SCIM (System for Cross-domain Identity Management) keeps Bifrost in sync with Entra in real time - new users are provisioned, deactivated users are suspended, and group memberships are updated without waiting for the next login or background sync.
Complete SSO using OIDC before setting up SCIM. SCIM runs as a separate provisioning job alongside your existing OIDC integration.

Step 1: Enable SCIM in Bifrost

1. Open your Entra provider

In your Bifrost dashboard, go to Governance → User Provisioning and open your configured Microsoft Entra provider.
[Screenshot: Bifrost Microsoft Entra provider dashboard showing connection details and attribute mappings]
2. Enable SCIM provisioning

Click the settings icon to open Provider Configuration. Toggle on Enable SCIM Provisioning and click Save & Enable.
[Screenshot: Bifrost Provider Configuration with Enable SCIM Provisioning toggle turned on]
3. Copy the SCIM credentials

After saving, Bifrost shows a Setup Complete dialog with:
  • SCIM Endpoint URL - the base URL Entra will send provisioning requests to
  • Provisioning Token - the bearer token Entra uses to authenticate
Copy both values now - you will need them in Step 2.
[Screenshot: Bifrost Setup Complete dialog displaying the SCIM Endpoint URL and one-time Provisioning Token]
The provisioning token is only shown once. Store it somewhere safe before closing this dialog. You can always rotate it later, but the previous token will immediately become invalid.

Step 2: Configure Entra provisioning

1. Open the Provisioning tab

In the Azure Portal, go to Microsoft Entra ID → Enterprise applications → Bifrost Enterprise. Open the Provisioning tab and click Get started.
[Screenshot: Microsoft Entra Enterprise Application Provisioning tab with Get started button]
2. Set the provisioning mode and credentials

Set Provisioning Mode to Automatic. Under Admin Credentials, enter:
  • Tenant URL - the SCIM Endpoint URL from Step 1
  • Secret Token - the Provisioning Token from Step 1
Click Test Connection to verify, then Save.
[Screenshot: Entra Provisioning admin credentials form with Tenant URL and Secret Token fields filled in and Test Connection button highlighted]
3. Configure attribute mappings (optional)

Expand Mappings to review or adjust how Entra user and group attributes are mapped to SCIM fields that Bifrost receives. The default mappings cover standard fields (name, email, active status, groups). Skip this step unless you need to sync custom attributes.
To include a custom attribute in the SCIM payload Entra sends to Bifrost:
  1. Under Mappings, click Provision Microsoft Entra ID Users
  2. Click Add New Mapping
  3. Set the Source attribute to the Entra user property (e.g. employeeId, department)
  4. Set the Target attribute to the corresponding SCIM attribute name (e.g. urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber)
  5. Click Ok and Save
[Screenshot: Entra provisioning attribute mapping dialog showing Source attribute and Target attribute dropdowns]
Back in Bifrost, go to Attribute Mapping in the provider setup and add a SCIM Attribute entry using the same attribute name. The name must match exactly - including case.
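The exact-match requirement above can be checked against a payload before relying on a mapping. This is an added example, not Bifrost's or Entra's code: the sample user is constructed in the standard SCIM 2.0 resource shape (RFC 7643), and `flatten` and `lookup` are hypothetical helper names.

```python
import json

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed sample user resource in SCIM 2.0 shape (RFC 7643), not captured traffic.
SAMPLE_USER = json.loads("""
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "alice@example.com",
  "active": true,
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "E-1001",
    "department": "Platform"
  }
}
""")


def flatten(user):
    """Map each attribute in the payload to its full SCIM name."""
    flat = {}
    for key, value in user.items():
        if key == "schemas":
            continue
        if key.lower().startswith("urn:") and isinstance(value, dict):
            # Extension attributes are nested under their schema URN.
            for attr, inner in value.items():
                flat[f"{key}:{attr}"] = inner
        else:
            flat[key] = value
    return flat


def lookup(user, configured_name):
    """Exact, case-sensitive match; on a miss, return the case-only near match."""
    flat = flatten(user)
    if configured_name in flat:
        return flat[configured_name], None
    wanted = configured_name.lower()
    near = next((name for name in flat if name.lower() == wanted), None)
    return None, near
```

A non-empty second element means the attribute is present in the payload under a name that differs from the configured one only by case, which is the mismatch the step above warns about.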
4. Enable provisioning

Back on the main Provisioning settings page, set Provisioning Status to On and click Save.
[Screenshot: Entra Provisioning settings page with Provisioning Status toggle set to On]

Step 3: Assign users and groups

1. Assign users or groups to the application

Go to Enterprise applications → Bifrost Enterprise → Users and groups. Click Add user/group and select the users or groups you want to provision into Bifrost.
[Screenshot: Entra Enterprise Application Users and groups page with Add user/group button highlighted]
Only users and groups explicitly assigned to the application are provisioned when the provisioning scope is set to Sync only assigned users and groups (the default). Set scope to Sync all users and groups only if you want to provision your entire directory.
Assigned users are pushed to Bifrost during the next provisioning cycle (typically within 40 minutes). When a user is unassigned or disabled in Entra, Bifrost deactivates them in real time.
2. Trigger an on-demand sync (optional)

To provision a specific user immediately without waiting for the next cycle, go to the Provisioning tab and click Provision on demand. Search for the user, select them, and click Provision.
[Screenshot: Entra Provision on demand screen with a user selected and Provision button]

Step 4: Verify in Bifrost

Once provisioning is active, confirm everything is syncing correctly.
  • Go to Governance → Users to see provisioned users and their assigned roles
  • Go to Governance → Teams to see teams populated from synced groups
  • Go to Governance → Business Units to see business units resolved from group or attribute mappings
Changes in Entra - new assignments, group membership updates, deactivations - will reflect in Bifrost within the provisioning cycle (typically 40 minutes for incremental cycles, up to 4 hours for the initial cycle).

How sync works

  • Initial cycle - on first enable, Entra performs a full sync of all in-scope users and groups. This can take up to 4 hours for large directories.
  • Incremental cycles - after the initial sync, Entra pushes only changes (new users, deactivations, attribute updates, group membership changes) every ~40 minutes.
  • Background reconciliation - Bifrost also runs a full reconciliation from the Microsoft Graph API every 24 hours to catch anything the SCIM push may have missed.

Troubleshooting

  • Test Connection fails - verify the Tenant URL has no trailing slash and the Secret Token matches exactly what Bifrost generated. Rotate the token in Bifrost and update Entra if needed.
  • Users are provisioned but have no role - SCIM provisions the user record; role assignment comes from attribute mappings in the OIDC provider. Confirm your Attribute-to-Role mappings are configured and the relevant claims are present in the JWT at login time.
  • Custom attribute is not arriving in Bifrost - confirm the SCIM attribute name in Entra's mapping and Bifrost's SCIM Attribute setting match exactly (case-sensitive). Verify the mapping was saved under Provision Microsoft Entra ID Users.
  • Group membership is not syncing - groups must be assigned to the Enterprise Application and provisioning scope must include groups. Check that Provision Microsoft Entra ID Groups is enabled under Mappings.
  • Users are stuck in "Pending" - this is normal during the initial cycle for large directories. Check the Provisioning logs under Monitoring in the Provisioning tab for per-user status and any errors.
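For the "Test Connection fails" case, the two pasted values can be checked and the endpoint probed outside the Azure Portal. This is an added example, not Bifrost's or Entra's code: it assumes the endpoint follows the standard SCIM 2.0 layout (RFC 7644) with `/Users` under the base URL, and `preflight`, `build_probe` and `interpret` are hypothetical names.

```python
import json
import urllib.request
import uuid
from urllib.parse import quote, urlsplit

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def preflight(tenant_url, secret_token):
    """List problems visible in the two values before any request is sent."""
    problems = []
    if tenant_url != tenant_url.strip() or secret_token != secret_token.strip():
        problems.append("whitespace around a pasted value")
    if urlsplit(tenant_url.strip()).scheme != "https":
        problems.append("Tenant URL is not https; the bearer token would travel in clear text")
    if tenant_url.strip().endswith("/"):
        problems.append("Tenant URL has a trailing slash")
    if not secret_token.strip():
        problems.append("Secret Token is empty")
    return problems


def build_probe(tenant_url, secret_token):
    """GET {base}/Users filtered on a random userName: an empty list is success."""
    flt = quote(f'userName eq "{uuid.uuid4()}"')
    return urllib.request.Request(
        f"{tenant_url}/Users?filter={flt}",
        headers={"Authorization": f"Bearer {secret_token}",
                 "Accept": "application/scim+json"},
    )


def interpret(status, body):
    """Map a probe response to the likely cause (assumed generic SCIM server behaviour)."""
    if status == 401:
        return "token rejected: re-copy it, or rotate in Bifrost and update Entra"
    if status == 404:
        return "path not found: check the Tenant URL"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        if isinstance(doc, dict) and LIST_RESPONSE in doc.get("schemas", []):
            return "ok"
        return "200 but not a SCIM ListResponse: the URL points at something else"
    return f"unexpected status {status}"
```

Send the request with `urllib.request.urlopen` from a host that can reach the endpoint; it raises `HTTPError` for 4xx responses, whose `.code` is the status to pass to `interpret`. Read the token from a secret store or prompt rather than a command-line argument so it stays out of shell history.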