# Setup SCIM

> Enable real-time user and group provisioning from Microsoft Entra ID to Bifrost Enterprise using SCIM 2.0.

SCIM (System for Cross-domain Identity Management) keeps Bifrost in sync with Entra in real time - new users are provisioned, deactivated users are suspended, and group memberships are updated without waiting for the next login or background sync.

<Note>
  Complete [SSO using OIDC](./oidc) before setting up SCIM. SCIM runs as a **separate** provisioning job alongside your existing OIDC integration.
</Note>

***

## Step 1: Enable SCIM in Bifrost

<Steps>
  <Step title="Open your Entra provider">
    In your Bifrost dashboard, go to **Governance** → **User Provisioning** and open your configured Microsoft Entra provider.

    <Frame caption="The Microsoft Entra provider dashboard showing your connection details and attribute mappings.">
      <img src="https://mintlify.s3.us-west-1.amazonaws.com/bifrost/media/user-provisioning/entra/bifrost-provider-setting.png" alt="Bifrost Microsoft Entra provider dashboard showing connection details and attribute mappings" />
    </Frame>
  </Step>

  <Step title="Enable SCIM provisioning">
    Click the settings icon to open **Provider Configuration**.

    Toggle on **Enable SCIM Provisioning** and click **Save & Enable**.

    <Frame caption="Enable SCIM Provisioning in Provider Configuration - the SCIM endpoint URL and token are generated after saving.">
      <img src="https://mintlify.s3.us-west-1.amazonaws.com/bifrost/media/user-provisioning/entra/bifrost-enable-scim.png" alt="Bifrost Provider Configuration with Enable SCIM Provisioning toggle turned on" />
    </Frame>
  </Step>

  <Step title="Copy the SCIM credentials">
    After saving, Bifrost shows a **Setup Complete** dialog with:

    * **SCIM Endpoint URL** - the base URL Entra will send provisioning requests to
    * **Provisioning Token** - the bearer token Entra uses to authenticate

    Copy both values now - you will need them in [Step 2](#step-2-configure-entra-provisioning).

    <Frame caption="Setup Complete dialog showing the SCIM Endpoint URL and Provisioning Token.">
      <img src="https://mintlify.s3.us-west-1.amazonaws.com/bifrost/media/user-provisioning/entra/bifrost-scim-provisioning-token-dialog.png" alt="Bifrost Setup Complete dialog displaying the SCIM Endpoint URL and one-time Provisioning Token" />
    </Frame>

    <Warning>
      The provisioning token is only shown once. Store it somewhere safe before closing this dialog. You can always rotate it later, but the previous token will immediately become invalid.
    </Warning>
  </Step>
</Steps>

***

## Step 2: Configure Entra provisioning

<Steps>
  <Step title="Open the Provisioning tab">
    In the [Azure Portal](https://portal.azure.com), go to **Microsoft Entra ID → Enterprise applications → Bifrost Enterprise**.

    Open the **Provisioning** tab and click **Get started**.

    <Frame caption="Enterprise Application Provisioning tab - click Get started to configure the SCIM connection.">
      <img src="https://mintlify.s3.us-west-1.amazonaws.com/bifrost/media/user-provisioning/entra/entra-provisioning-get-started.png" alt="Microsoft Entra Enterprise Application Provisioning tab with Get started button" />
    </Frame>
  </Step>

  <Step title="Set the provisioning mode and credentials">
    Set **Provisioning Mode** to **Automatic**.

    Under **Admin Credentials**, enter:

    | Field            | Value                                                                |
    | ---------------- | -------------------------------------------------------------------- |
    | **Tenant URL**   | The SCIM Endpoint URL from [Step 1](#step-1-enable-scim-in-bifrost)  |
    | **Secret Token** | The Provisioning Token from [Step 1](#step-1-enable-scim-in-bifrost) |

    Click **Test Connection** to verify, then **Save**.

    <Frame caption="Admin Credentials - enter the SCIM Endpoint URL as Tenant URL and the Provisioning Token as Secret Token, then test the connection.">
      <img src="https://mintlify.s3.us-west-1.amazonaws.com/bifrost/media/user-provisioning/entra/entra-scim-admin-credentials.png" alt="Entra Provisioning admin credentials form with Tenant URL and Secret Token fields filled in and Test Connection button highlighted" />
    </Frame>
  </Step>

  <Step title="Configure attribute mappings (optional)">
    Expand **Mappings** to review or adjust how Entra user and group attributes are mapped to SCIM fields that Bifrost receives.

    The default mappings cover standard fields (name, email, active status, groups). Skip this step unless you need to sync custom attributes.

    <Accordion title="Syncing custom profile attributes (e.g. employeeId, department, costCenter)">
      To include a custom attribute in the SCIM payload Entra sends to Bifrost:

      1. Under **Mappings**, click **Provision Microsoft Entra ID Users**
      2. Click **Add New Mapping**
      3. Set the **Source attribute** to the Entra user property (e.g. `employeeId`, `department`)
      4. Set the **Target attribute** to the corresponding SCIM attribute name (e.g. `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber`)
      5. Click **Ok** and **Save**

      <Frame caption="Add New Mapping - map an Entra user attribute to the SCIM attribute Bifrost will receive.">
        <img src="https://mintlify.s3.us-west-1.amazonaws.com/bifrost/media/user-provisioning/entra/entra-scim-attribute-mapping.png" alt="Entra provisioning attribute mapping dialog showing Source attribute and Target attribute dropdowns" />
      </Frame>

      Back in Bifrost, go to **Attribute Mapping** in the provider setup and add a **SCIM Attribute** entry using the same attribute name. The name must match exactly - including case.
    </Accordion>
  </Step>

  <Step title="Enable provisioning">
    Back on the main Provisioning settings page, set **Provisioning Status** to **On** and click **Save**.

    <Frame caption="Set Provisioning Status to On to start the SCIM sync cycle.">
      <img src="https://mintlify.s3.us-west-1.amazonaws.com/bifrost/media/user-provisioning/entra/entra-scim-provisioning-on.png" alt="Entra Provisioning settings page with Provisioning Status toggle set to On" />
    </Frame>
  </Step>
</Steps>

***

## Step 3: Assign users and groups

<Steps>
  <Step title="Assign users or groups to the application">
    Go to **Enterprise applications → Bifrost Enterprise → Users and groups**.

    Click **Add user/group** and select the users or groups you want to provision into Bifrost.

    <Frame caption="Users and groups - only users and groups assigned here are included in the SCIM provisioning scope.">
      <img src="https://mintlify.s3.us-west-1.amazonaws.com/bifrost/media/user-provisioning/entra/entra-scim-user-assignments.png" alt="Entra Enterprise Application Users and groups page with Add user/group button highlighted" />
    </Frame>

    <Note>
      Only users and groups explicitly assigned to the application are provisioned when the provisioning scope is set to **Sync only assigned users and groups** (the default). Set scope to **Sync all users and groups** only if you want to provision your entire directory.
    </Note>

    Assigned users are pushed to Bifrost during the next provisioning cycle (typically within 40 minutes). When a user is unassigned or disabled in Entra, Bifrost deactivates them in real time.
  </Step>

  <Step title="Trigger an on-demand sync (optional)">
    To provision a specific user immediately without waiting for the next cycle, go to the **Provisioning** tab and click **Provision on demand**.

    Search for the user, select them, and click **Provision**.

    <Frame caption="Provision on demand - push a specific user to Bifrost immediately for testing or urgent onboarding.">
      <img src="https://mintlify.s3.us-west-1.amazonaws.com/bifrost/media/user-provisioning/entra/entra-scim-provision-on-demand.png" alt="Entra Provision on demand screen with a user selected and Provision button" />
    </Frame>
  </Step>
</Steps>

***

## Step 4: Verify in Bifrost

Once provisioning is active, confirm everything is syncing correctly.

* Go to **Governance** → **Users** to see provisioned users and their assigned roles
* Go to **Governance** → **Teams** to see teams populated from synced groups
* Go to **Governance** → **Business Units** to see business units resolved from group or attribute mappings

Changes in Entra - new assignments, group membership updates, deactivations - will reflect in Bifrost within the provisioning cycle (typically 40 minutes for incremental cycles, up to 4 hours for the initial cycle).

***

## How sync works

**Initial cycle** - on first enable, Entra performs a full sync of all in-scope users and groups. This can take up to 4 hours for large directories.

**Incremental cycles** - after the initial sync, Entra pushes only changes (new users, deactivations, attribute updates, group membership changes) every \~40 minutes.

**Background reconciliation** - Bifrost also runs a full reconciliation from the Microsoft Graph API every 24 hours to catch anything the SCIM push may have missed.

***

## Troubleshooting

**Test Connection fails** - verify the Tenant URL has no trailing slash and the Secret Token matches exactly what Bifrost generated. Rotate the token in Bifrost and update Entra if needed.

**Users are provisioned but have no role** - SCIM provisions the user record; role assignment comes from attribute mappings in the OIDC provider. Confirm your Attribute-to-Role mappings are configured and the relevant claims are present in the JWT at login time.

**Custom attribute is not arriving in Bifrost** - confirm the SCIM attribute name in Entra's mapping and Bifrost's SCIM Attribute setting match exactly (case-sensitive). Verify the mapping was saved under **Provision Microsoft Entra ID Users**.
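To make the exact-match rule concrete, here is an added example (not Bifrost code) that resolves a configured attribute name against a constructed SCIM 2.0 User payload of the shape Entra sends, and explains a miss. It covers the custom-attribute mapping in Step 2 and this troubleshooting entry: an enterprise-extension attribute is addressed as `<schema URN>:<attribute>` and lives under a top-level key equal to that URN, so a configured name that differs only in case resolves to nothing.

```python
"""Resolve a SCIM 2.0 User attribute by its exact, case-sensitive name.

Added example; the payload below is constructed, not captured from Entra.
"""
ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def load_sample_user() -> dict:
    """Constructed SCIM User payload carrying the enterprise extension."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE_SCHEMA],
        "userName": "jdoe@example.com",
        "active": True,
        "name": {"givenName": "Jane", "familyName": "Doe"},
        ENTERPRISE_SCHEMA: {"employeeNumber": "E12345", "department": "Security"},
    }


def resolve_attribute(user: dict, attr_name: str):
    """Return the value at attr_name, or None. Matching is exact and case-sensitive."""
    container, path = user, attr_name
    # Extension attributes are qualified as '<schema URN>:<attribute>' and are
    # nested under a top-level key equal to a URN listed in "schemas".
    for schema in user.get("schemas", []):
        if attr_name.startswith(schema + ":"):
            container = user.get(schema, {})
            path = attr_name[len(schema) + 1:]
            break
    for part in path.split("."):  # dotted path for complex attributes, e.g. name.givenName
        if not isinstance(container, dict) or part not in container:
            return None
        container = container[part]
    return container


def flatten_keys(user: dict):
    """Yield every fully qualified attribute name present in the payload."""
    schemas = set(user.get("schemas", []))

    def walk(obj: dict, prefix: str):
        for key, value in obj.items():
            name = f"{prefix}{key}"
            if isinstance(value, dict):
                yield from walk(value, f"{name}{':' if key in schemas else '.'}")
            else:
                yield name

    yield from walk(user, "")


def diagnose_missing(user: dict, attr_name: str) -> str:
    """Explain why resolve_attribute found nothing: usually a case mismatch."""
    wanted = attr_name.casefold()
    for key in flatten_keys(user):
        if key != attr_name and key.casefold() == wanted:
            return f"case mismatch: payload has '{key}', configured '{attr_name}'"
    return f"'{attr_name}' is absent from the payload"
```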

**Group membership is not syncing** - groups must be assigned to the Enterprise Application and provisioning scope must include groups. Check that **Provision Microsoft Entra ID Groups** is enabled under **Mappings**.

**Users are stuck in "Pending"** - this is normal during the initial cycle for large directories. Check the **Provisioning logs** under **Monitoring** in the Provisioning tab for per-user status and any errors.
