Azure Entra ID SCIM Sync

docs/integrations/secret-syncs/azure-entra-id-scim.mdx


Prerequisites:

How It Works

The Azure Entra ID SCIM Sync lets you manage SCIM provisioning tokens for your Azure Entra ID Enterprise Applications through Infisical. Each sync manages the token for a single Enterprise Application — if you use SCIM provisioning across multiple apps, you'll need a separate sync for each one.

Example workflow:

  1. You have an Enterprise Application (e.g., ServiceNow) in Azure Entra ID with SCIM provisioning already configured.
  2. You obtain the SCIM bearer token from the third-party service (e.g., from ServiceNow's admin panel) and store it as a secret in Infisical.
  3. You create an Azure Entra ID SCIM Sync that points to this secret and targets the Enterprise Application.
  4. Infisical pushes the token value to Azure, keeping your SCIM provisioning credentials in sync.
  5. When the third-party service rotates the token, you update the secret in Infisical — the new value is automatically synced to Azure.

<Warning>
    The selected secret's value **must** be a valid SCIM bearer token obtained from the third-party service. When a sync runs, it overwrites the existing SCIM token on the Enterprise Application with the secret's current value. If the secret contains an incorrect value, it will break SCIM provisioning for that application.
</Warning>

<Tabs>
<Tab title="Infisical UI">
    <Steps>
        <Step title="Add Sync">
            Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
            ![Secret Syncs Tab](/images/secret-syncs/general/secret-sync-tab.png)
        </Step>
        <Step title="Select 'Azure Entra ID SCIM'">
            ![Select Azure Entra ID SCIM](/images/secret-syncs/azure-entra-id-scim-token/select-option.png)
        </Step>
        <Step title="Configure source">
            Configure the **Source** from where the secret should be retrieved, then click **Next**.

            ![Configure Source](/images/secret-syncs/azure-entra-id-scim-token/configure-source.png)

            - **Environment**: The project environment to retrieve the secret from.
            - **Secret Path**: The folder path to retrieve the secret from.
            - **Secret**: The secret containing the SCIM bearer token obtained from the third-party service. This value will be pushed to the Enterprise Application's SCIM configuration in Azure.
        </Step>
        <Step title="Configure destination">
            Configure the **Destination** to where the SCIM token should be deployed, then click **Next**.

            ![Configure Destination](/images/secret-syncs/azure-entra-id-scim-token/configure-destination.png)

            - **Azure Entra ID Connection**: The Azure Entra ID Connection to authenticate with.
            - **Service Principal**: The Enterprise Application service principal to sync the SCIM token to.
        </Step>
        <Step title="Configure sync options">
            Configure the **Sync Options** to specify how the sync should behave, then click **Next**.

            ![Configure Sync Options](/images/secret-syncs/azure-entra-id-scim-token/configure-sync-options.png)

            - **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync. For SCIM token syncing, only **Overwrite Destination** is supported since import is not available. Please note that this will overwrite your current token with the selected secret value.
            - **Auto-Sync Enabled**: If enabled, the SCIM token will automatically be synced when the source secret changes. Disable to enforce manual syncing only.
        </Step>
        <Step title="Configure details">
            Configure the **Details** of your Azure Entra ID SCIM Sync, then click **Next**.

            ![Configure Details](/images/secret-syncs/azure-entra-id-scim-token/configure-details.png)

            - **Name**: The name of your sync. Must be slug-friendly.
            - **Description**: An optional description for your sync.
        </Step>
        <Step title="Review configuration">
            Review your Azure Entra ID SCIM Sync configuration, then click **Create Sync**.

            ![Review Configuration](/images/secret-syncs/azure-entra-id-scim-token/review-configuration.png)
        </Step>
        <Step title="Sync created">
            If enabled, your Azure Entra ID SCIM Sync will begin syncing the secret to the destination service principal.

            ![Sync Created](/images/secret-syncs/azure-entra-id-scim-token/sync-created.png)
        </Step>
    </Steps>
</Tab>
<Tab title="API">
    To create an **Azure Entra ID SCIM Sync**, make an API request to the [Create Azure Entra ID SCIM Sync](/api-reference/endpoints/secret-syncs/azure-entra-id-scim/create) API endpoint.

    ### Sample request

    ```bash Request
    curl --request POST \
      --url https://app.infisical.com/api/v1/secret-syncs/azure-entra-id-scim \
      --header 'Content-Type: application/json' \
      --data '{
        "name": "my-azure-scim-sync",
        "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "description": "an example SCIM token sync",
        "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "environment": "dev",
        "secretPath": "/my-secrets",
        "isEnabled": true,
        "syncOptions": {
            "initialSyncBehavior": "overwrite-destination",
            "secretKey": "MY_SCIM_TOKEN"
        },
        "destinationConfig": {
            "servicePrincipalId": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
        }
    }'
    ```

    ### Sample response

    ```json Response
    {
        "secretSync": {
            "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "name": "my-azure-scim-sync",
            "description": "an example SCIM token sync",
            "isEnabled": true,
            "version": 1,
            "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "createdAt": "2023-11-07T05:31:56Z",
            "updatedAt": "2023-11-07T05:31:56Z",
            "syncStatus": "succeeded",
            "lastSyncJobId": "123",
            "lastSyncMessage": null,
            "lastSyncedAt": "2023-11-07T05:31:56Z",
            "importStatus": null,
            "lastImportJobId": null,
            "lastImportMessage": null,
            "lastImportedAt": null,
            "removeStatus": null,
            "lastRemoveJobId": null,
            "lastRemoveMessage": null,
            "lastRemovedAt": null,
            "syncOptions": {
                "initialSyncBehavior": "overwrite-destination",
                "secretId": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
            },
            "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "connection": {
                "app": "azure-entra-id",
                "name": "my-azure-entra-id-connection",
                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
            },
            "environment": {
                "slug": "dev",
                "name": "Development",
                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
            },
            "folder": {
                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
                "path": "/my-secrets"
            },
            "destination": "azure-entra-id-scim",
            "destinationConfig": {
                "servicePrincipalId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
                "servicePrincipalDisplayName": "My SCIM App"
            }
        }
    }
    ```
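    The following Python helper is an added example, not part of Infisical's docs or SDK. It builds the request body shown above with the page's constraints enforced up front (slug-friendly name, a `/`-prefixed secret path, and `overwrite-destination` as the only supported initial behavior, since a wrong value overwrites the live SCIM token), then checks the documented response shape; the `Authorization: Bearer` header and the slug pattern are assumptions, as the sample request omits authentication.

    ```python
    import json
    import re
    import urllib.request

    # Endpoint taken from the page's sample request (cloud instance base URL).
    INFISICAL_URL = "https://app.infisical.com"
    CREATE_PATH = "/api/v1/secret-syncs/azure-entra-id-scim"
    # Assumed interpretation of "slug-friendly": lowercase alphanumerics joined by single hyphens.
    SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")


    def build_create_body(name, project_id, connection_id, environment, secret_path,
                          secret_key, service_principal_id, description="", is_enabled=True):
        """Assemble the create-sync body from the page, rejecting inputs that would
        either fail validation or point the sync at the wrong source secret."""
        if not SLUG_RE.match(name):
            raise ValueError(f"sync name must be slug-friendly: {name!r}")
        if not secret_path.startswith("/"):
            raise ValueError("secretPath is a folder path and must start with '/'")
        if not secret_key:
            raise ValueError("secretKey must name the secret holding the SCIM bearer token")
        return {
            "name": name,
            "projectId": project_id,
            "description": description,
            "connectionId": connection_id,
            "environment": environment,
            "secretPath": secret_path,
            "isEnabled": is_enabled,
            # Import is unavailable for SCIM tokens, so overwrite is the only valid behavior.
            "syncOptions": {"initialSyncBehavior": "overwrite-destination", "secretKey": secret_key},
            "destinationConfig": {"servicePrincipalId": service_principal_id},
        }


    def check_sync_response(resp):
        """Validate a create response against the documented shape and surface a failed
        first sync (which would leave the app's SCIM token unchanged or broken)."""
        sync = resp["secretSync"]
        if sync.get("destination") != "azure-entra-id-scim":
            raise RuntimeError(f"unexpected destination {sync.get('destination')!r}")
        if sync["syncOptions"].get("initialSyncBehavior") != "overwrite-destination":
            raise RuntimeError("server did not apply overwrite-destination")
        if sync.get("syncStatus") == "failed":
            raise RuntimeError(f"initial sync failed: {sync.get('lastSyncMessage')}")
        return sync["destinationConfig"]["servicePrincipalId"], sync.get("syncStatus")


    def create_sync(api_token, body, base_url=INFISICAL_URL):
        """POST the body. The Bearer Authorization header is an assumption (the page's curl omits auth)."""
        req = urllib.request.Request(base_url + CREATE_PATH, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json",
                                              "Authorization": f"Bearer {api_token}"}, method="POST")
        with urllib.request.urlopen(req, timeout=30) as r:
            return check_sync_response(json.load(r))
    ```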
</Tab>
</Tabs>