Setting up SCIM with Microsoft Entra
Microsoft Entra ID (formerly Azure Active Directory) supports SCIM 2.0 for automatic user provisioning. This guide walks you through connecting Entra to 21RISK so that users and groups are automatically synced. Let's get started ✅
Prerequisites: Before setting up SCIM, make sure you have:
- An active SSO connection between 21RISK and Microsoft Entra. See Setting up SSO with Microsoft Entra.
- IT admin permissions in 21RISK.
- Admin access to Microsoft Entra ID.
Step 1 — Create a SCIM connection in 21RISK
Log in to 21RISK and navigate to Settings → Advanced.
Scroll down to the SCIM card and click Create SCIM connection.
After creating the connection, you will be taken to the SCIM connection details page. Here you will find two important pieces of information you'll need for Entra:
- Tenant URL — displayed on the page (e.g. https://21risk.com/scim/v2/scim_conn_...)
- Bearer Token — you will generate this next
Step 2 — Generate a Bearer Token
On the SCIM connection details page, click Create Bearer Token.
A token will be generated and displayed once. Copy the token immediately — you will not be able to see it again, as 21RISK only stores a hash of the token.
Important: Store the Bearer Token securely. If you lose it, you will need to rotate (regenerate) it, which will invalidate the previous token and require updating the configuration in Entra.
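The token handling described above (the plaintext token is shown once, only a hash is stored, and rotation invalidates the old token) is illustrated below. This is an added example, not 21RISK's code; the class and method names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class ScimConnection:
    """Hypothetical server-side record for one SCIM connection (assumption)."""

    def __init__(self, connection_id: str) -> None:
        self.connection_id = connection_id
        self._token_hash: Optional[str] = None  # only the hash is persisted

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create_bearer_token(self) -> str:
        """Generate a fresh token; the caller must copy it now, it is never stored."""
        token = secrets.token_urlsafe(32)
        self._token_hash = self._hash(token)
        return token

    def rotate_bearer_token(self) -> str:
        """Rotate: the previous token stops working the moment the hash is replaced."""
        return self.create_bearer_token()

    def authorize(self, authorization_header: Optional[str]) -> bool:
        """Check an incoming 'Authorization: Bearer <token>' header against the stored hash."""
        if self._token_hash is None or not authorization_header:
            return False
        scheme, _, presented = authorization_header.partition(" ")
        presented = presented.strip()
        if scheme.lower() != "bearer" or not presented:
            return False
        # compare hashes in constant time so verification leaks no timing information
        return hmac.compare_digest(self._hash(presented), self._token_hash)
```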
Step 3 — Configure provisioning in Microsoft Entra
Now switch to the Azure portal. Navigate to Microsoft Entra ID → Enterprise applications and find the 21RISK application you created for SSO.
In the left sidebar, click Manage → Provisioning.
Click Connect your application to begin configuring provisioning.
This should take you to a page called "New provisioning configuration".
- Tenant URL — paste the Tenant URL from 21RISK (e.g. https://21risk.com/scim/v2/scim_conn_...)
- Secret Token — paste the Bearer Token you copied earlier
Click Test Connection to verify that Entra can connect to 21RISK's SCIM endpoint. If the test succeeds, click Save.
After a successful connection test, click "Create". This should take you back to the Overview.
Step 4 — Configure attribute mappings
After saving, expand the Mappings section. You will see two mappings:
- Provision Microsoft Entra ID Groups — syncs groups to 21RISK
- Provision Microsoft Entra ID Users — syncs users to 21RISK
The default mappings are usually sufficient. 21RISK expects the following user attributes:
| Entra Attribute | SCIM Attribute | Required |
|---|---|---|
| userPrincipalName | userName | Yes |
| mail | emails[type eq "work"].value | Yes |
| givenName | name.givenName | No |
| surname | name.familyName | No |
| displayName | displayName | No |
| Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | Yes |
Tip: You generally don't need to modify the default mappings. If you need to customize them, consult your IT team or reach out to support@21risk.com.
Step 5 — Assign users and groups
Before turning on provisioning, you need to decide which users and groups will be synced. In the left sidebar of your Enterprise application, click Manage → Users and groups.
Click Add user/group and select the users or groups you want to provision to 21RISK.
Please consult 21RISK if you are in doubt about the users to sync.
Tip: We recommend assigning groups rather than individual users. This way, when someone is added to or removed from a group in Entra, their 21RISK access is automatically updated.
Step 6 — Start provisioning
Go back to the Provisioning page and set the Provisioning Status to On. Click Save.
Entra will start an initial provisioning cycle, which may take a few minutes depending on the number of users and groups. Subsequent sync cycles occur approximately every 40 minutes.
You can monitor the provisioning progress in the Provisioning logs section.
Verify provisioning in 21RISK
Once the initial cycle completes, provisioned users should appear on the SCIM page.
Note: If no users are showing up, you might need to wait up to 40 minutes. You can also provision on-demand to test it without waiting.
Users in 21RISK
SCIM provisioning in 21RISK is a two-step process:
- Step 1 — Staging: Microsoft Entra pushes users and groups to 21RISK's SCIM API. These are stored in a staging layer (the "SCIM Users" and "SCIM Groups" tables on the connection page). At this point, the users are not yet active in 21RISK — they are simply staged.
- Step 2 — Sync to 21RISK: A separate sync process picks up staged users and provisions them as real 21RISK accounts. This process creates the user, adds them to the correct tenant, assigns them to internal user groups, and calculates their permissions and site access.
Sync schedule: The sync runs automatically every hour between 06:00 and 18:00 UTC, Monday to Friday. You can also trigger a sync manually at any time by clicking the Sync to 21RISK button on the SCIM connection page.
For a user to be synced from the staging layer into 21RISK, the following conditions must be met:
- The user must not be marked as deleted in the SCIM staging layer (i.e., they must be active in Entra).
- The user's email must match one of your organization's SSO domains configured in 21RISK.
- The user must not already exist as a member of the tenant in 21RISK.
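The three sync conditions above, applied to a batch of staged users, as an added example (not 21RISK's sync implementation); the staged record shape, function names and sample data are constructed for illustration. It also skips a duplicate staged entry for a user provisioned earlier in the same run.

```python
from dataclasses import dataclass


@dataclass
class StagedUser:
    user_name: str          # SCIM userName (Entra userPrincipalName)
    email: str              # SCIM emails[type eq "work"].value
    active: bool            # SCIM active, derived from IsSoftDeleted in Entra
    deleted: bool = False   # marked deleted in the SCIM staging layer


def sync_decision(user, sso_domains, members):
    """Return (should_sync, reason) for one staged user; members is a set of lowercase emails."""
    if user.deleted or not user.active:
        return False, "deleted or inactive in Entra"
    domain = user.email.rpartition("@")[2].lower()
    if not domain or domain not in {d.lower() for d in sso_domains}:
        return False, f"email domain '{domain}' is not an SSO domain"
    if user.email.lower() in members:
        return False, "already a member of the tenant"
    return True, "ok"


def run_sync(staged, sso_domains, existing_members):
    """Provision eligible staged users; returns (provisioned emails, {email: skip reason})."""
    provisioned, skipped = [], {}
    members = {m.lower() for m in existing_members}
    for u in staged:
        ok, reason = sync_decision(u, sso_domains, members)
        if ok:
            provisioned.append(u.email)
            members.add(u.email.lower())  # a second staged copy must not be provisioned twice
        else:
            skipped[u.email] = reason
    return provisioned, skipped


# Constructed sample staging data (not real accounts).
STAGED = [
    StagedUser("alice@example.com", "alice@example.com", True),
    StagedUser("bob@example.com", "bob@example.com", False),          # soft-deleted in Entra
    StagedUser("carol@contractor.example", "carol@contractor.example", True),
    StagedUser("dave@example.com", "dave@example.com", True),          # already in the tenant
    StagedUser("alice@example.com", "alice@example.com", True),        # duplicate staged entry
]
SSO_DOMAINS = ["example.com"]
EXISTING_MEMBERS = ["dave@example.com"]
```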
You can monitor the sync history on the SCIM connection page under Sync History .
Each sync run shows its status (completed, failed, or in-progress), how many users were provisioned, and when it started and finished. Click a sync ID to see the detailed step-by-step log.
Rotating the Bearer Token
If you need to rotate the Bearer Token (for example, as part of a regular security rotation), navigate to the SCIM connection details page in 21RISK and click Rotate Bearer Token. This will invalidate the old token immediately.
After rotating, update the Secret Token in Microsoft Entra under Provisioning → Admin Credentials and click Save .
Deleting the SCIM Connection
To stop SCIM provisioning, first disable provisioning in Microsoft Entra by setting the Provisioning Status to Off. Then, in 21RISK, navigate to the SCIM connection details page and click Delete in the Danger Zone.
Warning: Deleting the SCIM connection cannot be undone. Existing users that were provisioned via SCIM will retain their current access — they will not be automatically removed.
Troubleshooting
| Issue | Solution |
|---|---|
| Test Connection fails | Verify the Tenant URL and Bearer Token are correct. Ensure there are no extra spaces. |
| Users not appearing in 21RISK | Check the provisioning logs in Entra for errors. Confirm the users are assigned to the Enterprise application. |
| Token expired or lost | Rotate the Bearer Token in 21RISK and update it in Entra. |
| Deactivated users still have access | The sync process runs periodically. Allow some time, or contact support@21risk.com if the issue persists. |
For additional help, contact support@21risk.com.