Microsoft Entra ID Setup for System for Cross-domain Identity Management (SCIM)
To enable System for Cross-domain Identity Management (SCIM) provisioning to Flexera One, you need to create an application in Microsoft Entra ID (formerly Azure AD). Follow the steps below to set up the application.
- Sign in to the Azure portal using your credentials.
- Go to Enterprise Applications > New Application > Create your own application.
- Enter the Name and select Integrate any other application you don't find in the gallery (Non-gallery), then click Create.
- From the left menu panel, go to Manage > Provisioning.
- Change the Provisioning Mode from Manual to Automatic.
- Click Admin Credentials to expand the section:
a. Change the Authentication Method from Bearer Authentication to OAuth2 Client Credentials Grant.
b. Enter the Tenant URL using the format https://api.flexera.{TLD}/scim/v2/orgs/{ORG_ID}. Replace {ORG_ID} with your actual organization ID and {TLD} with the appropriate top-level domain for your Flexera One region (com, eu, or au). For example: https://api.flexera.com/scim/v2/orgs/12345.
c. Enter the Token Endpoint using the format https://login.flexera.{TLD}/oidc/token. Replace {TLD} with the appropriate top-level domain for your Flexera One region (com, eu, or au). For example: https://login.flexera.com/oidc/token.
d. Enter the Client ID and Client Secret that you generated and saved during Flexera Setup for SCIM.
e. Click Test Connection. This may take a few minutes and will display a success message if the credentials are correct.
- Click Mappings to expand the section.
- Click Provision Microsoft Entra ID Groups:
a. Select all checkboxes under Target Object Actions (Create, Update, Delete).
b. Keep Enabled as Yes and click Save.
c. Modify Attribute Mappings as follows and delete the remaining default attributes. To modify attributes, click Edit and select the correct Source and Target Attribute as shown in the table below:

| Source Attribute | Target Attribute |
| --- | --- |
| displayName | displayName |
| members | members |

Note: If you previously used Group Sync functionality, map displayName to objectId instead to ensure SCIM works with your existing groups. For more information, see Migrating Existing Users and Groups to SCIM.

- Click Provision Microsoft Entra ID Users:
a. Keep Enabled as Yes.
b. Select all checkboxes under Target Object Actions (Create, Update, Delete).
c. Modify Attribute Mappings as follows and delete the remaining default attributes. To modify attributes, click Edit and select the correct Source and Target Attribute as shown in the table below:

| Source Attribute | Target Attribute | Notes |
| --- | --- | --- |
| userName | userPrincipalName | User's email is the user name |
| active | Switch([IsSoftDeleted], , "False", "True", "True", "False") | |
| emails[type eq "work"].value | mail | |
| name.givenName | givenName | |
| name.familyName | Join(" ", [givenName], [surname]) | |

Note: If you previously used Just-in-Time (JIT) provisioning, map userName to user.mail instead to ensure SCIM works with your existing users. For more information, see Migrating Existing Users and Groups to SCIM.

- Configure Settings:
a. (Optional) Add an email address for failure notifications.
b. Change Scope to Sync only assigned users and groups.
- Click Save.
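
The user attribute mappings in the steps above decide what the SCIM endpoint is told about each account, including whether a soft-deleted user ends up deactivated. The following Python is an added example, not Flexera or Microsoft code: it re-implements the Switch and Join expressions in simplified form and applies the mappings as the table lists them to constructed sample records; the function names and sample data are assumptions.

```python
# Added example: evaluates the user attribute mappings listed in the steps above
# against constructed Entra ID user records. Function names are hypothetical.
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643


def switch(source, default, *pairs):
    """Simplified Switch(source, default, key1, value1, key2, value2, ...)."""
    return dict(zip(pairs[0::2], pairs[1::2])).get(source, default)


def join(separator, *parts):
    """Simplified Join(separator, source1, source2, ...) for plain strings."""
    return separator.join(parts)


def to_scim_user(entra_user, migrated_from_jit=False):
    """Build the SCIM User resource that the listed mappings produce."""
    # Migration note from the page: former JIT tenants take userName from mail.
    user_name_source = "mail" if migrated_from_jit else "userPrincipalName"
    active = switch(str(entra_user["IsSoftDeleted"]), "",
                    "False", "True", "True", "False")
    if active == "":
        # The mapping's default is empty; refuse to guess an account state.
        raise ValueError("IsSoftDeleted is neither True nor False")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": entra_user[user_name_source],
        "active": active == "True",  # RFC 7643 defines active as a boolean
        "emails": [{"type": "work", "value": entra_user["mail"]}],
        "name": {
            "givenName": entra_user["givenName"],
            "familyName": join(" ", entra_user["givenName"],
                               entra_user["surname"]),
        },
    }


# Constructed sample records, not real accounts.
ACTIVE_USER = {"userPrincipalName": "avery@example.com",
               "mail": "avery.lee@example.com", "givenName": "Avery",
               "surname": "Lee", "IsSoftDeleted": False}
DELETED_USER = dict(ACTIVE_USER, IsSoftDeleted=True)

if __name__ == "__main__":
    for record in (ACTIVE_USER, DELETED_USER):
        print(json.dumps(to_scim_user(record), indent=2))
```

Comparing the two printed resources shows the deprovisioning path: the soft-deleted record is sent with active set to false rather than being left enabled.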