Microsoft Entra Scim Sync Readme

Microsoft Entra + SCIM Sync Setup

Step-by-step guide for configuring Microsoft Entra with DeepIntShield SCIM Sync.

This version matches the current product behavior:

one shared DeepIntShield workspace can have many Microsoft Entra connections
each connection can belong to a different customer organization
login can be routed by email domain, explicit connection selection, or the default connection

Prerequisites

Microsoft Entra admin access for each customer organization
a deployed DeepIntShield URL
access to Governance -> SCIM Sync in DeepIntShield

Architecture

Use one Entra app registration per customer organization.

In DeepIntShield:

each Entra app becomes one SCIM Sync connection
each connection can be assigned to a customer
each connection can optionally define email domains such as acme.com
one enabled connection can be marked as the default fallback

If multiple Entra connections exist in one shared workspace:

users can be routed by email domain
users can choose a connection on the login screen
users without a matching domain fall back to the default enabled connection

1. Create an Entra app registration

Repeat this section once per customer organization.

Open Azure Portal.
Go to Microsoft Entra ID -> App registrations.
Click New registration.
Use:

Field	Value
Name	`DeepIntShield` or the customer name
Supported account types	`Accounts in this organizational directory only`
Redirect URI	`Web` -> use the `Redirect URI` shown in DeepIntShield SCIM Sync

Click Register.
Copy:
- Application (client) ID
- Directory (tenant) ID

2. Create Entra app roles

Open the app registration and create these roles:

Display Name	Value	Description
Admin	`admin`	Full platform access
Viewer	`viewer`	Read-only access

Keep the role values lowercase.

3. Create a client secret

Open Certificates & secrets.
Click New client secret.
Create the secret.
Copy the secret Value.

Use the secret value, not the secret ID.

4. Add API permissions

In API permissions, add delegated Microsoft Graph permissions:

openid
profile
email
offline_access

Grant admin consent if your tenant requires it.

5. Add group claims

If Entra groups should map into DeepIntShield teams:

Open Token configuration.
Click Add groups claim.
Select:
- Security groups, or
- Groups assigned to the application
Enable both ID and Access token claims.

6. Assign users and groups

Open Enterprise applications.
Select the DeepIntShield app.
Go to Users and groups.
Assign users or groups to:
- Admin
- Viewer

If a user has multiple roles, DeepIntShield uses the highest privilege role.

7. Create the connection in DeepIntShield

Open Governance -> SCIM Sync.
Click New.
Fill one connection for one customer Entra setup.

Use this mapping:

DeepIntShield Field	Value
Connection Name	Customer or organization label
Customer	Matching DeepIntShield customer, or `Shared workspace`
Enabled	`On`
Default	Enable only for the fallback connection
Cloud	Usually `Commercial`
Tenant ID	Entra `Directory (tenant) ID`
Client ID	Entra `Application (client) ID`
Client Secret	Secret value from Entra
Audience	Blank or Client ID
App ID URI	Optional, usually `api://{client-id}`
Email Domains	Customer email domains like `acme.com, acme.co.uk`
User Claim	`oid`
Role Claim	`roles`
Team Claim	`groups`
Auto Provision	`On`
Groups to Teams	`On` if Entra groups should create or map to teams
Deactivate Missing	`On` if removed users should be deactivated
Refresh Tokens	`On`

Use the Redirect URI, Issuer URL, and Discovery URL shown on the page as the source of truth.

8. Configure role mappings

Open the Role Mappings tab and keep these defaults unless your claims differ:

Source	Value	DeepIntShield Role
`app_role`	`admin`	`admin`
`app_role`	`viewer`	`viewer`

You can also map:

group
claim

Only admin and viewer are used as DeepIntShield roles in SCIM Sync. If your Entra tenant uses other source values, map them to either admin or viewer.

9. Save, test, and sync

For each connection:

Click Save.
Click Test.
Fix missing fields if reported.
Click Sync.
Click Refresh if needed.

10. Verify linked users

Open the Linked Users tab for that connection and verify:

users are linked to the expected Entra connection
the correct customer context is applied
roles are resolved correctly
teams appear if Groups to Teams is enabled

When multiple Entra connections are enabled in one shared workspace:

if the login email matches a configured domain, DeepIntShield routes to that Entra connection
if multiple connections are enabled, the login page can show connection selection
if no domain matches, the default enabled connection is used

Troubleshooting

Problem	Check
`AADSTS50011` reply URL mismatch	Use the exact `Redirect URI` shown in SCIM Sync
`AADSTS7000215` invalid client secret	Use the secret value, not the secret ID
Roles missing in token	Ensure Entra app roles exist and users or groups are assigned
Groups not syncing	Ensure the `groups` claim is enabled and `Groups to Teams` is on
Wrong user role	Keep mapped DeepIntShield roles as lowercase `admin` or `viewer`
Wrong connection selected	Check `Email Domains` and the `Default` flag

Notes

SCIM Sync is tenant-scoped, but supports many Entra connections inside one shared workspace
each connection can be customer-owned
Test validates the saved connection config
Sync refreshes DeepIntShield provisioning status for that connection