Auto-provisioning Omni users with Microsoft Entra SCIM
When SCIM (System for Cross-domain Identity Management) is enabled, you can automatically provision Omni accounts for your users and synchronize Omni user groups with groups in Microsoft Entra (formerly Active Directory / Azure AD).
Omni users created via SCIM will have Organization Member permissions. Organization Admins must be created in Settings > Users or have their permissions manually upgraded.
Requirements
To follow the steps in this guide, you'll need:
- To have Microsoft Entra SAML authentication set up. If you don't, refer to the Microsoft Entra SAML authentication setup guide before proceeding.
- Omni Organization Admin permissions
- Permissions in Microsoft Entra that allow you to:
  - Access the Entra admin panel
  - Modify Entra applications
1. Create an Omni API key
Reach out to Omni support to have API keys enabled for your organization.
- Follow these steps to create a new API key named Entra SCIM.
- Copy the key somewhere handy - you'll need it to complete the setup.
2. Configure the Omni Entra application
This guide assumes that you have an existing Omni application in Microsoft Entra. Refer to the SAML setup guide if you have not yet created an Omni application.
- Log in to the Microsoft Entra admin panel.
- Navigate to Applications > Enterprise Applications.
- Locate and open the Omni application.
- In the Omni application, navigate to Manage > Provisioning.
- For the provisioning mode, select Automatic Provisioning Mode.
- Configure the Admin credentials section as follows:
  - Tenant URL - Enter the URL you use to log into Omni, appended with /api/scim/v2. For example, if your Omni login URL is https://blobsrus.omniapp.co, you would enter https://blobsrus.omniapp.co/api/scim/v2.
  - Secret Token - Paste the Omni API key you created in step 1
- Click Test connection and proceed if successful.
3. Configure mappings
In this step, you'll configure the user and user group mappings to provision in Omni.
- In the Mappings section, click the type of object you want to map - users or user groups.
- Remove all default attribute mappings except the following:
  - For users - Remove all mappings except userName, active, and displayName
  - For user groups - Remove all mappings except displayName and members
- Click Save.
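The checks below are an added example, not part of Omni's or Microsoft's documentation: a Python pre-flight helper that derives the Tenant URL from step 2 and compares a list of mapping target attributes against the ones step 3 says to keep. The sample attribute lists are constructed, and dropping any path from the login URL is an assumption.

```python
from urllib.parse import urlsplit

# Attribute mappings the guide says to keep in step 3.
KEEP = {
    "users": {"userName", "active", "displayName"},
    "groups": {"displayName", "members"},
}


def tenant_url(login_url: str) -> str:
    """Build the Tenant URL from step 2: Omni login URL + /api/scim/v2."""
    parts = urlsplit(login_url.strip())
    # The Secret Token is sent to this URL, so refuse anything that is not
    # HTTPS or that embeds credentials in the URL itself.
    if parts.scheme != "https":
        raise ValueError("Omni login URL must use https")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("expected a plain https://host URL")
    # Assumption: only the host matters; a trailing slash or path is dropped.
    return f"https://{parts.netloc}/api/scim/v2"


def audit_mappings(kind: str, targets: list[str]) -> dict[str, list[str]]:
    """Compare an application's target attributes with the step 3 allow-list."""
    keep = KEEP[kind]
    present = set(targets)
    return {
        "remove": sorted(present - keep),   # still mapped, should be deleted
        "missing": sorted(keep - present),  # required, but deleted by mistake
    }


# Constructed sample: target attributes as they might look before cleanup.
SAMPLE_USER_TARGETS = [
    "userName", "active", "displayName", "title",
    'emails[type eq "work"].value', "name.givenName", "name.familyName",
]
SAMPLE_GROUP_TARGETS = ["displayName", "externalId", "members"]

if __name__ == "__main__":
    print(tenant_url("https://blobsrus.omniapp.co/"))
    print(audit_mappings("users", SAMPLE_USER_TARGETS))
    print(audit_mappings("groups", SAMPLE_GROUP_TARGETS))
```

An empty "remove" list and an empty "missing" list mean the mappings match step 3 exactly.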
4. Configure Omni login settings
- In Omni, navigate to Settings > Authentication.
- Enable Automatically provision new users on first login from this SAML provider.
- Click Save SAML changes.
What's next?
After you finish setting up SCIM, you can go a step further and sync your custom user attributes from Entra to Omni.
Refer to the Syncing Entra user attributes guide for more information.