
    SCIM Provisioning with Microsoft Entra ID (Azure AD)

    If you are an external tenant administrator and need to provision users into the app, you do not need to create your own App Registration or define app roles. The app roles are already defined on the existing multi-tenant app registration. By consenting to that app, an Enterprise Application (service principal) is automatically created in your tenant with all the pre-defined app roles.

    Prerequisites

    Before you begin, request the following from the app administrator:
    Item | Description
    Admin consent URL | Test: https://login.microsoftonline.com/common/adminconsent?client_id=5297c3c4-1e1a-4d0f-9c71-c82dad658318
                      | Production: https://login.microsoftonline.com/common/adminconsent?client_id=560f4554-4d0a-4cf3-8130-a684717912ba
    SCIM endpoint URL | The tenant-specific URL, e.g. https://your.leadcast.app/scim/v2
    API token | A bearer token with SCIM permissions scoped to your tenant
    Available app roles | The list of pre-defined role display names you can assign to users (optional)

    Step-by-step instructions

    1. Grant admin consent to add the app to your tenant

    1. Sign in to the Microsoft Entra admin center as a Global Administrator or Cloud Application Administrator
    2. Open the admin consent URL provided by the app administrator in your browser
    3. Review the requested permissions and click Accept
    4. This creates an Enterprise Application (service principal) in your tenant with the pre-defined app roles — you do not need to create anything manually

    Tip: After consenting, you can find the new Enterprise Application under Identity → Applications → Enterprise Applications.
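
    Before opening the admin consent URL in step 1, you can check that the link you received has the form and one of the client IDs listed under Prerequisites. This is an added example, not Leadcast's or Microsoft's code; the helper name check_consent_url and its strictness (exact /common/adminconsent path, client_id as the only query parameter) are assumptions of the example.

```python
from urllib.parse import urlsplit, parse_qs

# Client IDs copied from the Prerequisites table on this page.
KNOWN_CLIENT_IDS = {
    "5297c3c4-1e1a-4d0f-9c71-c82dad658318": "Test",
    "560f4554-4d0a-4cf3-8130-a684717912ba": "Production",
}
EXPECTED_HOST = "login.microsoftonline.com"
EXPECTED_PATH = "/common/adminconsent"  # assumption: only the documented form


def check_consent_url(url: str) -> str:
    """Return "Test" or "Production" for a documented consent link.

    Hypothetical helper; raises ValueError naming the first failed check.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    # Compare the parsed hostname, never a substring of the URL, so that
    # "host@other" userinfo and lookalike suffixes are rejected.
    if parts.username is not None or parts.password is not None:
        raise ValueError("URL must not contain userinfo")
    if parts.hostname != EXPECTED_HOST or parts.port not in (None, 443):
        raise ValueError(f"unexpected host: {parts.netloc!r}")
    if parts.path != EXPECTED_PATH or parts.fragment:
        raise ValueError(f"unexpected path or fragment: {parts.path!r}")
    params = parse_qs(parts.query, keep_blank_values=True)
    extra = sorted(set(params) - {"client_id"})
    if extra:
        # Assumption: the documented links carry client_id only.
        raise ValueError(f"unexpected query parameters: {extra}")
    ids = params.get("client_id", [])
    if len(ids) != 1:
        raise ValueError("exactly one client_id is required")
    env = KNOWN_CLIENT_IDS.get(ids[0].lower())
    if env is None:
        raise ValueError(f"client_id is not one listed on this page: {ids[0]!r}")
    return env


if __name__ == "__main__":
    # Constructed samples: the page's Test link and a lookalike host.
    good = f"https://{EXPECTED_HOST}{EXPECTED_PATH}?client_id=5297c3c4-1e1a-4d0f-9c71-c82dad658318"
    print(check_consent_url(good))
    try:
        check_consent_url(good.replace(EXPECTED_HOST, EXPECTED_HOST + ".example.net"))
    except ValueError as err:
        print("rejected:", err)
```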

    2. Configure provisioning

    1. Open the Enterprise Application that was created by the consent step
    2. Go to Provisioning
    3. Click Get started
    4. Set Provisioning Mode to Automatic
    5. Under Admin Credentials, enter:
       • Tenant URL — the SCIM endpoint URL provided by the app administrator
       • Secret Token — the API token provided by the app administrator
    6. Click Test Connection to verify connectivity
    7. Click Save

    3. Configure attribute mappings (optional)

    1. Under Provisioning → Mappings, click Provision Azure Active Directory Users
    2. Review the default attribute mappings — most fields (name, email, etc.) work out of the box
    3. To provision app roles, click Add New Mapping and configure:
       Setting | Value
       Mapping type | Expression
       Expression | SingleAppRoleAssignment([appRoleAssignments])
       Target attribute | roles[primary eq "True"].value
    4. Click OK, then Save

    Important: Do not use Direct mapping type with appRoleAssignments — this sends the raw internal object instead of the role display name.

    Note: SingleAppRoleAssignment returns the display name of the assigned app role. If you need multiple roles per user, use AppRoleAssignmentsComplex([appRoleAssignments]) instead.

    4. Assign users and groups

    1. In the Enterprise Application, go to Users and groups
    2. Click + Add user/group
    3. Select the users or groups to provision and assign them the appropriate app role (the roles from the original app registration are available here)
    4. Click Assign

    5. Start provisioning

    1. Go back to Provisioning
    2. Click Start provisioning
    3. Entra ID will begin an initial provisioning cycle — this may take a few minutes

    You can monitor progress under Provisioning → Provisioning logs.
    Modified at 2026-05-26 10:50:11