---
title: "Managing Users and Readers with SCIM in Entra"
slug: "scim-with-entra"
description: "Automate user provisioning with SCIM and Microsoft Entra for seamless access management in Document360, ensuring real-time updates and efficient user control."
updated: 2026-06-03T11:14:14Z
published: 2026-06-03T11:14:14Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.document360.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Managing Users and Readers with SCIM in Entra

**SCIM**(System for Cross-domain Identity Management)****is an open standard protocol that automates user provisioning and deprovisioning between identity providers and applications. When integrated with Microsoft Entra, SCIM allows you to automatically sync users, readers, and groups from Entra to Document360, eliminating the need for manual user management. Any changes made in Entra, such as adding, updating, or deactivating users are automatically reflected in Document360, ensuring your team always has the right level of access.

Before you begin, ensure the following prerequisites are completed:

1. Complete the SCIM setup in Microsoft Entra ID. For setup instructions, see [SAML SSO with Entra](/help/docs/saml-sso-with-entra).
2. Your Microsoft Entra ID application must be created as a **Non-Gallery app** using:

**New application** > **Create your own application** > **Integrate any other application you don't find in the gallery**.

If you use a Gallery app, SCIM provisioning will not be available. See [SAML SSO with Entra](/help/docs/saml-sso-with-entra#adding-an-application-in-the-azure-portal) for more details.
3. SAML SSO must be fully configured and working between Microsoft Entra ID and Document360.
4. SCIM provisioning must be enabled in Document360. Navigate to **Settings**> **Users & permissions** > **SSO Configuration**, open your SSO setup, and confirm the **Enable SCIM provisioning**toggle is turned on.

---

### Start Provisioning

To start provisioning in Entra, ensure you have already created and integrated SCIM with Entra. Once done:

1. Navigate to your SCIM application in Entra and click **Start provisioning**.
2. In the confirmation dialog, click **Yes**.

![Overview page of Document360 SCIM SSO with provisioning options highlighted.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/start provision(1).png)

With SCIM, you can manage readers, users, and groups, and any changes made will be automatically synced to Document360.

---

### Assign attribute mapping

To create a new attribute mapping for the User role condition,

1. Open **Enterprise app** tab and select your SCIM SSO application.
2. Navigate to the **Provisioning**tab, then select **Attribute mapping (Preview)** from the left menu and click **Provision Microsoft Entra ID Users.**
3. Scroll down to the **Attribute mappings** section, select the **Show advanced options**checkbox and then click **Edit attribute list for customappsso**to proceed.

![](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/attribute mapping.gif)

1. On the **Edit attribute** list page, scroll down, enter the URL parameter in the **Name**field, and set the **Type**to **Boolean**from the dropdown, as shown below.

| Name | Type |
| --- | --- |
| urn:ietf:params:scim:schemas:extension:document360:2.0:User:isTeamAccount | Boolean |

![Editing the attribute list for SCIM SSO with highlighted Boolean option.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/boolean(1).png)

> [!NOTE]
> ******NOTE
> 
> Ensure there are no whitespaces when entering the URL parameter in the **Name**field.

1. Click **Save**, then click **Yes**in the confirmation dialog.

---

### Using Expression builder to map roles

You can configure an attribute mapping expression in Entra that evaluates each user's existing profile attribute, such as Job Title, and automatically determines whether they should be provisioned as a **User**or a **Reader**in Document360.

The expression maps directly to the `isTeamAccount` attribute:

- `isTeamAccount` = `True` → provisioned as a **User**
- `isTeamAccount` = `False` → provisioned as a **Reader**

**Steps to configure**

1. Open your SCIM SSO application in Entra and navigate to **Provisioning** > **Attribute Mappings.**
2. Locate the `isTeamAccount` attribute and click the**Edit**icon next to it. This will navigate to the **Edit Attribute** page.
3. Set the **Mapping type** to **Expression**.
4. Enter your expression in the expression field. The expression evaluates each user's profile attribute and determines whether they should be provisioned as a **User**or a Reader. Refer to the**Use the expression builder**link below the expression field to visually build and test your expression against a real user in your directory before applying it.

