Setting Up SCIM User Provisioning with Microsoft Entra ID
This guide explains how to configure SCIM-based user provisioning between Microsoft Entra ID and AdvaPACS.
SCIM provisioning allows Entra ID to automatically create, update, and deactivate users in AdvaPACS based on changes in your directory.
AdvaPACS currently supports user provisioning only.
Group provisioning must be disabled in Entra ID or provisioning will fail.
Prerequisites
Before you begin, ensure you have:
- Administrator access to Microsoft Entra ID
- The Manage Authentication permission in AdvaPACS
- An existing Entra ID Enterprise Application for AdvaPACS
Overview
The configuration process consists of the following steps:
- Create a SCIM configuration in AdvaPACS
- Copy the SCIM credentials from AdvaPACS
- Configure automatic provisioning in Entra ID
- Disable group provisioning
- Test user provisioning
Step 1: Create a SCIM Configuration in AdvaPACS
- Sign in to AdvaPACS as an administrator
- Navigate to: Admin → Settings → Authentication
- Select the SCIM tab
Permissions Required
You must have the Manage Authentication permission to view or modify SCIM configurations.
If you do not see the SCIM tab, verify your role permissions.
Add a SCIM Configuration
- Click Add SCIM Configuration
- Enter a Name to describe the configuration
- Example:
Entra ID
- Configure the default user settings
These settings will be applied to all users provisioned via SCIM.
They can be modified later on a per-user basis if required.
Save and Generate SCIM Credentials
- Click Save
- AdvaPACS will generate:
- SCIM URL
- Secret Token
Make note of both values — they will be required when configuring Entra ID.
Step 2: Configure Provisioning in Entra ID
- Sign in to the Microsoft Entra admin center
- Navigate to Enterprise applications
- Open your AdvaPACS application
- Select Provisioning
Set Provisioning Mode
- Click Get started
- Set Provisioning Mode to Automatic
Configure Admin Credentials
In the Admin Credentials section, enter:
| Entra ID Field | Value |
|---|---|
| Tenant URL | Paste the SCIM URL from AdvaPACS |
| Secret Token | Paste the Secret Token from AdvaPACS |
Click Test Connection.
If the connection is successful, click Save.
Step 3: Disable Group Provisioning (Required)
AdvaPACS does not currently support group provisioning.
You must disable group provisioning in Entra ID to prevent errors.
Disable Group Mappings
- In the Provisioning section, select Mappings
- Open Provision Microsoft Entra ID Groups
- Set Enabled to No
- Save the mapping
If group provisioning is enabled, Entra ID will return errors and user provisioning will stop.
Step 4: Configure User Mappings (Optional)
By default, Entra ID provisions users using standard SCIM attributes such as:
userNamegivenNamesurnameemails
You may adjust attribute mappings if required, but the default mappings are sufficient for most deployments.
If also using SAML and you do change mappings, ensure they align with the username the SAML configuration is expecting.
Step 5: Assign Users and Start Provisioning
- In Entra ID, navigate to: Enterprise applications → AdvaPACS → Users and groups
- Assign users who should be provisioned into AdvaPACS
Provisioning will run automatically on the Entra ID provisioning cycle.
Step 6: Verify Provisioning in AdvaPACS
- Return to AdvaPACS
- Navigate to the Users section
- Confirm users are being created or updated via SCIM
Provisioned users will inherit the default SCIM configuration settings unless overridden.
Troubleshooting
If provisioning fails:
- Confirm the SCIM URL and Secret Token are correct
- Ensure group provisioning is disabled
- Check Provisioning logs in Entra ID
- Verify assigned users have required attributes (email, username)