Managing Users and Readers with SCIM in Entra


Plans supporting this feature: Enterprise

SCIM (System for Cross-domain Identity Management) is an open standard protocol that automates user provisioning and deprovisioning between identity providers and applications. When integrated with Microsoft Entra, SCIM allows you to automatically sync users, readers, and groups from Entra to Document360, eliminating the need for manual user management. Any changes made in Entra, such as adding, updating, or deactivating users, are automatically reflected in Document360, ensuring your team always has the right level of access.

Start Provisioning

To start provisioning in Entra, ensure you have already created and integrated SCIM with Entra. Once done:

  1. Navigate to your SCIM application in Entra and click Start provisioning.

  2. In the confirmation dialog, click Yes.

Overview page of Document360 SCIM SSO with provisioning options highlighted.

With SCIM, you can manage readers, users, and groups, and any changes made will be automatically synced to Document360.

Create Reader

To create a new Reader in Entra:

  1. Expand the Entra ID dropdown in the left navigation bar and click Users.

  2. Click New user > Create new user and fill in the required user details.

  3. Click Create + review, then click Create to finalize and create the Reader.

Microsoft Entra admin center showing users and groups management interface.

The Reader is successfully created.


Assign Reader to application

Once the user/reader has been created, you can assign them to the desired application.

  1. Click Enterprise apps in the left navigation bar and locate your SCIM SSO application.

  2. Select the application and navigate to the Users and groups tab, then click Add user/group.

  3. On the Add assignments page, click Users and groups, search for the user in the search bar, then click Select > Assign. The user has been successfully assigned to the application.

  4. To push the user to Document360, navigate to the Provisioning tab in the left menu and click Provision on demand.

  5. In the Selected user search bar, search for and select the user, then click Provision.

Provisioning on demand for users in Microsoft Entra admin center interface.

  6. The user will be automatically added to Document360. To verify, go to Document360 and navigate to Settings > Users & permissions > Readers & groups.

User management interface displaying active readers and their access details.

Create User

To create a new User:

  1. Expand the Entra ID dropdown in the left navigation bar and click Users.

  2. Click New user > Create new user and fill in the required user details.

Microsoft Entra admin center showing user management options and user list.

  3. Click Create + review, then click Create to finalize and create the User.

The User is successfully created.

Assign attribute mapping

To create a new attribute mapping for the User role condition:

  1. Open the Enterprise apps tab and select your SCIM SSO application.

  2. Navigate to the Provisioning tab, then select Attribute mapping (Preview) from the left menu and click Provision Microsoft Entra ID Users.

  3. Scroll down to the Attribute mappings section, select the Show advanced options checkbox and then click Edit attribute list for customappsso to proceed.

  4. On the Edit attribute list page, scroll down, enter the URL parameter in the Name field, and set the Type to Boolean from the dropdown, as shown below.

Name | Type
urn:ietf:params:scim:schemas:extension:document360:2.0:User:isTeamAccount | Boolean

Editing the attribute list for SCIM SSO with highlighted Boolean option.

 NOTE

Ensure there are no whitespaces when entering the URL parameter in the Name field.

  5. Click Save, then click Yes in the confirmation dialog.

  6. On the Attribute Mapping page, click Add New Mapping and fill in the required details as shown below.

Microsoft Entra admin center showing attribute mapping options and add new mapping feature.

Label | Value
Mapping type | Constant
Constant Value | True
Target attribute | urn:ietf:params:scim:schemas:extension:document360:2.0:User:isTeamAccount

Editing attribute mapping in Microsoft Entra admin center with highlighted fields.

  7. Once all fields are filled in, click Ok and then Save.
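A way to check what this mapping produces on the wire, as an added example rather than Document360 or Microsoft code: it splits the attribute name from the steps above into its extension schema and attribute, then classifies SCIM User resources by the value they carry. The function names, the nested JSON shape of the extension, the rule that a true value means User and a missing one means Reader, and the sample resources are all assumptions made for illustration.

```python
import re

# Attribute name exactly as the page has it entered in the Entra "Name" field.
TEAM_ACCOUNT_ATTR = (
    "urn:ietf:params:scim:schemas:extension:document360:2.0:User:isTeamAccount"
)
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core schema


def split_attribute_name(name):
    """Split a schema-qualified name into (extension schema URN, attribute)."""
    if re.search(r"\s", name):
        # The page's NOTE: no whitespace is allowed in the Name field.
        raise ValueError("attribute name contains whitespace: %r" % name)
    schema, _, attr = name.rpartition(":")
    if not schema.startswith("urn:") or not attr:
        raise ValueError("not a schema-qualified attribute name: %r" % name)
    return schema, attr


def classify(resource, attr_name=TEAM_ACCOUNT_ATTR):
    """Return 'user', 'reader' or 'invalid' for one SCIM User resource."""
    schema, attr = split_attribute_name(attr_name)
    ext = resource.get(schema)
    if ext is None:
        return "reader"  # assumption: no extension object means a Reader
    if not isinstance(ext, dict):
        return "invalid"
    value = ext.get(attr)
    if value is True:
        return "user"  # assumption: true marks a team account (User)
    if value is False or value is None:
        return "reader"
    return "invalid"  # e.g. the string "True": Type was not set to Boolean


EXT = split_attribute_name(TEAM_ACCOUNT_ATTR)[0]
# Constructed sample resources, not captured traffic.
SAMPLES = [
    {"schemas": [CORE_USER, EXT], "userName": "jane@example.com",
     EXT: {"isTeamAccount": True}},
    {"schemas": [CORE_USER], "userName": "rob@example.com"},
    {"schemas": [CORE_USER, EXT], "userName": "lee@example.com",
     EXT: {"isTeamAccount": "True"}},
]


def audit(resources):
    """Map each userName to the role the resource would be provisioned with."""
    return {r["userName"]: classify(r) for r in resources}


if __name__ == "__main__":
    for user_name, role in audit(SAMPLES).items():
        print(user_name, role)
```

Because the mapping type is Constant, every user provisioned through that application carries the same value, so an unexpected "user" result points at the mapping rather than at the individual account.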


Assign User to application

Once the user/reader has been created, you can assign them to the desired application.

  1. Click Enterprise apps in the left navigation bar and locate your SCIM SSO application.

  2. Select the application and navigate to the Users and groups tab, then click Add user/group.

Microsoft Entra admin center showing users and groups management options.

  3. On the Add assignments page, click Users and groups, search for the user in the search bar, then click Select > Assign. The user has been successfully assigned to the application.

  4. To push the user to Document360, navigate to the Provisioning tab in the left menu and click Provision on demand.

  5. In the Selected user search bar, search for and select the user, then click Provision.

Provisioning on demand for users in Microsoft Entra admin center interface.

The user will be automatically added to Document360. To verify, go to Document360 and navigate to Settings > Users & permissions > Readers & groups.

Create group

To create a new group in Entra:

  1. Open the Groups tab in the left menu and click New Group.

  2. Fill in the required details and click Create.

Overview of Microsoft Entra admin center with highlighted options for groups and new group.

Assign Group to application

  1. Navigate to Enterprise apps and select your SCIM SSO application.

  2. Open the Users and groups tab, click Add user/group, then click None selected under Users and groups and search for the group name.

  3. Select the group and click Assign.

To provision the group to Document360:

  1. Navigate to the Provisioning on demand tab, search for the group name, and click Provision.

Provisioning settings for Document360 SCIM SSO with selected group and user options.

  2. Use the radio buttons to select the number of users or members in the group.

  3. The group will be successfully added to Document360. To verify, go to Document360 and navigate to Settings > Users & permissions > Readers & groups > Reader group tab.

Overview of reader groups and permissions management in the knowledge base portal.


Manage content access for Users, Readers and groups

In Document360, user and group names cannot be edited or deleted directly; these actions must be managed from Entra. However, you can still manage roles, permissions, and content access within Document360.

  1. Select the desired user and click Manage content access.

  2. In the dialog, use the dropdowns to select the desired content access.

  3. If needed, you can also manage group assignments and add the user to a desired group.

User management interface showing content access and group management options.

  4. Click Update to confirm and save the changes.


Update User, Reader and Groups

To make changes to the user/group name:

  1. In the left navigation bar, click Users and search for the user in the search bar, then click Select.

  2. On the user's Overview page, open the Properties tab and click the Edit icon to make the necessary changes.

User management interface displaying user details and properties in Microsoft Entra admin center.

  3. Once changes are made, click Save.

  4. To reflect these changes in Document360, navigate to Enterprise apps > SCIM SSO app > Provisioning > Provision on demand.

  5. Select the updated user in the Provisioning on demand page, then click Provision.

Provisioning on demand for users in Microsoft Entra admin center interface.

The updated user details will now be reflected in Document360.


Delete User, Reader or Group

To delete a user, reader or group:

  1. Open the Users tab in the left menu, then search for and select the desired user.

  2. Then, click Delete.

User management interface showing search results for user 'Jane' in Microsoft Entra.

The user is deleted successfully. This change will be reflected in Document360.

 NOTE

Deleting a user in Entra does not remove the user profile from Document360. Instead, the status of the user will change from Active to Inactive.


Inherit from another application

When creating a new SSO configuration in Document360, you can inherit SCIM settings from an existing SSO connection. This approach simplifies the setup process, avoids repeating configuration steps, and helps administrators save time while ensuring consistency across integrations.

Child Inherited SSO configuration

On the Configure Identity Provider (IdP) page, select the Configure an existing connection field and choose the parent SSO SCIM-enabled application you want to inherit from. Selecting this option will designate the current project as the child project, inheriting all relevant properties from the parent.

Configuration settings for Identity Provider with selected connection details displayed prominently.

 NOTE

Once the SSO configuration is created, the SCIM provisioning settings will be inherited from the parent application and cannot be modified in the child application.

Parent Inherited SSO Configuration

The parent application will display a list of all projects that have inherited its configuration. Any changes made to the parent application will automatically be reflected in the child application.

SCIM provisioning settings in Okta with project details and configuration instructions displayed.

  • If SCIM is enabled in the parent project after child projects have already inherited it, the users and groups will be automatically provisioned to all child projects in the background.

  • Enabling inheritance makes it easier to manage multiple SSO configurations with SCIM enabled, as all settings are controlled from one parent application. This saves time and reduces the effort required to manage each configuration individually.


Troubleshooting

Sync failed due to a SCIM server error

When adding new users from Okta, this error indicates that one or more users could not be synced to Document360. This may be caused by:

  • Duplicate user provisioning

  • User limit reached based on your current subscription plan

  • Other validation or processing errors

Click View details to see which users failed to sync.

User management interface displaying sync error and user account details.