> [!NOTE]
> ******NOTE
> 
> For more information on building and testing expressions in Entra, refer to Microsoft's[Expression Builder](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/provision-user-with-expression-builder) documentation.

1. Set the **Default value if null (optional)** to **False**, this ensures that any user without a matching attribute value is provisioned as a **Reader**by default.
2. Click **Ok**to save the attribute.

![Expression mapping settings for user attributes in Document360 SCIM SSO configuration.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/expression entra.png)

**Example**

If your users have a Job Title attribute in their Entra profile, you can map roles based on their title:

```plaintext
Switch([jobTitle], "False", "Manager", "True", "Senior Manager", "True", "Team Lead", "True")
```

Users with the title Manager, Senior Manager, or Team Lead are provisioned as **Users**. Any other Job Title returns **False**and the user is provisioned as a **Reader**.

---

## Create User, Reader & Group

**Create User**

## Create User

To create a new User,

1. Expand the **Entra ID** dropdown in the left navigation bar and click **Users.**
2. Click **New user** > **Create new user** and fill in the required user details.

![Microsoft Entra admin center showing user management options and user list.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/create new user.png)

1. Click **Create + review**, then click **Create**to finalize and create the User.

Once the user is created and provisioned, Document360 automatically determines their role based on the expression configured in the Expression Builder and provisions them accordingly as a **User.**

---

## Assign User to application

Once the user/reader has been created, you can assign them to desired application.

1. Click **Enterprise**apps in the left navigation bar and locate your SCIM SSO application.
2. Select the application and navigate to the **Users and groups** tab, then click **Add user/group**.

![Microsoft Entra admin center showing users and groups management options.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/add user.png)

1. On the **Add assignments** page, click **Users and groups**, search for the user in the search bar, then click **Select**> **Assign**. The user has been successfully assigned to the application.

![](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/assign user to app.gif)

1. To push the user to Document360, navigate to the **Provisioning**tab in the left menu and click **Provision on demand**.
2. In the **Selected user** search bar, search for and select the user, then click **Provision**.

![Provisioning on demand for users in Microsoft Entra admin center interface.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/provision user.png)

The user will be automatically added to Document360. To verify, go to Document360 and navigate to **Settings**> **Users & permissions** > **Readers & groups.**

**Create Reader**

## Create Reader

To create a new Reader in Entra,

1. Expand the **Entra ID** dropdown in the left navigation bar and click **Users.**
2. Click **New user** > **Create new user** and fill in the required user details.
3. Click **Create + review**, then click **Create**to finalize and create the Reader.

![Microsoft Entra admin center showing users and groups management interface.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/add user(1).png)

Once the user is created and provisioned, Document360 automatically determines their role based on the expression configured in the Expression Builder and provisions them accordingly as a **Reader**.

---

### Assign Reader to application

Once the user/reader has been created, you can assign them to desired application.

1. Click **Enterprise**apps in the left navigation bar and locate your SCIM SSO application.
2. Select the application and navigate to the **Users and groups** tab, then click **Add user/group**.
3. On the **Add assignments** page, click **Users and groups**, search for the user in the search bar, then click **Select**> **Assign**. The user has been successfully assigned to the application.

![](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/assign user to app(1).gif)

1. To push the user to Document360, navigate to the **Provisioning**tab in the left menu and click **Provision on demand**.
2. In the **Selected user** search bar, search for and select the user, then click **Provision**.

![Provisioning on demand for users in Microsoft Entra admin center interface.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/provision user(1).png)

1. The reader will be automatically added to Document360. To verify, go to Document360 and navigate to **Settings**> **Users & permissions** > **Readers & groups.**

![User management interface displaying active readers and their access details.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/d360.png)

**Create Group**

## Create group

To create a new group in Entra:

1. Open the **Groups** tab in the left menu and click **New Group**.
2. Fill in the required details and click **Create**.

