Microsoft Entra ID SCIM Integration
This guide walks through configuring Microsoft Entra ID provisioning for AxonFlow Enterprise.
Before You Start
You need:
- Microsoft Entra ID admin access
- a SCIM token created in the AxonFlow customer portal
- the actual enterprise hostname for the AxonFlow environment
Use this pattern for the tenant URL:
https://YOUR_PORTAL_OR_ENTERPRISE_DOMAIN/scim/v2
Step 1: Create the Enterprise Application
- open the Azure portal
- go to Enterprise applications
- create a non-gallery application for AxonFlow
- name it after the environment you are provisioning into
Clear environment naming matters if your company runs staging and production tenants in parallel.
Step 2: Configure Provisioning
Under Provisioning:
| Field | Value |
|---|---|
| Provisioning mode | Automatic |
| Tenant URL | https://YOUR_PORTAL_OR_ENTERPRISE_DOMAIN/scim/v2 |
| Secret token | your AxonFlow SCIM token |
Unlike Okta's header-auth template flow, where you enter the full header value, Entra ID expects the bare token in the secret field: it adds the `Bearer` prefix itself, so pasting the full `Bearer ...` string produces a doubled prefix and a failed connection test.
Step 3: Test the Connection
Run the built-in connection test before enabling wider rollout.
If the test fails:
- verify the tenant URL points to the right environment
- confirm the token was copied correctly
- confirm the token has not expired or been revoked
- validate the same URL and token manually against `/scim/v2/Users`
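The manual check above, as an added example (not AxonFlow's or Microsoft's tooling): it sends the same authenticated GET the connection test depends on, with the raw token in an `Authorization: Bearer` header, and maps the HTTP outcome onto the checklist above. The hostname is the guide's placeholder; the response classification follows general HTTP and SCIM 2.0 (RFC 7644) semantics, and `count=1` is standard SCIM pagination, so no AxonFlow-specific behaviour is assumed.

```python
"""Manual SCIM endpoint probe (added example, not AxonFlow's own tooling).

Sends the authenticated GET that the Entra ID connection test depends on,
using the raw token in an Authorization: Bearer header, and turns the HTTP
outcome into one of the checks from this guide. TENANT_URL is a placeholder.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# Placeholder from the guide; substitute the real enterprise hostname.
TENANT_URL = "https://YOUR_PORTAL_OR_ENTERPRISE_DOMAIN/scim/v2"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


@dataclass
class ProbeResult:
    status: int
    content_type: str
    body: str


def normalize_tenant_url(url: str) -> str:
    """Catch the URL mistakes the guide lists: non-https, missing /scim/v2,
    or a trailing slash that would join into //Users."""
    url = url.strip().rstrip("/")
    if not url.startswith("https://"):
        raise ValueError("tenant URL must use https")
    if not url.endswith("/scim/v2"):
        raise ValueError(f"tenant URL must end in /scim/v2, got {url!r}")
    return url


def normalize_token(token: str) -> str:
    """Entra ID adds the 'Bearer ' prefix itself; strip it if it was pasted in."""
    token = token.strip()
    if token.lower().startswith("bearer "):
        token = token[len("bearer "):].strip()
    if not token:
        raise ValueError("empty SCIM token")
    return token


def probe_users(tenant_url: str, token: str, timeout: float = 10.0) -> ProbeResult:
    """GET /Users?count=1 (standard SCIM pagination) with the bearer token."""
    url = normalize_tenant_url(tenant_url) + "/Users?count=1"
    req = urllib.request.Request(url, headers={
        "Authorization": "Bearer " + normalize_token(token),
        "Accept": "application/scim+json",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return ProbeResult(resp.status, resp.headers.get("Content-Type", ""),
                               resp.read().decode("utf-8", errors="replace"))
    except urllib.error.HTTPError as err:
        return ProbeResult(err.code, err.headers.get("Content-Type", ""),
                           err.read().decode("utf-8", errors="replace"))


def diagnose(result: ProbeResult) -> str:
    """Map the raw HTTP outcome onto the troubleshooting items in this guide."""
    if result.status in (401, 403):
        return "token rejected: re-copy it from the portal and confirm it is not expired or revoked"
    if result.status == 404:
        return "path not found: confirm the hostname and that the URL ends in /scim/v2"
    if result.status != 200:
        return f"unexpected HTTP {result.status}: check the AxonFlow side for this request"
    if "json" not in result.content_type.lower():
        return "200 but non-JSON response: the URL likely hits a login page or proxy, not the SCIM endpoint"
    try:
        body = json.loads(result.body)
    except json.JSONDecodeError:
        return "200 but body is not valid JSON: wrong endpoint or an interposed proxy"
    if LIST_RESPONSE not in body.get("schemas", []):
        return "200 but not a SCIM ListResponse: the path is not a SCIM /Users endpoint"
    return f"ok: SCIM endpoint reachable, totalResults={body.get('totalResults')}"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} TENANT_URL SCIM_TOKEN")
    print(diagnose(probe_users(sys.argv[1], sys.argv[2])))
```

Run it with the exact tenant URL and token you pasted into the Provisioning page; a `path not found` or `non-JSON response` result points at the URL, a `token rejected` result at the secret, which is the same split the checklist above asks you to make.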
Step 4: Review User Attribute Mappings
The exact source attributes can vary by tenant setup, but the core target fields still matter:
| Entra ID attribute | AxonFlow SCIM attribute |
|---|---|
| userPrincipalName | userName |
| mail | emails[type eq "work"].value |
| givenName | name.givenName |
| surname | name.familyName |
| objectId | externalId |
Do not assume the defaults are right for every tenant. Review them with a real pilot user.
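A way to review the mapping against pilot users before the first sync, as an added example that is not AxonFlow's provisioning code: it builds the core SCIM 2.0 User resource the table above implies and runs the checks a pilot review should make (empty or duplicate `userName`, missing `mail`, missing `externalId`, and what a create would collide with in the target). The pilot users and object IDs are constructed sample data; mapping `accountEnabled` to `active` is an assumption beyond the table, included so deactivation has something to inspect.

```python
"""Simulate the Step 4 mapping against pilot users (added example, not
AxonFlow's provisioning code).

Builds the core SCIM 2.0 User resource the provisioning job would send for
the mapping table above, then runs the checks a pilot review should make
before widening scope. The pilot users and object IDs are constructed sample
data; accountEnabled -> active is an assumption beyond the table.
"""
from __future__ import annotations
from collections import Counter

SCIM_USER = "urn:ietf:params:scim:core:schemas:2.0:User"

# Constructed sample users shaped like the Entra ID attributes in the table.
PILOT_USERS = [
    {"objectId": "00000000-0000-0000-0000-000000000001",
     "userPrincipalName": "ana.lima@corp.example", "mail": "ana.lima@corp.example",
     "givenName": "Ana", "surname": "Lima", "accountEnabled": True},
    {"objectId": "00000000-0000-0000-0000-000000000002",
     "userPrincipalName": "bo.chen@corp.example", "mail": None,  # mailbox not created yet
     "givenName": "Bo", "surname": "Chen", "accountEnabled": True},
]


def map_entra_user(u: dict) -> dict:
    """Apply the table: UPN -> userName, mail -> emails[work], objectId -> externalId."""
    scim = {
        "schemas": [SCIM_USER],
        "externalId": u.get("objectId") or "",
        "userName": u.get("userPrincipalName") or "",
        "name": {"givenName": u.get("givenName"), "familyName": u.get("surname")},
        "active": bool(u.get("accountEnabled", True)),  # assumption, not from the table
        "emails": [],
    }
    if u.get("mail"):
        scim["emails"].append({"type": "work", "value": u["mail"], "primary": True})
    return scim


def check_mapped_users(users: list[dict]) -> dict[str, list[str]]:
    """Problems keyed by externalId (or userName if that is empty); {} means clean."""
    problems: dict[str, list[str]] = {}
    counts = Counter(u["userName"].lower() for u in users if u["userName"])
    for u in users:
        found = []
        if not u["userName"]:
            found.append("userName is empty: the source attribute is missing")
        elif counts[u["userName"].lower()] > 1:
            found.append("userName is not unique across the pilot set")
        if not u["emails"]:
            found.append('mail is not populated, so emails[type eq "work"].value will be absent')
        if not u["externalId"]:
            found.append("externalId is empty: updates cannot be matched back to the Entra object")
        if found:
            problems[u["externalId"] or u["userName"]] = found
    return problems


def classify_incoming(existing: list[dict], incoming: dict) -> str:
    """What a provisioning create for `incoming` would hit among `existing` users.

    Matching on externalId first is what makes a UPN rename an update rather
    than a duplicate; a userName hit with a different externalId is the
    'already exists under a different identifier' conflict from the guide.
    """
    by_ext = {e["externalId"]: e for e in existing if e["externalId"]}
    by_name = {e["userName"].lower(): e for e in existing if e["userName"]}
    if incoming["externalId"] and incoming["externalId"] in by_ext:
        return "update"
    if incoming["userName"] and incoming["userName"].lower() in by_name:
        return "conflict"
    return "create"


if __name__ == "__main__":
    mapped = [map_entra_user(u) for u in PILOT_USERS]
    for key, issues in check_mapped_users(mapped).items():
        print(key, issues)
```

Feed it an export of the real pilot users' attributes rather than the constructed ones; anything it reports on `userName` or `mail` will show up in the provisioning logs as a failed or half-populated user once the job runs.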
Step 5: Scope the Rollout
For most enterprise teams, the safer initial scope is:
- only assigned users and groups
That keeps the first rollout controlled and makes troubleshooting materially easier.
Step 6: Validate with Provision on Demand
Before waiting on full sync cycles, use Entra ID's per-user provisioning test flow if available in your tenant.
That lets you validate:
- connection
- mapping shape
- create behavior
- update behavior
without waiting for a broad background provisioning cycle.
Step 7: Enable Group Sync Carefully
If you plan to use IdP groups to support enterprise access control in AxonFlow:
- enable group provisioning only after user provisioning is stable
- start with one pilot group
- confirm the group lands in the correct tenant
- then align synced groups to your AxonFlow role model
Common Entra ID Issues
Connection test fails
Check:
- the tenant URL includes `/scim/v2`
- the hostname is correct for the target environment
- the token is current
- outbound connectivity from Entra ID to the AxonFlow endpoint is not blocked
Provisioning stays pending
Check:
- whether you are waiting on a background cycle instead of using on-demand provisioning
- whether the provisioning job is enabled
- whether the users or groups are in scope
Attributes do not land correctly
Check:
- whether `mail` is populated for the pilot user
- whether the chosen `userName` value is stable and unique
- whether a custom expression is producing an unexpected value
Unexpected conflicts
Check:
- whether the user already exists in AxonFlow under a different identifier
- whether another IdP app or manual workflow already provisioned the same account
Recommended Enterprise Rollout Pattern
- create the non-gallery app
- configure tenant URL and token
- test the connection
- provision one pilot user
- validate update and deactivation
- provision one pilot group
- rotate credentials if needed and expand scope
