***

title: Set up Entra provisioning
description: >-
Learn how to configure SCIM provisioning for Unleash using Microsoft Entra ID
to automatically manage user accounts and access.
keywords:

* SCIM
* Entra
* Azure AD
* provisioning
* SSO
* user management
  'og:site\_name': Unleash Documentation
  'og:title': Set up Entra provisioning | Unleash
  max-toc-depth: 2
  slug: provisioning/how-to-setup-provisioning-with-entra

***

<Button small outlined href="/support/availability">
  v6.1
</Button>

<Button small href="https://www.getunleash.io/plans">
  Enterprise
</Button>

## Unleash Configuration

<Info>
  Before you begin, ensure that you have a strategy in place to prevent being [locked out of all admin accounts](/support/troubleshooting#got-locked-out-of-an-admin-account-after-configuring-scim).
</Info>

### Step 1: Navigate to Provisioning configuration

First you'll need to log in to Unleash as an admin user. Navigate to the Single Sign-On section and select the "SCIM" tab. The SCIM API URL will be shown in this section, you'll need this to configure Entra later.

<Frame background="subtle">
  ![Navigate to the SCIM Config](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/350dbf92c4e4a1649a6202d22fd34f57d7978a8caa55268cdaf134b1074fad66/assets/scim-config-1.png)
</Frame>

### Step 2: Enable Provisioning

Enable SCIM by turning on the toggle and keep the token Unleash provides you for the Entra setup below.

<Frame background="subtle">
  ![Enable the SCIM toggle](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/822b2545b78eba3ebb85ae994508b427e0523a8f1f0576e8770d2aa2f45c912b/assets/scim-config-2.png)
</Frame>

## Entra Configuration

### Step 1: Navigate to Provisioning in Entra

<Info>
  This guide assumes you already have an SSO application setup for Unleash. If you don't already have an application configured, please see our [guide](/single-sign-on/how-to-add-sso-azure-saml) on setting up SSO.
</Info>

**1) Navigate to "Enterprise Applications"**

<Frame background="subtle">
  ![Navigate to Enterprise Applications](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/08acf1ff44f6d0da0d5360767dfd434adfb08488c7a1cbc1b6ed1a92514122bd/assets/scim-entra-config-1.png)
</Frame>

**2) Navigate to your SSO Application**

<Frame background="subtle">
  ![Select your Application](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/633ba4ae94fecf9384857a1cda13f0ffb4c42b567506538594f717a87c714301/assets/scim-entra-config-2.png)
</Frame>

**3) Navigate to provisioning**

<Frame background="subtle">
  ![Navigate to the provisioning overview menu item](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/822935a92bf9e425745655e92a89ae0e7ef747816f756e462b833601b1361a2d/assets/scim-entra-config-3.png)
</Frame>

### Step 2: Connect Unleash to your Entra Application

**1) Navigate to the Provisioning overview**

**2) Set the Tenant URL**

This the SCIM API URL provided by the Unleash UI in the [configuring Unleash](how-to-setup-provisioning-with-entra#step-1-navigate-to-provisioning-configuration) section.\*\*

If you plan on deprovisioning users at any point with SCIM, you'll also need to enable the [SCIM compliance flag](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior) on Entra. This can be done by appending `?aadOptscim062020` to your URL.

**3) Set the Secret Token**

This was provided by the Unleash UI in the [configuring Unleash](how-to-setup-provisioning-with-entra#step-2-enable-provisioning) section.

**4) Save**

<Frame background="subtle">
  ![Setting up SCIM credentials](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/6441d39a1ea22964ea06c44b9c16194154fbfa2d08692182f69b8956d08e22fc/assets/scim-entra-config-4.png)
</Frame>

### Step 3: Configure Provisioning

**1) Expand the mappings tab**

**2) Navigate to "Provision Microsoft Entra ID Users"**

<Frame background="subtle">
  ![Navigate to user provisioning setup](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/2f7ea8771d86a39590f446829a4b07303f8826cff0d0cd816f793912041e5c1d/assets/scim-entra-config-5.png)
</Frame>

This was provided by the Unleash UI in the [configuring Unleash](how-to-setup-provisioning-with-entra#step-2-enable-provisioning) section.

<Frame background="subtle">
  ![Connect Unleash](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/2f7ea8771d86a39590f446829a4b07303f8826cff0d0cd816f793912041e5c1d/assets/scim-entra-config-5.png)
</Frame>

**3) Remove unneeded properties**

You should remove all unnecessary properties. This ensures that Entra will reach a steady state when synchronizing. The properties that you must retain are:

* userName
* displayName
* emails
* externalId

**4) Update the email property to "userPrincipleName"**

<Frame background="subtle">
  ![Update provisioning properties](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/2e07003ee9ba455b37b638ce061258a42d8f8fbfe6bcdb54598897aa2fcf17ba/assets/scim-entra-config-6.png)
</Frame>

**5) Save**

### Step 4: Enable Provisioning

**1) Enable provisioning**

<Frame background="subtle">
  ![Enable provisioning](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/d6109f22a9ceb2aa2e5fd07dd9e7ba10a59dfd31b36dcfb09fe402ae65a3206e/assets/scim-entra-config-7.png)
</Frame>

**2) Enable automatic provisioning**

<Frame background="subtle">
  ![Enable provisioning](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/ab3e7601943738b6e12e026ff33130bbe0e4412146503c1dcd11038793a37137/assets/scim-entra-config-8.png)
</Frame>