> ## Documentation Index
> Fetch the complete documentation index at: https://docs.omni.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Auto-provisioning Omni users with Microsoft Entra SCIM

> Automatically manage Omni accounts for your users with Microsoft Entra SCIM provisioning.

When SCIM (System for Cross-domain Identity Management) is enabled, you can automatically provision and de-provision Omni accounts for your users and synchronize Omni user groups with groups in Microsoft Entra (formerly Active Directory / Azure AD).

## Requirements

To follow the steps in this guide, you'll need:

* **To have Microsoft Entra SAML authentication set up**. If you don't, refer to the [Microsoft Entra SAML authentication setup guide](/administration/authentication/entra/saml) before proceeding.
* **Omni Organization Admin permissions**
* **Permissions in Microsoft Entra that allow you to:**
  * Access the Entra admin panel
  * Modify Entra applications

## Limitations

Omni [system user attributes](/administration/users/attributes#default-system-user-attributes) are read-only and cannot be assigned via SCIM.

## Steps

<Note>
  Omni users created via SCIM will have **Organization Member** permissions. Organization Admins must be created in **Settings > Users** or have their permissions [manually upgraded](/administration/users/permissions).
</Note>

<Steps>
  <Step title="Create an Omni API key">
    1. Follow [these steps](/api/authentication) to create a new API key named **Entra SCIM**.
    2. Copy the key somewhere handy - you'll need it to complete the setup.
  </Step>

  <Step title="Configure the Omni Entra application">
    This guide assumes that you have an existing Omni application in Microsoft Entra. Refer to the [SAML setup guide](/administration/authentication/entra/saml) if you have not yet created an Omni application.

    1. Log in to the Microsoft Entra admin panel.
    2. Navigate to **Applications > Enterprise Applications**.
    3. Locate and open the Omni application.
    4. In the Omni application, navigate to **Manage > Provisioning**.
    5. For the **provisioning mode**, select **Automatic Provisioning Mode**.
    6. Configure the **Admin credentials section** as follows:
       * **Tenant URL** - Enter the URL you use to log into Omni, appended with `/api/scim/v2`.

         For example, if your Omni login URL is `https://blobsrus.omniapp.co`, you would enter `https://blobsrus.omniapp.co/api/scim/v2`.
       * **Secret Token** - Paste the Omni API key you created in step 1
    7. Click **Test connection** and proceed if successful.
  </Step>

  <Step title="Configure mappings">
    In this step, you'll configure the user and user group mappings to provision in Omni.

    1. In the **Mappings** section, click the type of object you want to map - users or user groups.
    2. Remove all default attribute mappings **except the following**:
       * **For users** - Remove all mappings except `userName`, `active`, and `displayName`
       * **For user groups** - Remove all mappings except `displayName` and `members`
    3. Click **Save**.
  </Step>

  <Step title="Configure Omni login settings">
    1. In Omni, navigate to **Settings > Authentication**.
    2. Enable **Automatically provision new users on first login from this SAML provider**. This ensures that users assigned to the Omni app in Entra are automatically created in Omni when they first log in via SAML.
    3. Click **Save SAML changes**.
  </Step>
</Steps>

**Note**: when users are removed from Entra they will be de-provisioned and revoked in Omni which has implications for the schedules and content they own. See the [Revoke Membership](/administration/users/delete) page for more details.

## What's next?

After you finish setting up SCIM, you can go a step further and sync your custom user attributes from Entra to Omni.

Refer to the [Syncing Entra user attributes guide](/administration/authentication/entra/user-attributes) for more information.