Azure AD/ Entra ID SCIM provisioning

Set up Azure AD/ Entra ID to provision users for your team or district through SCIM (System for Cross-domain Identity Management).

Only admins can enable, configure, and change their organisation's Security and SSO settings.

Supported provisioning features

  • Create users - Users in Azure AD/ Entra ID assigned to the Colloquial App are added as members of the organisation in Colloquial.
  • Update user attributes - Updates made to the user's profile through Azure AD/ Entra ID will be pushed to Colloquial.
  • Deactivate users - Deactivating the user through Azure AD/ Entra ID will lock the user in Canva.
  • Assign or update roles - Roles assigned to users through Azure AD/ Entra ID will be pushed to Colloquial.

Step 1: Configure Azure AD/ Entra ID SAML

Azure’s built-in Colloquial application only supports SAML. To set up SCIM, first complete the setup instructions in "Using Colloquial SAML Single Sign-On with Azure AD/Entra ID".


Step 2: Get Colloquial's SCIM provisioning API token

  1. Log in to your Colloquial account.
  2. On the upper corner of the homepage, click the cog icon to go to Settings.
  3. From the side menu, select Security and SSO.
  4. Under SCIM, select Generate Token.
  5. Copy the access token.
    Colloquial > Settings > Security & SSO > SCIM provisioning

    Step 3: Configure SCIM provisioning in Azure AD/ Entra ID

    1. Open the Colloquial app you’ve set up in Azure AD/ Entra ID.
    2. From the side menu under Manage, select Provisioning.
    3. Next to Provisioning Mode, select Automatic from the dropdown.
    4. Under Admin Credentials, input the following:
      1. Tenant URL: https://app.colloquial.io/scim_v2/?aadOptscim062020
      2. Secret Token: Enter Colloquial's access token from Step 2
    5. To verify the connection, click Test Connection.
    6. On top of the settings window, click Save.

    If you need to test automated provisioning for a small number of users before rolling out to everyone, we recommend configuring scoping filters for users and groups first. See Scoping users or groups to be provisioned with scoping filters for instructions.


    Configure Attribute Mappings

    Users

    1. Under Mappings, select Provision Azure Active Directory/ Entra ID Users.
    2. Under Target Object Actions, make sure to select only Create and Update.
    3. Under Attribute Mappings, configure them as follows:

    It’s important that the SAML nameId attribute matches the SCIM userName attribute above. Ensure that in the Single sign-on configuration, the Unique User Identifier is mapped to user.userprincipalname, like below:

    Azure AD/Entra ID Attributes & Claims
    4. Click Save.

    Enabling Role Management

    Step 1: Configure App Registration Roles

    If you have the latest Colloquial App Registration from the Azure Gallery, the following roles will be configured. If you have used a custom app, please configure the app as follows.

    1. Open App Registrations.
    2. Select the Colloquial App Registration (you may have used a custom name).
    3. Under App Roles, configure them as follows (use Create app role):
    | Display name | Description | Value |
    |--------------|-------------|-------|
    | Admin | Users can manage user access and systems settings such as integration. | admin |
    | Curator | Users can create and modify Groups, Templates and Views. | curator |
    | Contributor | Users can modify Fact Cards and Facts, including Tags and Groups. | contributor |
    | Consumer | Users can add new Fact Cards and Facts. | consumer |
    | Read Only | Users can read all data but not make any modifications. | read_only |

    See the example configuration.

    Step 2: Configure Users and Groups

    1. Open Enterprise Applications.
    2. Select the Colloquial Enterprise Application (you may have used a custom name).
    3. Under Users and groups, select Add user/group.
    4. Using the Add Assignment options:

      Add assignment screen
      1. Under Users and groups, click None Selected, and select your configuration (follow your organisation's convention, such as usr-sso-colloquial-curator).
      2. Click the Select button to complete the action.
      3. Under Select a role, click None Selected, and select your desired role from the pane (note: it can take several minutes for new roles to appear).
      4. Click the Select button to complete the action.

    Once complete, your list of Users and groups should look similar to below.

    Step 3: Configure SCIM Attribute Mapping

    1. Open the Colloquial app you’ve set up in Azure AD/ Entra ID.
    2. From the side menu under Manage, select Provisioning.
    3. Select Admin Credentials, and ensure the following:
      1. Tenant URL: https://app.colloquial.io/scim_v2/?aadOptscim062020

    4. Select Mappings, and click Provision Azure Active Directory Users.
      1. Scroll down until you see Show advanced options and select this option.
      2. Click the newly available Edit attribute list for customappsso or Edit attribute list for Colloquial (which one appears depends on whether you used the published Azure App or created a custom Enterprise App).
      3. Add a new entry at the bottom of your list:
        1. Name is roles
        2. Type is String
        3. Multi-Value? is checked
      4. Click Save.
      5. Select Add New Mapping:
        1. Mapping Type: Expression
        2. Expression: AssertiveAppRoleAssignmentsComplex([appRoleAssignments])
        3. Default value: empty
        4. Target attribute: roles
        5. Match objects using this attribute: No
        6. Apply this mapping: Always
      6. Click Save.

    5. Review Attribute Mappings to match below. Press Save.

    You will now see roles populated and synced to Colloquial based on a schedule.
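
A way to check what the roles mapping pushes, as an added example (not Colloquial's or Microsoft's code): the script audits the roles in a SCIM PATCH body against the app role values from the table in Step 1 of Enabling Role Management. The payload is constructed, its shape is assumed from the SCIM PatchOp schema (RFC 7644) rather than captured from Entra ID, and `audit_roles_patch` is a hypothetical helper name.

```python
import json

# App role values from the "Configure App Registration Roles" table.
ALLOWED_ROLES = {"admin", "curator", "contributor", "consumer", "read_only"}
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample PATCH body (shape assumed from RFC 7644, not captured).
SAMPLE_PATCH = json.dumps({
    "schemas": [PATCH_SCHEMA],
    "Operations": [
        {"op": "Replace", "path": "roles", "value": [
            {"primary": False, "display": "Curator", "value": "curator"},
            {"primary": False, "display": "Admin", "value": "admin"},
            {"primary": False, "display": "Owner", "value": "owner"},
        ]},
        {"op": "Replace", "path": "displayName", "value": "Sam Example"},
    ],
})


def audit_roles_patch(raw_body):
    """Return (granted, rejected, findings) for the roles carried by a PATCH."""
    body = json.loads(raw_body)
    if PATCH_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    granted, rejected, findings = [], [], []
    for op in body.get("Operations", []):
        # Compare op and path case-insensitively: clients differ in casing.
        if str(op.get("path", "")).lower() != "roles":
            continue
        if str(op.get("op", "")).lower() not in ("add", "replace"):
            continue
        values = op.get("value") or []
        if isinstance(values, (dict, str)):  # single value instead of a list
            values = [values]
        for entry in values:
            role = entry.get("value") if isinstance(entry, dict) else entry
            if isinstance(role, str) and role in ALLOWED_ROLES:
                granted.append(role)
                if role == "admin":
                    findings.append("admin role pushed: confirm the assignment")
            else:
                rejected.append(role)
                findings.append(f"unknown role value {role!r}: not an app role")
    return granted, rejected, findings


if __name__ == "__main__":
    print(*audit_roles_patch(SAMPLE_PATCH)[2], sep="\n")
```

A role value that does not match the Value column exactly (for example a display name such as "Read Only" instead of read_only) lands in the rejected list.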
