Explore automatic user creation


Diagram of the process flow for auto user provisioning in Microsoft Entra ID. Auto provision users and groups.

Components of SCIM (System for Cross-Domain Identity Management)

  • HCM system - Applications and technologies that enable Human Capital Management process and practices that support and automate HR processes throughout the employee lifecycle.
  • Microsoft Entra Provisioning Service - Uses the SCIM 2.0 protocol for automatic provisioning. The service connects to the SCIM endpoint for the application, and uses the SCIM user object schema and REST APIs to automate provisioning and deprovisioning of users and groups.
  • Microsoft Entra ID - User repository used to manage the lifecycle of identities and their entitlements.
  • Target system - Application or system that has a SCIM endpoint and works with the Microsoft Entra provisioning service to enable automatic provisioning of users and groups.

Why use SCIM?

System for Cross-Domain Identity Management (SCIM) is an open standard protocol for automating the exchange of user identity information between identity domains and IT systems. SCIM ensures that employees added to the Human Capital Management (HCM) system automatically have accounts created in Microsoft Entra ID or Windows Server Active Directory. User attributes and profiles are synchronized between the two systems, updating or removing users based on user status or role changes.

The key is keeping your identity systems up to date. If a user can be automatically deprovisioned from Microsoft Entra ID as soon as they're removed from your HR systems, you have less to worry about from a possible breach.
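The following is an added example, not code from Microsoft or from this module: a sketch of how a target system's SCIM endpoint could apply the deprovisioning request described above. The schema URNs and PatchOp message shape follow SCIM 2.0 (RFC 7643 and RFC 7644); the user record, the function names, and the sample request (including its capitalized `op` and string-valued boolean) are constructed assumptions.

```python
import copy

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample: a user record as the target system might store it.
SAMPLE_USER = {"schemas": [USER_SCHEMA], "id": "2819c223",
               "userName": "avery@example.com", "active": True}

# Constructed sample: the PATCH body a provisioning client sends to
# /Users/{id} when the person is removed from the HR system.
SAMPLE_DEPROVISION = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}],
}


def to_bool(value):
    """Accept JSON booleans and the strings some clients send instead."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"not a boolean: {value!r}")


def apply_patch(user, patch):
    """Return a copy of `user` with the PatchOp applied; reject anything unexpected."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("missing PatchOp schema")
    updated = copy.deepcopy(user)
    for op in patch.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            raise ValueError(f"unsupported op: {op.get('op')!r}")
        # 'replace' may name the attribute in 'path' or carry a dict of attributes.
        changes = {op["path"]: op["value"]} if "path" in op else op["value"]
        for attr, value in changes.items():
            if attr != "active":
                raise ValueError(f"unsupported attribute: {attr!r}")
            updated["active"] = to_bool(value)
    return updated


def can_sign_in(user):
    """The access decision must honor the flag, or deprovisioning is cosmetic."""
    return user.get("active") is True
```

The handler fails closed: any operation or attribute it does not recognize is rejected rather than silently ignored, so a deprovisioning request can never be acknowledged without taking effect.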

API-driven inbound provisioning

Not all HR systems expose a SCIM endpoint. For these scenarios, Microsoft Entra ID supports API-driven inbound provisioning, which reached general availability in March 2024. Instead of requiring the source system to push data via SCIM, any automation tool or script can retrieve workforce data from any system of record and send it to the Microsoft Entra provisioning API. Supported authoritative sources include Workday, SAP SuccessFactors, and any custom HR system integrated via the API. This approach gives organizations flexibility to automate identity lifecycle management regardless of their HR platform's native integration capabilities.