
Automatic user provisioning with SCIM and MS Entra

User provisioning via SCIM helps the IT administrator add and remove user accounts from Teamdash automatically.

Written by Karl-Sander Erss

Automatic user provisioning is available to all accounts with the SCIM add-on enabled.

Setting up the API key in Teamdash

  1. Log in as an admin user

  2. Click the settings button in the top-right corner (the cog)

  3. In the left-hand menu, choose API

  4. Create a new Key with the Manage users permission

Teamdash also supports provisioning users from multiple Microsoft tenants in parallel (multiple SCIM providers). Please ask your CSM to enable this when needed. When this feature is enabled, the process for obtaining the API key differs slightly.

  1. Log in as an admin user

  2. Click the settings button in the top-right corner (the cog)

  3. In the left-hand menu, choose User Provisioning (SCIM)

  4. There will be one default SCIM provider. (You can add more by clicking Create SCIM Provider)

  5. When you click Edit, you can go to the API tab and copy the key


Setting up the Enterprise Application in Microsoft Entra

To enable user provisioning from Microsoft Entra, you need to add an enterprise application entry in Microsoft Entra. The application must be configured correctly to connect to the Teamdash instance, and its attribute mappings must be set up the way Teamdash expects.

Adding an enterprise application

  1. Log in

  2. Add an enterprise application entry for Teamdash user provisioning

  3. Click + Create your own application

  4. Choose a name, e.g., "Teamdash User Provisioning"

  5. Choose "Integrate any other application you don't find in the gallery (Non-gallery)"

  6. Click Create

Configuring the enterprise application

  1. Click Provisioning in the left-hand menu twice

  2. Choose the provisioning mode Automatic

    1. When you are using Multi SCIM, you can go to the SCIM provider edit view in Teamdash and copy the URL from there.

  3. Paste the API key you obtained earlier into the Secret Token field

  4. Test connection

  5. Save

Configuring SCIM attribute mapping

Microsoft Entra users and Teamdash users are matched using the contact email field of Microsoft users. If you wish to map a Microsoft user to a pre-existing Teamdash user, then the Microsoft user's contact email must be the same as the Teamdash user's email.

In Microsoft Entra, the default user mapping configuration must be changed such that the user's contact email (which maps to the emails[type eq "work"].value SCIM attribute) is the only value used for matching users.

  1. Go to Attribute Mapping from the left menu

  2. Pick Provision Microsoft Entra ID Users

  3. Click Edit on the row which maps "mail" to "emails[type eq "work"].value".

  4. Set Match objects using this attribute to Yes and Matching precedence to 2

  5. Press OK

  6. Click Edit on the row that maps "user principal name" to "userName"

  7. Set Match objects using this attribute to No

  8. Press OK

  9. Save

Assigning users to automatic user provisioning

To include Microsoft users in the automatic provisioning, they must be added to the enterprise application in Microsoft Entra. You can choose which users or groups are included. It's often not necessary to provision every single user and group in your Microsoft Entra tenant.

  1. Go to Users & Groups from the left menu

  2. Click Add user/group

  3. Select the users and groups you wish to include in the automatic provisioning system

  4. Click Assign

Starting the automatic provisioning system

Once the enterprise application has been correctly configured and all relevant users/groups have been added to it, you can start the automatic provisioning system. This can be done by clicking the Start provisioning button in the provisioning/overview page. Once the process has started, users/groups will be synced every 20–40 minutes.

If you are using user provisioning from multiple Microsoft tenants in parallel (multiple SCIM providers), the configuration process must be done for each tenant separately.


Managing multiple SCIM providers in Teamdash

If you're using user provisioning from multiple Microsoft tenants in parallel (multiple SCIM providers), then it's necessary to choose which Teamdash users are managed by which SCIM provider. This is necessary to avoid conflicts between SCIM providers; a user can only belong to one SCIM provider.

The structure of which user belongs to which SCIM provider is managed through Teamdash teams. Every SCIM provider manages some set of teams (and by extension, every member of those teams). To set this system up, it's necessary to assign teams to SCIM providers.

  1. Log in as an admin user

  2. Click the settings button in the top-right corner (the cog)

  3. In the left-hand menu, choose User Provisioning (SCIM)

  4. Click Edit

    1. On the Teams tab, you can choose which team is managed by which SCIM provider

A few notes about provisioning

  • The links between existing users and Identity Provider (IdP) accounts are created based on email addresses

  • Non-linked accounts can still exist on Teamdash (TD)

  • When an IdP account is removed from provisioning, it is deactivated in TD

  • When an IdP account is removed from the IdP tenant, it is deactivated in TD

  • All created user accounts have the limited role.
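
Because matching relies only on the contact email (see "Configuring SCIM attribute mapping" and the notes above), it helps to check before starting provisioning which accounts will link, which will be created, and which will stay unlinked. The following is an added example, not Teamdash or Microsoft code. The sample records, the function name and the case-insensitive comparison are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: an Entra user export and existing Teamdash user emails.
ENTRA_USERS = [
    {"userPrincipalName": "anna@corp.example", "mail": "Anna.Tamm@corp.example"},
    {"userPrincipalName": "mart@corp.example", "mail": "mart@corp.example"},
    {"userPrincipalName": "svc-scan@corp.example", "mail": None},
    {"userPrincipalName": "liis@corp.example", "mail": "hr@corp.example"},
    {"userPrincipalName": "peeter@corp.example", "mail": "hr@corp.example"},
]
TEAMDASH_EMAILS = ["anna.tamm@corp.example", "contractor@agency.example",
                   "hr@corp.example"]


def _norm(email):
    # Assumption: emails are compared case-insensitively, ignoring padding.
    return email.strip().lower()


def plan_email_matching(entra_users, teamdash_emails):
    """Predict how Entra users pair with Teamdash users when the contact
    email ("mail") is the only matching attribute."""
    by_mail = defaultdict(list)   # normalized mail -> UPNs that carry it
    no_mail = []                  # Entra users with nothing to match on
    for user in entra_users:
        mail = (user.get("mail") or "").strip()
        if mail:
            by_mail[_norm(mail)].append(user["userPrincipalName"])
        else:
            no_mail.append(user["userPrincipalName"])

    existing = {_norm(e) for e in teamdash_emails}
    unique = {m for m, upns in by_mail.items() if len(upns) == 1}
    return {
        # Exactly one Entra user has this mail and a Teamdash user already exists.
        "links_existing": sorted(unique & existing),
        # No Teamdash user with this mail yet, so a new account is expected.
        "creates_new": sorted(unique - existing),
        # Several Entra users share one mail: resolve before provisioning.
        "duplicate_mail": {m: sorted(u) for m, u in by_mail.items() if len(u) > 1},
        "no_mail": sorted(no_mail),
        # Teamdash accounts with no Entra counterpart: review these by hand.
        "stays_unlinked": sorted(existing - set(by_mail)),
    }


if __name__ == "__main__":
    for bucket, value in plan_email_matching(ENTRA_USERS, TEAMDASH_EMAILS).items():
        print(f"{bucket}: {value}")
```

The "stays_unlinked" bucket lists the accounts that have no IdP account behind them, so they are the ones to include in manual access reviews.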
