# Set up SCIM with Microsoft Entra

> Automate the provisioning and deprovisioning of Entra users

## Prerequisites

Before you set up [System for Cross-domain Identity Management (SCIM)](/cloud/organizations/sso/scim.md) for Entra, ensure these requirements are met:

* You have set up single sign-on (SSO) for an organization in [Unity Cloud](https://cloud.unity.com/). You have added, to your SSO setup, the domains whose users you want to automate provisioning for. Unity has validated these domains. Read more about [creating an organization](/cloud/organizations/create-organization.md) and [setting up SSO](/cloud/organizations/sso/configure-sso.md).
* An Entra instance exists and manages these users.
* An existing Entra application is set up with Unity SSO.

## 1. Provision a service account

Before you configure SCIM, provision a Unity service account:

1. Go to the [Unity Dashboard](https://cloud.unity.com/).

2. To switch to the organization for which you want to set up SCIM, select your organization name, select **Switch organization**, and then select an organization.

3. Go to **Administration** > **Service accounts**.

4. To create a service account, select **New**.

5. Enter a name and a description for the service account, and then select **Create**.

   Unity creates a service account and displays its details.

6. Assign the SCIM Authenticator role to the account:

   1. In the **Organization Roles** section, select **Manage Organization Roles**.
   2. Set **Admin** to `SCIM Authenticator`, and then select **Save**.

7. Create a long-lived bearer token that the service account uses to authenticate:

   1. In the **Bearer tokens** section, select **Add bearer token**.
   2. Copy the bearer token and store it securely.

      Your Identity Provider (IdP) service requires this information.

Read more about [creating a Unity service account](https://services.docs.unity.com/docs/service-account-auth/#create-a-service-account) in the Unity Services documentation.

## 2. Fetch the SCIM connector URL for your organization

1. On a new tab, go to the [Unity Dashboard](https://cloud.unity.com/).
2. Switch to the organization for which you want to set up SCIM.
3. Go to **Administration** > **Single sign on**.
4. In the **SCIM** section, locate the field for the SCIM base connector URL and copy the value.

   Your IdP service requires this information.

## 3. In Entra, turn on SCIM for the provisioning of users

1. On a new tab, sign in to your Microsoft Entra admin instance with an admin account.

2. Go to **Entra ID** > **Enterprise Apps**, and then select your Unity SSO application.

3. On the **Overview** tab, select **Provision User Accounts**.

4. Select **Create configuration** > **Connect your application**.

5. Set this configuration:

   * Select authentication method: bearer authentication
   * Tenant URL: the value of the SCIM base connector URL that you have copied from Unity Cloud
   * Secret token: the long-lived bearer token that you have generated for your service account

6. Select **Test Connection**.

   Entra verifies the setup and informs you of any errors.

7. Select **Start provisioning**.

   Entra starts the batch provisioning of users, which runs every 40 minutes. Entra begins by provisioning the users that you have already added to this application.
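
A pre-flight check for the two values entered in step 5, as an added example that is not part of Unity's or Microsoft's documentation: it validates the connector URL and token, then sends one read-only SCIM query for a user name that cannot exist. It assumes the endpoint follows standard SCIM 2.0 (RFC 7644); the function names and the status-code interpretations are illustrative assumptions.

```python
import json
import uuid
from urllib.error import HTTPError
from urllib.parse import quote, urlencode, urlsplit
from urllib.request import Request, urlopen

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"  # RFC 7644

def build_probe(base_url, token):
    """Build a filter query for a random user name (assumes an RFC 7644 endpoint)."""
    base_url = base_url.strip().rstrip("/")
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("SCIM base URL must be an absolute https:// URL")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("SCIM base URL must not carry credentials, query or fragment")
    token = token.strip()
    if not token or any(c.isspace() for c in token):
        raise ValueError("bearer token is empty or contains whitespace")
    query = urlencode({"filter": f'userName eq "{uuid.uuid4()}"'}, quote_via=quote)
    return Request(f"{base_url}/Users?{query}", headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/scim+json",
    })

def interpret(status, body):
    """Map the answer to a setup diagnosis (assumed meanings, not Unity's docs)."""
    if status in (401, 403):
        return "rejected: check the token and the SCIM Authenticator role"
    if status == 404:
        return "not found: check the SCIM base connector URL"
    if status != 200:
        return f"unexpected HTTP {status}"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not SCIM: response is not JSON"
    if not isinstance(doc, dict) or LIST_RESPONSE not in (doc.get("schemas") or []):
        return "not SCIM: no ListResponse schema"
    return "ok"

def probe(base_url, token):
    """Send the probe and return the diagnosis; needs network access."""
    req = build_probe(base_url, token)
    try:
        with urlopen(req, timeout=10) as resp:
            return interpret(resp.status, resp.read())
    except HTTPError as err:
        return interpret(err.code, err.read())
```

Pass the token to `probe` from a secrets store or an environment variable rather than hard-coding it in a script.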

## 4. In Entra, provision users on demand

To trigger the immediate provisioning of specific Entra users, complete these steps:

1. Ensure that the users have been added to the application:

   1. Go to **Users and groups**.
   2. If the users aren't listed as members of the application, select **Add user/group** to add them.

2. Go to **Provision on demand**.

3. Select the users you want to immediately provision, and then select **Provision**.

   Entra immediately provisions these users.

## Next steps

[Optionally, enforce SCIM provisioning](/cloud/organizations/sso/enforce-scim-provisioning.md)
