Configure SCIM Provisioning with Microsoft Entra ID

This guide explains how to configure SCIM user provisioning for Oktopost using Microsoft Entra ID (formerly Azure Active Directory).

SCIM provisioning allows Microsoft Entra ID to automatically create, update, and deactivate users in Oktopost based on assignments and changes made in your identity provider.

This setup supports either (but not both):

  • Oktopost platform users (app.oktopost.com)
  • Oktopost Advocacy board users (board.oktopost.com)

Important: If you use an EU-hosted account, every URL in this article should instead have eu- placed in front. For example, https://app.oktopost.com/scim/v2 becomes https://eu-app.oktopost.com/scim/v2.

Requirements

Before starting, ensure you have:

  • Administrator access to Microsoft Entra ID
  • Administrator access to Oktopost
  • Permission to create Enterprise Applications in Microsoft Entra

Microsoft recommends using either the Cloud Application Administrator role or a higher-level administrator role to configure SCIM provisioning.


Features Supported

The following provisioning actions are supported:

  • Create Users - Creates users automatically in Oktopost when assigned in Microsoft Entra.
  • Update User Attributes - Updates supported user attributes automatically when changes are made in Microsoft Entra.
  • Deactivate Users - Automatically deactivates users in Oktopost when they are unassigned or disabled in Microsoft Entra.

Before You Begin

You should first decide whether you are provisioning:

  • Oktopost platform users
  • Oktopost Advocacy users

The SCIM endpoint differs depending on which environment you want to provision.

Environment          SCIM Endpoint
Oktopost Platform    https://app.oktopost.com/scim/v2
Oktopost Advocacy    https://board.oktopost.com/scim/v2

Configuration Steps

Step 1 — Create a Custom Enterprise Application

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to:

    Identity → Applications → Enterprise applications

  3. Click:

    New application

  4. Select:

    Create your own application

  5. Enter a name for the application (example: Oktopost SCIM)
  6. Select:

    Integrate any other application you don't find in the gallery (Non-gallery)

  7. Click:

    Create

Microsoft Entra will create a custom Enterprise Application for Oktopost provisioning.

Step 2 — Configure SAML Single Sign-On

  1. In the Enterprise Application menu, select:

    Single sign-on

  2. Choose:

    SAML

  3. Under Basic SAML Configuration, click Edit
  4. Configure the following values:

    Field                     Value
    Identifier (Entity ID)    https://app.oktopost.com
    Reply URL (ACS URL)       https://app.oktopost.com/auth/acs
    Sign-on URL (optional)    https://app.oktopost.com/auth/login

  5. Save the configuration.

Step 3 — Download SAML Information for Oktopost

After configuring SAML:

  1. Download the Certificate (Base64)
  2. Copy the following values:
    • Login URL
    • Microsoft Entra Identifier

These values are required when configuring SSO inside Oktopost. Go to Settings > Security > Single Sign-On, click to enable SSO, and then enter the following:

  1. SAML endpoint: Enter the Login URL you copied

  2. Issuer URL: Enter the Microsoft Entra Identifier you copied

  3. X.509 Certificate: click "Select File" and upload the Certificate you downloaded.

Step 4 — Configure SCIM Provisioning

  1. In the left-hand menu, select:

    Provisioning

  2. Click:

    Get started

  3. Change the Provisioning Mode from:

    Manual → Automatic

Step 5 — Enter SCIM Admin Credentials

You must now configure Microsoft Entra to communicate with Oktopost's SCIM endpoint.

Tenant URL

Use the appropriate SCIM endpoint:

Oktopost Platform Users

https://app.oktopost.com/scim/v2

Oktopost Advocacy Users

https://board.oktopost.com/scim/v2

Secret Token

Retrieve the SCIM provisioning token from Oktopost:

Settings → Security → Provisioning

Copy the token and paste it into the Secret Token field in Microsoft Entra.

Step 6 — Test the Connection

  1. Click:

    Test Connection

  2. Confirm Microsoft Entra can successfully communicate with Oktopost.
  3. Once successful, click:

    Save

Step 7 — Configure Provisioning Actions

After saving the configuration:

  1. Open:

    Provisioning → Edit provisioning

  2. Enable the following options:

    • Create Users
    • Update User Attributes
    • Deactivate Users

  3. Save your changes.

Step 8 — Assign Users and Groups

Provisioning only applies to users or groups assigned to the Enterprise Application.

To assign users:

  1. Navigate to:

    Users and groups

  2. Click:

    Add user/group

  3. Select the users or groups you want provisioned into Oktopost.
  4. Click:

    Assign

Microsoft Entra will begin provisioning assigned users during the next synchronization cycle.


Supported User Attributes

Oktopost currently supports the following SCIM user attributes:

SCIM Attribute            Supported
userName                  Yes
name.givenName            Yes
name.familyName           Yes
emails[type eq "work"]    Yes

Important

The user's Username and Email must remain identical.

Mismatched values between Username and Email may cause provisioning failures.
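
A pre-flight check for the rules above (four supported SCIM attributes, Username identical to the work email) and for the Tenant URL rule from earlier in this guide. This is an added example, not Oktopost or Microsoft code; the function names, the sample payloads and the set of ignored housekeeping keys are assumptions.

```python
# Added example: pre-flight check of SCIM User payloads against this page's rules.
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core schema
HOSTS = {"platform": "app.oktopost.com", "advocacy": "board.oktopost.com"}
# Protocol housekeeping keys skipped by the extras check (an assumption).
HOUSEKEEPING = {"schemas", "id", "externalId", "active", "meta"}

def tenant_url(target, eu=False):
    """Tenant URL from the page's endpoint table, applying the eu- prefix rule."""
    return f"https://{'eu-' if eu else ''}{HOSTS[target]}/scim/v2"

def work_email(user):
    """Value of the first emails[] entry typed "work", or None."""
    return next((e.get("value") for e in user.get("emails", [])
                 if e.get("type") == "work"), None)

def unsupported_attributes(user):
    """Attribute paths present in the payload but not in the page's list."""
    known = HOUSEKEEPING | {"userName", "name", "emails"}
    extras = [k for k in user if k not in known]
    extras += ["name." + k for k in user.get("name", {})
               if k not in ("givenName", "familyName")]
    extras += ['emails[type eq "%s"]' % e.get("type")
               for e in user.get("emails", []) if e.get("type") != "work"]
    return sorted(extras)

def check_user(user):
    """Problems the page ties to provisioning failures, as a list of strings."""
    problems = []
    if CORE_USER not in user.get("schemas", []):
        problems.append("missing core User schema")
    username, email = user.get("userName"), work_email(user)
    if not username:
        problems.append("userName is empty")
    if email is None:
        problems.append("no work email")
    elif username and username != email:  # strict: the page says "identical"
        problems.append("userName differs from work email")
    return problems

# Constructed sample payloads (not real users).
GOOD = {"schemas": [CORE_USER], "userName": "ana@example.com", "active": True,
        "name": {"givenName": "Ana", "familyName": "Diaz"},
        "emails": [{"type": "work", "value": "ana@example.com"}]}
BAD = {"schemas": [CORE_USER], "userName": "bob@corp.example.com", "title": "Analyst",
       "name": {"givenName": "Bob", "familyName": "Lee", "formatted": "Bob Lee"},
       "emails": [{"type": "work", "value": "bob.lee@example.com"}]}

if __name__ == "__main__":
    for u in (GOOD, BAD):
        print(u["userName"], check_user(u), unsupported_attributes(u))
```

Attributes reported by unsupported_attributes are candidates for removal from the Entra attribute mappings, so that only the data Oktopost uses leaves the tenant.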


Provisioning Behavior Notes

Existing Users

If a user already exists in Oktopost with the same email address:

  • Microsoft Entra may fail to provision the user
  • Manual reconciliation may be required

License Limits

If your Oktopost account reaches its user license limit:

  • Additional users cannot be provisioned
  • Provisioning errors may appear in Microsoft Entra logs

Synchronization Timing

Microsoft Entra provisioning does not occur instantly.

Typical synchronization intervals are approximately every 20–40 minutes depending on tenant size and provisioning load.


Troubleshooting

Test Connection Fails

Verify:

  • The Tenant URL is correct
  • The SCIM token is valid
  • The provisioning token was copied correctly from Oktopost after clicking "Generate Token". The token is visible only once, and the value that appears after that window closes is NOT the token. If you're unsure whether you have the right token, generate a new one; there is no reason you'll need the old one if you're troubleshooting.
  • Your firewall or proxy is not blocking outbound SCIM requests

Users Are Not Provisioning

Verify:

  • Users or groups are assigned to the Enterprise Application
  • Provisioning Status is enabled
  • The user does not already exist with conflicting attributes
  • Username and Email values match

Provisioning Logs

Provisioning activity and errors can be reviewed in:

Enterprise Applications → [Your App] → Provisioning → Provisioning logs

These logs can help identify attribute mapping errors, licensing issues, or connection failures.

