Managing Users and Readers with SCIM in Entra

SCIM integration with Microsoft Entra allows you to manage Document360 users, readers, and groups directly from Entra in an automated and centrally controlled manner.

When a new user is added in Entra, their Document360 account is provisioned automatically. Any updates to their role or group membership are synced in real time, and when a user is deactivated or removed in Entra, the same is reflected in Document360 without any manual intervention. This eliminates the need for separate account management in Document360 and ensures that user data remains accurate and up to date across both platforms.


Why manage users and readers through SCIM

Managing users manually across multiple platforms is time-consuming and creates risk. Without SCIM, administrators must remember to add new employees to Document360 separately and manually revoke access when someone leaves. Mistakes can result in unauthorized access or delayed onboarding.

With SCIM enabled between Microsoft Entra and Document360:

  • New employees are provisioned to Document360 automatically when added in Entra — no separate setup required.
  • Role assignments are consistent and controlled through a single source of truth in your IdP.
  • When a user is deleted in Entra, their access to Document360 is revoked automatically.
  • Group membership changes in Entra are reflected in Document360 in real time.
  • Content access remains manageable from within Document360 even when identity is controlled by Entra.

Before you begin

SCIM provisioning in Document360 is set up as part of your SSO configuration. Ensure the following are completed before proceeding:

  • Your Microsoft Entra application must be created as a Non-Gallery app using: New application > Create your own application > Integrate any other application you don't find in the gallery. If you use a Gallery app, SCIM provisioning will not be available.
  • SAML SSO must be fully configured and working between Microsoft Entra and Document360.
  • SCIM provisioning must be enabled in Document360. Navigate to Settings > Users & permissions > SSO Configuration, open your SSO setup, and confirm the Enable SCIM provisioning toggle is turned on.

Set up SAML with Entra →

NOTE

SCIM provisioning with Microsoft Entra is only supported through SAML. OpenID Connect with Entra does not support SCIM provisioning in Document360.


Start provisioning

To start provisioning in Entra, ensure you have already created and integrated SCIM with Entra. Once done:

  1. Navigate to your SCIM application in Entra and click Start provisioning.
  2. In the confirmation dialog, click Yes.
Overview page of Document360 SCIM SSO with provisioning options highlighted.

With SCIM, you can manage readers, users, and groups, and any changes made will be automatically synced to Document360.


Assign attribute mapping

To create a new attribute mapping for the User role condition:

  1. Open the Enterprise app tab and select your SCIM SSO application.
  2. Navigate to the Provisioning tab, then select Attribute mapping (Preview) from the left menu and click Provision Microsoft Entra ID Users.
  3. Scroll down to the Attribute mappings section, select the Show advanced options checkbox and then click Edit attribute list for customappsso to proceed.
Attribute mapping settings in Microsoft Entra admin center.
  4. On the Edit attribute list page, scroll down, enter the attribute name (URN) in the Name field, and set the Type to Boolean from the dropdown, as shown below.
     Name: urn:ietf:params:scim:schemas:extension:document360:2.0:User:isTeamAccount
     Type: Boolean
Editing the attribute list for SCIM SSO with highlighted Boolean option.

NOTE

Ensure there is no whitespace when entering the attribute name (URN) in the Name field.

  5. Click Save, then click Yes in the confirmation dialog.

Use Expression Builder to map roles

You can configure an attribute mapping expression in Entra that evaluates each user's existing profile attribute, such as Job Title, and automatically determines whether they should be provisioned as a User or a Reader in Document360.

The expression maps directly to the isTeamAccount attribute:

  • isTeamAccount = True → provisioned as a User
  • isTeamAccount = False → provisioned as a Reader

Steps to configure:

  1. Open your SCIM SSO application in Entra and navigate to Provisioning > Attribute Mappings.
  2. Locate the isTeamAccount attribute and click the Edit icon next to it. This will navigate to the Edit Attribute page.
  3. Set the Mapping type to Expression.
  4. Enter your expression in the expression field. The expression evaluates each user's profile attribute and determines whether they should be provisioned as a User or a Reader. Click the Use the expression builder link below the expression field to visually build and test your expression against a real user in your directory before applying it.

NOTE

For more information on building and testing expressions in Entra, refer to Microsoft's Expression Builder documentation.

  5. Set the Default value if null (optional) to False. This ensures that any user without a matching attribute value is provisioned as a Reader by default.
  6. Click Ok to save the attribute.
Expression mapping settings for user attributes in Document360 SCIM SSO configuration.

Example

If your users have a Job Title attribute in their Entra profile, you can map roles based on their title:

Switch([jobTitle], "False", "Manager", "True", "Senior Manager", "True", "Team Lead", "True")

Users with the title Manager, Senior Manager, or Team Lead are provisioned as Users. Any other Job Title returns False and the user is provisioned as a Reader.
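
The following added example (not part of Document360's or Microsoft's documentation) models the mapping above so you can preview which accounts would receive the higher-privileged User role before provisioning. It assumes Switch compares keys as exact strings; the function names and sample accounts are constructed for illustration, so confirm real behaviour in the expression builder.

```python
# Added example: models the page's Switch() mapping to preview role assignment.
# Assumption: keys are compared as exact strings; confirm the real behaviour
# in Entra's expression builder before relying on this preview.

def switch(source, default, *pairs):
    """Switch(source, defaultValue, key1, value1, ...) as used on this page."""
    if len(pairs) % 2:
        raise ValueError("keys and values must come in pairs")
    table = dict(zip(pairs[0::2], pairs[1::2]))
    return table.get(source, default)

PRIVILEGED_TITLES = ("Manager", "Senior Manager", "Team Lead")

def is_team_account(job_title, default_if_null=False):
    """Return the isTeamAccount boolean for one directory user."""
    if job_title is None:  # "Default value if null" set to False
        return default_if_null
    args = [x for t in PRIVILEGED_TITLES for x in (t, "True")]
    return switch(job_title, "False", *args) == "True"

def preview(users):
    """Map each user to a role and flag titles that only match after cleanup."""
    normalized = {t.casefold() for t in PRIVILEGED_TITLES}
    report = []
    for upn, title in users:
        role = "User" if is_team_account(title) else "Reader"
        # A Reader whose title matches once trimmed/case-folded deserves review.
        near_miss = (role == "Reader" and title is not None
                     and title.strip().casefold() in normalized)
        report.append({"upn": upn, "role": role, "review": near_miss})
    return report

# Constructed sample directory export (not real accounts).
SAMPLE_USERS = [
    ("ana@example.com", "Manager"),
    ("bo@example.com", "Team Lead"),
    ("cy@example.com", "Technical Writer"),
    ("di@example.com", None),
    ("ed@example.com", "senior manager "),
]

if __name__ == "__main__":
    for row in preview(SAMPLE_USERS):
        print(row)
```

Rows marked review are titles that fall through to Reader only because of casing or stray whitespace, which is worth correcting in the directory rather than widening the expression.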


Create users, readers, and groups

Create a user

  1. Expand the Entra ID dropdown in the left navigation bar and click Users.
  2. Click New user > Create new user and fill in the required user details.
Microsoft Entra admin center showing user management options and user list.
  3. Click Create + review, then click Create to finalize and create the user.

Once the user is created and provisioned, Document360 automatically determines their role based on the expression configured in the Expression Builder and provisions them accordingly as a User.

Assign user to application

  1. Click Enterprise apps in the left navigation bar and locate your SCIM SSO application.
  2. Select the application and navigate to the Users and groups tab, then click Add user/group.
Microsoft Entra admin center showing users and groups management options.
  3. On the Add assignments page, click Users and groups, search for the user in the search bar, then click Select > Assign. The user has been successfully assigned to the application.
Assigning a user to an application in Microsoft Entra.
  4. To push the user to Document360, navigate to the Provisioning tab in the left menu and click Provision on demand.
  5. In the Selected user search bar, search for and select the user, then click Provision.
Provisioning on demand for users in Microsoft Entra admin center interface.

The user will be automatically added to Document360. To verify, go to Document360 and navigate to Settings > Users & permissions > Readers & groups.


Create a reader

  1. Expand the Entra ID dropdown in the left navigation bar and click Users.
  2. Click New user > Create new user and fill in the required user details.
  3. Click Create + review, then click Create to finalize and create the reader.
Microsoft Entra admin center showing users and groups management interface.

Once the user is created and provisioned, Document360 automatically determines their role based on the expression configured in the Expression Builder and provisions them accordingly as a Reader.

Assign reader to application

  1. Click Enterprise apps in the left navigation bar and locate your SCIM SSO application.
  2. Select the application and navigate to the Users and groups tab, then click Add user/group.
  3. On the Add assignments page, click Users and groups, search for the user in the search bar, then click Select > Assign. The user has been successfully assigned to the application.
Assigning a reader to an application in Microsoft Entra.
  4. To push the reader to Document360, navigate to the Provisioning tab in the left menu and click Provision on demand.
  5. In the Selected user search bar, search for and select the user, then click Provision.
Provisioning on demand for users in Microsoft Entra admin center interface.
  6. The reader will be automatically added to Document360. To verify, go to Document360 and navigate to Settings > Users & permissions > Readers & groups.
User management interface displaying active readers and their access details.

Create a group

  1. Open the Groups tab in the left menu and click New Group.
  2. Fill in the required details and click Create.
Overview of Microsoft Entra admin center with highlighted options for groups and new group.

Assign group to application

  1. Navigate to Enterprise apps and select your SCIM SSO application.
  2. Open the Users and groups tab, click Add user/group, then click None selected under Users and groups and search for the group name.
  3. Select the group and click Assign.
Assigning a group to an application in Microsoft Entra.

To provision the group to Document360:

  1. Navigate to the Provisioning on demand tab, search for the group name, and click Provision.
Provisioning settings for Document360 SCIM SSO with selected group and user options.
  2. Use the radio buttons to select the number of users or members in the group.
  3. The group will be successfully added to Document360. To verify, go to Document360 and navigate to Settings > Users & permissions > Readers & groups > Reader group tab.
Overview of reader groups and permissions management in the knowledge base portal.

Manage content access for users, readers, and groups

In Document360, user and group names cannot be edited or deleted directly — these actions must be managed from Entra. However, you can still manage roles, permissions, and content access within Document360.

  1. Select the desired user and click Manage content access.
  2. In the dialog, use the dropdowns to select the desired content access.
  3. If needed, you can also manage group assignments and add the user to a desired group.
User management interface showing content access and group management options.
  4. Click Update to confirm and save the changes.

Update a user, reader, or group

To make changes to a user or group name:

  1. In the left navigation bar, click Users and search for the user in the search bar, then click Select.
  2. On the user's Overview page, open the Properties tab and click the Edit icon to make the necessary changes.
User management interface displaying user details and properties in Microsoft Entra admin center.
  3. Once changes are made, click Save.
  4. To reflect these changes in Document360, navigate to Enterprise apps > SCIM SSO app > Provisioning > Provision on demand.
  5. Select the updated user in the Provisioning on demand page, then click Provision.
Provisioning on demand for users in Microsoft Entra admin center interface.

The updated user details will now be reflected in Document360.


Delete a user, reader, or group

To delete a user, reader, or group:

  1. Open the Users tab in the left menu, then search and select the desired user.
  2. Click Delete.
User management interface showing search results for user 'Jane' in Microsoft Entra.

The user is deleted successfully. This change will be reflected in Document360.

NOTE

Deleting a user in Entra does not remove the user profile from Document360. Instead, the status of the user will change from Active to Inactive.


Inherit from another application

When creating a new SSO configuration in Document360, you can inherit SCIM settings from an existing SSO connection. This approach simplifies the setup process, avoids repeating configuration steps, and helps administrators save time while ensuring consistency across integrations.

Child inherited SSO configuration

On the Configure Identity Provider (IdP) page, select the Configure an existing connection field and choose the parent SSO SCIM-enabled application you want to inherit from. Selecting this option designates the current project as the child project, inheriting all relevant properties from the parent.

Configuration settings for Identity Provider with selected connection details displayed prominently.

NOTE

Once the SSO configuration is created, the SCIM provisioning settings will be inherited from the parent application and cannot be modified in the child application.

Parent inherited SSO configuration

The parent application will display a list of all projects that have inherited its configuration. Any changes made to the parent application will automatically be reflected in the child application.

SCIM provisioning settings with project details and configuration instructions displayed.
  • If SCIM is enabled in the parent project after child projects have already inherited it, the users and groups will be automatically provisioned to all child projects in the background.
  • Enabling inheritance makes it easier to manage multiple SSO configurations with SCIM enabled, as all settings are controlled from one parent application. This saves time and reduces the effort required to manage each configuration individually.

Best practices

  • Always use a Non-Gallery application in Entra. Gallery applications do not support custom SCIM provisioning. Always select Create your own application and choose Integrate any other application you don't find in the gallery when creating your Entra application.
  • Always set isTeamAccount at the user level, not the group level. Users who belong to multiple groups with conflicting values may receive incorrect roles in Document360. Setting it at the user level ensures each user has one clear, consistent value.
  • Set the default value for isTeamAccount to False. This ensures that any user without a matching attribute value is provisioned as a Reader by default, rather than failing or receiving an unintended role.
  • Complete and save the Document360 SSO configuration before testing the SCIM connection. Testing before the Document360 configuration is saved will always fail. Always finish the Document360 setup first, then return to Entra to test the connection.
  • Store your primary and secondary secret tokens securely. Tokens are displayed only once at the time of creation. Store them in a secrets manager or password vault. If a token is compromised, regenerate it immediately and update your Entra configuration without delay.
  • Use the secondary token for safe rotation. If the primary token needs to be replaced, switch Entra to the secondary token first, then regenerate the primary. This ensures user provisioning continues without interruption during the transition.
  • Always use Provision on demand to push individual users and groups. This gives you precise control over which users are provisioned and allows you to verify each one before a full sync.
  • Deleting a user in Entra does not remove them from Document360. Their status changes to Inactive in Document360. Reactivate the account in Entra if access needs to be restored.