How to set up SCIM with Microsoft Entra ID (Azure Active Directory)

Reftab users can be added, deleted and modified using SCIM 2.0.

You define groups within your Azure directory and Reftab can sync those users. This is an ideal way to save time and avoid the hassle of managing user accounts. It is also an ideal security implementation.

1 – Log in to Azure, search for “Entra ID” and click “Microsoft Entra ID”

2 – Click “Enterprise Applications”

3 – Click “New Application”

4 – “Create your own application”

5 – Name your application

6 – In the new app, click Provision User Accounts


7 – Get Started


8 – Set provisioning mode to automatic. Fill out the Tenant URL and Secret Token using the information in your Reftab account.

Log into Reftab as an administrator and click “Settings” > “Integrations” > “Configure” next to SCIM

Copy the token and paste it into “Secret Token” in Azure


Finally, click “Test Connection” and “Save”.

9 – Go to Provision Azure Active Directory User Mappings


10 – Set up the table as pictured below and save


NOTE: Your mapping table must look exactly like the image above. If any of the rows are missing, the SCIM connection will not work.

11 – Turn on provisioning status in the app.


11a. Click “Save” at top

12 – Add any users and/or groups you want to be sent to Reftab

13 – Log into Reftab. Click “Settings” > “Integrations” > “Configure SCIM”

14 – Next, configure role assignments.

The Default Reftab Access Role is the role given to users brought over from Entra who do not belong to an Entra group.

The Group Mappings section is available so that you can see the groups you’re pushing from Entra into Reftab. You can map Reftab access roles to groups. For example, if you’re pushing a group called “Employees” into Reftab, every user brought over from that group can be assigned to a Reftab role such as “Loanee”.

If you want to map other fields such as department, manager, etc. follow this guide:


Sync Frequency

You should begin to see users appear under the “Sub Accounts” page in Reftab. Subsequent syncs are triggered every 20-40 minutes.

Disabled Users

If a user was a member of a group pushed to Reftab but is then taken out of that group, during the next sync they will be set to the “Default Role (for SCIM users without groups)” set on the Manage SCIM page. The source can also send a ‘disable’ for a user: if the user is disabled in MS Azure, Reftab will know this and set their role in Reftab to ‘Disabled’.

Role Lock:

To lock users into a Reftab access role (for example, those who should be Reftab administrators), you’ll want to turn on “role-lock” in Reftab. This locks the user into whatever access role they are currently in. This is helpful so that when a sync occurs, the user’s access role will not change if their group changes in MS Entra or if role assignment rules change in Reftab. In other words, enabling this setting bypasses role assignments and locks the user into a role.
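The role rules described above (default role, group mappings, disabled users and role-lock) can be modelled to list the role-locked accounts that a sync will not correct. This is an added example, not Reftab's code or API. The group and role names, the sample users, the first-mapped-group-wins rule, and the treatment of role-lock for users disabled in Entra are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample settings; group and role names are illustrative only.
DEFAULT_ROLE = "Loanee"  # stands in for the "Default Reftab Access Role"
GROUP_MAPPINGS = {"Employees": "Loanee", "IT Admins": "Administrator"}

@dataclass
class SyncedUser:
    name: str
    current_role: str
    entra_groups: list = field(default_factory=list)
    entra_enabled: bool = True
    role_locked: bool = False

def rule_role(user):
    """Role the assignment rules give when role-lock is off."""
    if not user.entra_enabled:
        return "Disabled"
    mapped = [GROUP_MAPPINGS[g] for g in user.entra_groups if g in GROUP_MAPPINGS]
    # Assumptions: first mapped group wins; unmapped groups fall back to the default.
    return mapped[0] if mapped else DEFAULT_ROLE

def predict(user):
    """Return (role_after_sync, finding); finding is None if nothing needs review."""
    wanted = rule_role(user)
    if not user.role_locked:
        return wanted, None
    if wanted == user.current_role:
        return wanted, None
    # Role-lock bypasses role assignment, so the account keeps its role.
    # Assumption: this also holds for users disabled in Entra (the page does not say).
    return user.current_role, f"locked as {user.current_role}, rules give {wanted}"

def audit(users):
    """Map user name -> finding for each role-locked account the sync leaves unchanged."""
    findings = {}
    for u in users:
        _, finding = predict(u)
        if finding:
            findings[u.name] = finding
    return findings

SAMPLE_USERS = [  # constructed sample data
    SyncedUser("alice", "Loanee", ["Employees"]),
    SyncedUser("bob", "Administrator", [], role_locked=True),
    SyncedUser("carol", "Administrator", ["IT Admins"], entra_enabled=False, role_locked=True),
    SyncedUser("dave", "Loanee", ["Employees"], entra_enabled=False),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_USERS).items():
        print(f"REVIEW {name}: {finding}")
```

Accounts reported by `audit` are the ones to review by hand, since the sync will not change their role.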

Reach out to [email protected] for any questions

Next: Report on Disabled Users With Equipment

SCIM will automatically provision and disable users. It is best practice to report on users who are disabled. Follow this FAQ guide to set up an automated report to alert you of any disabled users with equipment: Click Here