Azure AD User and Group provisioning via SCIM protocol


  • Administrative access to senhasegura to create an access provider;
  • Communication from senhasegura to Azure;
  • Communication from Azure to senhasegura for token request and user provisioning in the SCIM API;
  • Having a business application in Azure;
  • Azure groups must have exactly the same name as senhasegura USER groups. Do not include spaces in the name;
  • Azure roles must have exactly the same name as senhasegura roles. Do not include spaces in the name;
  • senhasegura must have a DSN with a valid certificate published;
  • Change the system URL.

Base document:

1. Create an “Identity Management” provider.

In the “Authentication” tab, enter the allowed source IPs. In this demo we will cover everything. Validate this in your production environment.

After creating the provider, collect the Client ID and Secret data.

2. Create a business application if you don’t already have one.

2.1 Access “Microsoft Entra ID”.


2.2 Create the business application.

3. Access the “Provisioning” tab of your business application and click on “introduction” to create your provisioning.

Select the provisioning mode and expand the Admin Credentials tab.

In Tenant URL, enter the “Base URL” value obtained when clicking on the provider details insenhasegura.

In the “Secret Token” field, the “Access Token” must be inserted based on the Client ID and Client Secret
also obtained from the provider’s details insenhasegura. I use a tool like Postman to obtain the token.


Copy the contents of the highlighted token.


Using the access token, test the connection tosenhasegura. At this point, Azure will send a request tosenhasegura.

Click “Save”.

4. Configure the Group mappings.

After completing step 3, expand the “Mappings” option and click on “Provision Azure Active Directory Groups”.

Configure as below and save:

4.1 Configure User mappings.

After completing step 4, click on “Provision Azure Active Directory Users”.

Only the attributes below are required:

If the “SingleAppRoleAssignment([appRoleAssignments])” attribute does not exist, it will need to be created.
To do this, click on “Show advanced options” and “Edit attribute list for customappsso”.

Add a new attribute as below and save.

After that, go back to the Mapping screen and click on “Add New Mapping”.

Change the “Mapping type” to “Expression” and in the respective field enter:


Em “Target attribute” selecione “entitlements.value” e salve.

Save the Provisioning Mappings and return to the initial provisioning configuration screen.

5. Enable provisioning.

From this moment on, provisioning will be performed and will synchronize users from Azure AD to senhasegura.

About synchronization: The user group in Azure must have the same name as thesenhasegura User Group, without spaces and accents.

About roles: The role assigned to the user in Azure AD must have the same name as a Role insenhasegura, without spaces and accents.

In order for the Azure user to authenticate withsenhasegura, it will be necessary to create a new integration with SAML. To do this, follow the step-by-step instructions below.