![Overview of Microsoft Entra admin center with highlighted options for groups and new group.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/new group.png)

### Assign Group to application

1. Navigate to **Enterprise apps**and select your SCIM SSO application.
2. Open the **Users and groups** tab, click **Add user/group**, then click **None selected** under **Users and groups** and search for the group name.
3. Select the group and click **Assign**.

![](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/assign group to app(1).gif)

To provision the group to Document360:

1. Navigate to the **Provisioning on demand** tab, search for the group name, and click **Provision**.

![Provisioning settings for Document360 SCIM SSO with selected group and user options.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/provision grp.png)

1. You can select the number of users or members in the group by selecting the radio buttons.
2. The group will be successfully added to Document360. To verify, go to Document360 and navigate to **Settings** > **Users & permissions** > **Readers & groups** > **Reader group** tab.

![Overview of reader groups and permissions management in the knowledge base portal.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/group.png)

---

## Manage content access for Users, Readers and groups

In Document360, user and group names cannot be edited or deleted directly, these actions must be managed from Entra. However, you can still manage roles, permissions, and content access within Document360.

1. Select the desired user and click **Manage content access**.
2. In the dialog, use the dropdowns to select the desired content access.
3. If needed, you can also manage group assignments and add the user to a desired group.

![User management interface showing content access and group management options.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/manage content access(1).png)

1. Click **Update** to confirm and save the changes.

---

## Update User, Reader and Groups

To make changes to the user/group name,

1. In the left navigation bar, click **Users**and search for the user in the search bar, then click **Select.**
2. On the user's **Overview**page, open the **Properties**tab and click the **Edit**icon to make the necessary changes.

![User management interface displaying user details and properties in Microsoft Entra admin center.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/edit(2).png)

1. Once changes are made, click **Save**.
2. To reflect these changes in Document360, navigate to **Enterprise apps**> **SCIM SSO app** > **Provisioning**> **Provision on demand.**
3. Select the updated user in the **Provisioning on demand** page, then click **Provision**.

![Provisioning on demand for users in Microsoft Entra admin center interface.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/provision user(2).png)

The updated user details will now be reflected in Document360.

---

## Delete User, Reader or Group

To delete a user, reader or group,

1. Open **Users**tab in the left menu, and search and select the desired user.
2. Then, click **Delete**.

![User management interface showing search results for user 'Jane' in Microsoft Entra.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/delete user.png)

The user is deleted successfully. This change will be reflected in Document360.

> [!NOTE]
> ******NOTE
> 
> Deleting a user in Entra does not remove the user profile from Document360. Instead, the status of the user will change from Active to Inactive.

---

## Inherit from another application

When creating a new SSO configuration in Document360, you can inherit SCIM settings from an existing SSO connection. This approach simplifies the setup process, avoids repeating configuration steps, and helps administrators save time while ensuring consistency across integrations.

### Child Inherited SSO configuration

On the **Configure Identity Provider (IdP)** page, select the **Configure an existing connection** field and choose the parent SSO SCIM-enabled application you want to inherit from. Selecting this option will designate the current project as the child project, inheriting all relevant properties from the parent.

![Configuration settings for Identity Provider with selected connection details displayed prominently.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/inherit(1).png)

> [!NOTE]
> **** NOTE**
> 
> Once the SSO configuration is created, the SCIM provisioning settings will be inherited from the parent application and cannot be modified in the child application.

### Parent Inherited SSO Configuration

The parent application will display a list of all projects that have inherited its configuration. Any changes made to the parent application will automatically be reflected in the child application.

![SCIM provisioning settings in Okta with project details and configuration instructions displayed.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/parent.png)

- If SCIM is enabled in the parent project after child projects have already inherited it, the users and groups will be automatically provisioned to all child projects in the background.
- Enabling inheritance makes it easier to manage multiple SSO configurations with SCIM enabled, as all settings are controlled from one parent application. This saves time and reduces the effort required to manage each configuration individually.