Sync users and groups from Microsoft Entra ID using SCIM
Cedar.AI supports System for Cross-domain Identity Management (SCIM) to automatically provision and de-provision users and groups from Microsoft Entra ID (formerly Azure Active Directory). This allows you to manage user access centrally within your identity provider. SCIM requires enrollment in Admin v2. You’ll create a SCIM connection in the Cedar.AI Admin Portal, then use the generated client credentials in Azure provisioning.
Prerequisites
Cedar.AI Admin Access
You must be able to log in to the Cedar.AI Admin Portal and create a SCIM mapping to get client credentials.
Azure AD Admin Access
You need permissions to create Enterprise Applications in your Microsoft Entra ID tenant.
Configuration Steps
Create a SCIM connection in the Cedar.AI Admin Portal (Admin v2)
- Obtain your Microsoft Entra ID (Azure AD) Tenant ID.
- In the Cedar.AI Admin Portal, go to Advanced → SCIM.
- Click New mapping.
- Enter the Entra Tenant ID and associate it with an Organization or a Carrier.
- Click Create.
- From the newly created SCIM connection, copy the Client ID and Client Secret (you’ll use these in Azure provisioning).
Create an Enterprise Application in Azure
- Log in to the Microsoft Entra Admin Center.
- Navigate to Identity > Applications > Enterprise applications.
- Click New application.
- Click Create your own application.
- Enter a name for your application (e.g., “Cedar.AI SCIM”).
- Select Integrate any other application you don’t find in the gallery (Non-gallery).
- Click Create.
Configure provisioning
- In your newly created application, go to the Provisioning blade in the left menu.
- Click Get started.
- Set the Provisioning Mode to Automatic.
Enter SCIM endpoints and credentials
Cedar.AI uses the OAuth 2.0 Client Credentials grant flow for SCIM authentication. Expand the Admin Credentials section and enter the values below.
Authentication Method: if your connector offers it, select OAuth 2.0 Client Credentials Grant; otherwise follow the workflow Azure prompts you through. You will need:
Values are per environment (SCIM testing or SCIM production). The table below lists the SCIM testing (staging) environment; the production environment has its own Tenant URL and Token Endpoint pair.
| Field | Value (SCIM testing) |
|---|---|
| Tenant URL | https://api-k.arms-staging.cedarai.com/scim/<your_tenant_id>/ |
| Token Endpoint | https://auth.accounts-staging.cedarai.com/oauth2/token |
Replace <your_tenant_id> with your Azure Tenant ID (the same GUID you entered in the Admin Portal mapping). Use the same environment for the Tenant URL and the Token Endpoint, and use the Client ID/Secret you generated in the Admin Portal SCIM connection.
- Client Identifier: (from the Admin Portal SCIM connection)
- Client Secret: (from the Admin Portal SCIM connection)
If the standard Azure “Non-gallery” SCIM connector only requests a “Secret Token”, you may need to generate a long-lived bearer token using the client credentials and paste it there, or contact Cedar.AI support for the appropriate configuration pattern for your tenant. A token obtained from the token endpoint is only valid for the lifetime it reports (expires_in), so a pasted Secret Token must be replaced before it expires or provisioning will start failing with 401 responses.
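The following script is an added example, not Cedar.AI's code and not part of the original page. It walks the flow above from the command line: build the Tenant URL from the Entra tenant GUID, obtain a bearer token with the OAuth 2.0 client credentials grant, and make the same kind of authenticated GET that Azure's Test Connection performs, turning the common failure statuses into a diagnosis. It assumes the token endpoint accepts client_id and client_secret in the form body (RFC 6749 section 4.4 also permits HTTP Basic; check with Cedar.AI if the body form is rejected) and that the SCIM endpoint answers a paged `GET Users` with a standard ListResponse. The `fake_transport` endpoints and the tenant GUID and credentials in the dry run are constructed so the script runs offline; `urllib_transport` is the real HTTP path.

```python
import json
import re
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Staging values from the table above; the production environment has its own pair.
STAGING_TENANT_BASE = "https://api-k.arms-staging.cedarai.com/scim/"
STAGING_TOKEN_ENDPOINT = "https://auth.accounts-staging.cedarai.com/oauth2/token"

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def scim_tenant_url(base, tenant_id):
    """Build the Tenant URL for the Azure connector. The Entra tenant ID is a
    GUID; anything else (a domain name, a display name) is rejected early."""
    if not GUID_RE.match(tenant_id):
        raise ValueError("Entra tenant ID must be a GUID, got %r" % (tenant_id,))
    return base.rstrip("/") + "/" + tenant_id.lower() + "/"


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: (method, url, headers, body) -> (status, bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def fetch_access_token(token_endpoint, client_id, client_secret, transport=urllib_transport):
    """OAuth 2.0 client credentials grant (RFC 6749 section 4.4): the secret goes
    in the POST body, never in the URL. Returns (access_token, expires_in)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    status, raw = transport("POST", token_endpoint, {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }, form)
    if status != 200:
        raise RuntimeError("token endpoint returned %d: %s" % (status, raw[:200]))
    tok = json.loads(raw)
    if tok.get("token_type", "").lower() != "bearer" or not tok.get("access_token"):
        raise RuntimeError("not a bearer token response: %s" % sorted(tok))
    return tok["access_token"], int(tok.get("expires_in", 0))


def check_connection(tenant_url, access_token, transport=urllib_transport):
    """Approximate Azure's Test Connection: an authenticated GET of /Users.
    Returns "ok" or a short diagnosis of the most common misconfigurations."""
    status, raw = transport("GET", tenant_url + "Users?count=1", {
        "Authorization": "Bearer " + access_token,
        "Accept": "application/scim+json",
    }, None)
    if status == 401:
        return "unauthorized: check Client ID/Secret and that the token endpoint matches the Tenant URL environment"
    if status == 404:
        return "not found: check the tenant ID in the Tenant URL and the trailing slash"
    if status != 200:
        return "unexpected HTTP %d" % status
    try:
        body = json.loads(raw)
    except ValueError:
        return "200 but not JSON: the Tenant URL is probably not a SCIM endpoint"
    if LIST_RESPONSE not in body.get("schemas", []):
        return "200 but not a SCIM ListResponse"
    return "ok"


def fake_transport(calls):
    """Constructed stand-in for the Cedar.AI endpoints so the flow can be run
    offline: it issues one fixed token and only accepts that token on /Users."""
    def transport(method, url, headers, body):
        calls.append((method, url, headers, body))
        if url == STAGING_TOKEN_ENDPOINT and method == "POST":
            return 200, b'{"access_token":"tok123","token_type":"Bearer","expires_in":3600}'
        if headers.get("Authorization") != "Bearer tok123":
            return 401, b'{"detail":"Unauthorized"}'
        if not url.startswith(STAGING_TENANT_BASE + "11111111-2222-3333-4444-555555555555/"):
            return 404, b'{"detail":"Not Found"}'
        return 200, json.dumps({"schemas": [LIST_RESPONSE], "totalResults": 0, "Resources": []}).encode()
    return transport


if __name__ == "__main__":
    # Dry run against the constructed transport; drop transport= and supply real
    # credentials from the Admin Portal SCIM connection to hit staging for real.
    calls = []
    t = fake_transport(calls)
    url = scim_tenant_url(STAGING_TENANT_BASE, "11111111-2222-3333-4444-555555555555")
    token, ttl = fetch_access_token(STAGING_TOKEN_ENDPOINT, "client-id", "client-secret", transport=t)
    print("token expires in %ds; Test Connection -> %s" % (ttl, check_connection(url, token, transport=t)))
```

Run it before clicking Test Connection in Azure: a 401 from this script with credentials you just copied almost always means the Token Endpoint and Tenant URL are from different environments, and a 404 means the tenant GUID or trailing slash in the Tenant URL is wrong. Never paste the Client Secret into a shell history or ticket; read it from an environment variable or a secret store when you adapt the dry run.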
Test connection and save
- Click Test Connection to ensure Azure can communicate with the Cedar.AI SCIM endpoint.
- Once the test passes, click Save.
Assign users and groups
Azure AD only provisions users and groups that are explicitly assigned to the application.
- Go to the Users and groups blade for your application.
- Click Add user/group.
- Select the users and groups you want to sync to Cedar.AI.
- Groups: Assigning a group provisions the group itself and its direct members. Nested groups are not supported by the standard SCIM connector (flattening may be required).
- Users: Users must be assigned directly or through a group to be provisioned.
- Click Assign.
Start provisioning
- Under Mappings, review the user and group attribute mappings to ensure they align with your requirements.
- Go back to the Provisioning overview.
- Set the Provisioning Status to On.
- Click Save.
Azure AD will start an initial synchronization cycle, followed by periodic incremental cycles (typically every 40 minutes). You can monitor progress in the Provisioning logs.
Important Considerations
Scope
By default, Azure AD provisions only assigned users and groups. Ensure “Sync only assigned users and groups” is selected in the Provisioning settings unless you intend to sync your entire directory.
De-provisioning
When a user is unassigned from the application or disabled in Azure AD, a SCIM disable (soft delete) request is sent to Cedar.AI. The user will lose access immediately.
Group Updates
Renaming a group in Azure AD will update the group name in Cedar.AI. Removing a user from a group in Azure AD will remove them from the corresponding group in Cedar.AI.