Enable Azure AD for SCIM provisioning

Microsoft Entra ID (Azure AD) SCIM provisioning automatically creates, updates, and deactivates users and groups in Atlan as they change in your directory. Start in Atlan to generate a SCIM token, then complete the setup in the Entra admin center.

Prerequisites

  • Azure AD SSO is already configured for Atlan. SCIM runs alongside SSO and requires it. See Enable Azure AD for SSO if you haven't completed that setup.
  • Users or groups are assigned to the Atlan application in Azure AD. Only assigned users and groups are provisioned.
  • Admin access in Atlan to generate the SCIM token, and administrator access in the Microsoft Entra admin center to configure provisioning. These are often held by different people. Coordinate before starting.
  • For group sync: the groups must already exist in Atlan, and group mapping must be configured in the Azure AD SSO settings. See Sync groups from your IdP.

Get SCIM token from Atlan

Before touching Entra, generate the token Atlan uses to authenticate SCIM requests from your IdP.

  1. In your Atlan workspace, click Settings from the left menu.

    If you are using the Old UI (Classic), from the left menu, click Admin.

  2. Click SSO, then open your Azure AD provider.

  3. Under Overview, find Automate Provisioning with SCIM and toggle it on.

  4. Click + Generate token.

  5. Copy the token and store it securely.

Warning: The SCIM token is shown only once. If you close the dialog without copying it, you will need to generate a new token.

Your SCIM endpoint URL is https://<your-tenant-dns>/api/service/scim. You will need both the token and this URL when configuring Entra.

Configure provisioning in Entra

All the Entra-side setup happens here: connect to Atlan, verify attribute mappings, and start the provisioning cycle.

Connect Entra to Atlan

  1. Log in to the Microsoft Entra admin center.

  2. Go to Identity > Enterprise apps > All applications and open your Atlan SAML application.

  3. In the left menu under Manage, click Provisioning.

  4. Set Provisioning Mode to Automatic.

  5. Under Admin Credentials, enter:

    • Tenant URL: https://<your-tenant-dns>/api/service/scim
    • Secret Token: paste the token you copied from Atlan
  6. Click Test Connection to verify Entra can reach Atlan.

  7. Click Save.

Verify attribute mappings

After saving, the Mappings section appears on the Provisioning page. Both group and user mappings are enabled by default. Confirm the following are present.

Groups: click Provision Azure Active Directory Groups:

  • displayName → displayName (currently unsupported in Atlan, but keep the mapping in place)
  • objectId → externalId
  • members → members

Users: click Provision Azure Active Directory Users:

  • mailNickname → userName (if absent, Entra defaults to UserPrincipalName / UPN)
  • Switch([IsSoftDeleted], , "False", "True", "True", "False") → active
  • displayName → displayName
  • mail → emails[type eq "work"].value
  • givenName → name.givenName
  • surname → name.familyName
  • objectId → externalId

Click Save if you make any changes.

Start provisioning

Entra offers two methods.

Automatic cycle: on the Provisioning overview page, click Start provisioning and set Provisioning Status to On. Entra runs an initial sync then incremental syncs every 40 minutes.

Info: The initial sync processes all assigned users and groups and can take up to 40 minutes. Subsequent syncs are incremental.

On-demand: in the Provisioning left menu, click Provision on demand, search for a user or group, then click Provision. There are known limitations to on-demand provisioning. Review them before relying on it for bulk operations.

Before you provision: Things to check

  • Username and email address cannot be changed after a user has been provisioned to Atlan.
  • Existing Atlan users being provisioned via SCIM must have Azure AD credentials that match their current Atlan credentials. Mismatches prevent provisioning.
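
The following is an added example, not code from Atlan or Microsoft: it applies the user mappings listed under Verify attribute mappings to constructed Entra records and flags the conditions in the checklist above before the first sync. It assumes that "matching credentials" means username and email, and that you have an export of existing Atlan users with hypothetical `username` and `email` fields.

```python
"""Added example: the page's Entra -> SCIM user mappings plus a pre-provisioning check.
All records are constructed; the Atlan export fields (username, email) are assumed."""

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User schema

def to_scim_user(entra, username_source="mailNickname"):
    """Build the SCIM User the listed mappings would send.
    username_source="userPrincipalName" models the case where the mailNickname mapping is absent."""
    user = {
        "schemas": [SCIM_USER],
        "externalId": entra["objectId"],
        "userName": entra.get(username_source),
        # Switch([IsSoftDeleted], , "False", "True", "True", "False") -> active
        "active": not entra.get("isSoftDeleted", False),
        "displayName": entra.get("displayName"),
        "name": {"givenName": entra.get("givenName"), "familyName": entra.get("surname")},
    }
    if entra.get("mail"):
        user["emails"] = [{"type": "work", "value": entra["mail"]}]
    return user

def preflight(entra_users, atlan_users, username_source="mailNickname"):
    """Return (objectId, problem) pairs to resolve before starting provisioning."""
    existing = {a["email"].lower(): a["username"] for a in atlan_users}
    problems = []
    for entra in entra_users:
        scim = to_scim_user(entra, username_source)
        oid, name = scim["externalId"], scim["userName"]
        if not name:
            problems.append((oid, f"no {username_source} value for userName"))
        if "emails" not in scim:
            problems.append((oid, "no mail value for work email"))
            continue
        # Existing Atlan account with this email: its username must already match.
        current = existing.get(scim["emails"][0]["value"].lower())
        if current is not None and current != name:
            problems.append((oid, f"Atlan username {current!r} != {name!r}"))
    return problems

ENTRA_USERS = [  # constructed sample of users assigned to the Atlan application
    {"objectId": "id-1", "mailNickname": "alice", "userPrincipalName": "alice@corp.example",
     "mail": "alice@corp.example", "displayName": "Alice Ng", "givenName": "Alice", "surname": "Ng"},
    {"objectId": "id-2", "mailNickname": "bsmith", "userPrincipalName": "bob.smith@corp.example",
     "mail": "bob.smith@corp.example", "displayName": "Bob Smith", "givenName": "Bob", "surname": "Smith"},
    {"objectId": "id-3", "mailNickname": "carol", "userPrincipalName": "carol@corp.example",
     "mail": None, "displayName": "Carol Diaz", "givenName": "Carol", "surname": "Diaz", "isSoftDeleted": True},
]
ATLAN_USERS = [{"username": "bob.smith", "email": "bob.smith@corp.example"}]  # constructed export
```

Running `preflight` a second time with `username_source="userPrincipalName"` shows the usernames Entra would send if the mailNickname mapping were missing, which matters because usernames cannot be changed after provisioning.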

Need help?

If users or groups are not appearing in Atlan after a sync, or if you see errors in the Entra provisioning logs, see Troubleshooting SCIM provisioning. Contact Atlan Support if the issue persists.
