)

    • Provision Microsoft Entra ID Users → Enabled

  9. Click on Provision Microsoft Entra ID Users to configure the attributes that are synchronized from Microsoft Entra ID to your app.

  10. Keep only the attributes supported by TrustBuilder, which are the following:

Customappsso Attribute       | Microsoft Entra ID Attribute                                | Comment
-----------------------------|-------------------------------------------------------------|--------------------------------------------------------------
userName                     | userPrincipalName                                           | Mandatory. Mapped to login in TrustBuilder.
active                       | Switch([IsSoftDeleted], , "False", "True", "True", "False") | false = blocked, true = not blocked. ⚠️ Do not confuse it with the following status: activate / pending activation / inactive.
emails[type eq "work"].value | mail                                                        | Mandatory if you want to send an activation email to users. Mapped to mail in TrustBuilder.
preferredLanguage            | preferredLanguage                                           | Used for email language. Set via Graph API only. Mapped to language in TrustBuilder.
name.givenName               | givenName                                                   | Optional. Mapped to first name in TrustBuilder.
name.familyName              | surname                                                     | Optional. Mapped to last name in TrustBuilder.
externalId                   | mailNickname                                                | Optional. mailNickname is an example; you can sync another login here, such as samAccountName or anything else. Mapped to login2 in TrustBuilder.

Delete attributes that are not in the table above. ⚠️ Mapping unsupported attributes may cause the sync operation to fail.

  11. Click on Save.

  12. Go to Provisioning in the left panel.

  13. In Settings, choose Sync only assigned users and groups.

  14. Click on Save.
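The following Python is added here as an illustration (it is not TrustBuilder or Microsoft code): it applies the attribute mapping table from Step 2 to two constructed Entra ID users and shows the SCIM resource that results, including how the Switch() expression turns IsSoftDeleted into active for a soft-deleted user. The UPNs, e-mail addresses and the all-zero object ID are placeholders.

```python
import json

# Constructed sample Entra ID users (placeholder tenant, not real data). IsSoftDeleted
# is the Entra-side flag consumed by the Switch() expression in the mapping table.
ENTRA_USERS = [
    {"userPrincipalName": "alice.example@contoso.example", "IsSoftDeleted": "False",
     "mail": "alice.example@contoso.example", "preferredLanguage": "fr-FR",
     "givenName": "Alice", "surname": "Example", "mailNickname": "alice.example"},
    # Soft-deleted user: Entra prefixes the old UPN with the object ID (placeholder GUID),
    # which is why the TrustBuilder login changes when userName is mapped from the UPN.
    {"userPrincipalName": "00000000-0000-0000-0000-000000000000alice.example@contoso.example",
     "IsSoftDeleted": "True", "mail": "alice.example@contoso.example",
     "givenName": "Alice", "surname": "Example", "mailNickname": "alice.example"},
]

def switch(value, default, *pairs):
    """Mimic the Entra expression Switch(source, default, key1, val1, key2, val2, ...)."""
    return dict(zip(pairs[0::2], pairs[1::2])).get(value, default)

def to_scim_user(entra):
    """Apply the page's attribute mapping to one Entra user and return the SCIM 2.0 resource."""
    scim = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
            "userName": entra["userPrincipalName"]}              # login in TrustBuilder
    # active = Switch([IsSoftDeleted], , "False", "True", "True", "False")
    active = switch(entra.get("IsSoftDeleted"), None, "False", "True", "True", "False")
    if active is not None:
        scim["active"] = active == "True"                       # false = blocked
    if entra.get("mail"):                                       # emails[type eq "work"].value
        scim["emails"] = [{"type": "work", "value": entra["mail"]}]
    if entra.get("preferredLanguage"):
        scim["preferredLanguage"] = entra["preferredLanguage"]  # language in TrustBuilder
    name = {dst: entra[src] for dst, src in (("givenName", "givenName"), ("familyName", "surname"))
            if entra.get(src)}
    if name:
        scim["name"] = name                                     # first / last name
    if entra.get("mailNickname"):
        scim["externalId"] = entra["mailNickname"]              # login2 in TrustBuilder
    return scim

if __name__ == "__main__":
    for user in ENTRA_USERS:
        print(json.dumps(to_scim_user(user), indent=2))
```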

Step 3: Enable activation email sending (optional)

You can enable activation email sending to users at creation:

  1. In the TrustBuilder MFA admin console, go to the Service Parameters tab.

  2. In the SCIM section, set the Send activation email on creation parameter:

    • If enabled and the user has an email address → They get a pending activation status and receive an activation email with a code (valid for 3 weeks).

    • If disabled or no email is set → The user has a not activated status and no email is sent.

Step 4: Assign users to the app

  1. In Microsoft Entra admin center, in the left menu, select Enterprise applications.

  2. Click on your SCIM application.

  3. Click Users and groups > + Add user/group.

  4. Click on None Selected.

  5. Select the users and click on Select.

  6. Click on Assign.

Provisioning runs automatically every 40 minutes. You can also click Provision on demand for immediate sync.

Once provisioning is done, you can check that the user has been created in the TrustBuilder MFA admin console.

Limitations

Group sync not supported

Group synchronization from Entra ID is not supported. If you need to automate user selection, we suggest using “Scoping Filters” → https://learn.microsoft.com/en-us/entra/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts?pivots=app-provisioning

Unsupported characters

TrustBuilder does not support all characters or lengths allowed in Microsoft Entra ID. This may lead to errors when editing provisioned users.

Supported in both Entra ID and TrustBuilder:

  • A-Z a-z 0-9 . - _ @

  • Max length (login/UPN):

    • UPN in Entra ID → 64 characters before “@iwproduct.onmicrosoft.com”

    • login in TrustBuilder → 255 characters total

Allowed only in Entra ID (not supported in TrustBuilder): UPN with ' ! # ^ ~.

Allowed only in TrustBuilder (not supported in Entra ID): login with backslash \ and spaces.
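As an added example (not part of the original page or the TrustBuilder product), the Python below checks candidate logins against the character set and length limits listed above, so that accounts likely to fail provisioning can be corrected in Entra ID before they are assigned to the app. The sample UPNs are constructed placeholders.

```python
import string

# Constraints as stated on the page; assumed to be the only ones relevant to sync.
SUPPORTED_CHARS = set(string.ascii_letters + string.digits + ".-_@")
ENTRA_ONLY_CHARS = set("'!#^~")       # valid in a UPN, not supported by TrustBuilder
TRUSTBUILDER_ONLY_CHARS = set("\\ ")  # valid in a TrustBuilder login, never in a UPN
TRUSTBUILDER_LOGIN_MAX = 255          # total login length in TrustBuilder
ENTRA_UPN_PREFIX_MAX = 64             # UPN characters before the @domain part

def check_login(login):
    """Return a list of (reason, detail) findings; an empty list means the value syncs cleanly."""
    findings = []
    if len(login) > TRUSTBUILDER_LOGIN_MAX:
        findings.append(("too_long_for_trustbuilder", len(login)))
    prefix_len = len(login.split("@", 1)[0])
    if prefix_len > ENTRA_UPN_PREFIX_MAX:
        findings.append(("upn_prefix_too_long", prefix_len))
    for ch in sorted(set(login) - SUPPORTED_CHARS):
        if ch in ENTRA_ONLY_CHARS:
            findings.append(("entra_only_char", ch))
        elif ch in TRUSTBUILDER_ONLY_CHARS:
            findings.append(("trustbuilder_only_char", ch))
        else:
            findings.append(("unsupported_char", ch))
    return findings

def audit_upns(upns):
    """Map each UPN to its findings so problem accounts can be fixed in Entra before assignment."""
    return {upn: check_login(upn) for upn in upns}

# Constructed sample UPNs (placeholder tenant).
SAMPLE_UPNS = [
    "alice.example@contoso.example",
    "o'brien@contoso.example",
    "x" * 70 + "@contoso.example",
    "jos\u00e9@contoso.example",
]

if __name__ == "__main__":
    for upn, findings in audit_upns(SAMPLE_UPNS).items():
        print(upn[:40], findings or "ok")
```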

User deletion

Microsoft Entra ID handles user deletion in two steps, and TrustBuilder reacts differently to each:

  • Soft-deleted user in Entra:

    • The user is moved to the "Deleted users" section (trash).

    • Their UPN is changed (Object ID + previous UPN, if the UPN is mapped with the login).

    • In TrustBuilder:

      • The user is not deleted.

      • The user is blocked (administratively disabled).

      • The login is updated if UPN is mapped → may cause issues.

  • Hard-deleted user in Entra:

    • The user is permanently deleted from Entra.

    • In TrustBuilder, the user is deleted.

Provisioning ID conflict

IWDS and SCIM should not be used together.

Both use the same provisioning ID in TrustBuilder. One source can overwrite the other.

More information: Microsoft documentation - Integrate TrustBuilder SCIM endpoints with the Microsoft Entra provisioning service.
