SCIM Automatic User Provisioning
SCIM (System for Cross-domain Identity Management) automatically creates, updates, and removes NeuralTrust user accounts when changes happen in your Microsoft Entra ID directory. No manual user management needed.Benefits
- Automatic onboarding: Users get NeuralTrust access when added to your directory
- Automatic offboarding: Users lose access when removed from your directory
- No manual invitations: Eliminate manual user management tasks
- Always in sync: User accounts stay synchronized with your corporate directory
Prerequisites
Before configuring SCIM, ensure:- SSO is configured and working
- Enterprise Applications access in Azure Portal
- Owner role in NeuralTrust
Alternative: Manual User SyncIf you prefer on-demand user import instead of automatic provisioning, you can use Manual User Sync instead. Manual Sync uses your existing SSO app registration and doesn’t require a separate Enterprise Application in Azure.
Part 1: Generate SCIM Token in NeuralTrust
Step 1: Open SCIM Settings
- Log in to NeuralTrust as Owner
- Go to Settings → SSO
- Click the SCIM Provisioning tab
Step 2: Generate Token
- Click Generate Token
- Select expiration period:
- 30 days
- 60 days
- 90 days (recommended)
- 180 days
- 365 days
- Click Generate
- Copy the token immediately — It will not be shown again
Step 3: Copy Tenant URL
Your SCIM endpoint URL is displayed in the setup guide:Token Status Dashboard
After generating a token, you’ll see a status panel with:Revoking a Token
If you need to revoke access:- Go to Settings → SSO → SCIM Provisioning tab
- Click Revoke
- Confirm the action
- The token is immediately invalidated
Part 2: Configure Azure Provisioning
Step 1: Create Enterprise Application
- Go to Azure Portal
- Navigate to Enterprise Applications
- Click + New application
- Click Create your own application
- Enter name:
NeuralTrust SCIM - Select Integrate any other application you don’t find in the gallery
- Click Create
Step 2: Configure Provisioning Mode
- In your new application, go to Provisioning
- Click Get started
- Set Provisioning Mode to Automatic
Step 3: Enter Admin Credentials
Under Admin Credentials, enter:
Click Test Connection. You should see:
“The supplied credentials are authorized to enable provisioning.”
Step 4: Configure Attribute Mappings
- Expand Mappings
- Click Provision Azure Active Directory Users
- Verify these mappings exist:
- Click Save
Step 5: Assign Users and Groups
- Go to Users and groups
- Click + Add user/group
- Select the users or groups you want to provision
- Click Assign
You can assign individual users or entire Azure AD groups. When you assign a group, all members of that group will be provisioned to NeuralTrust.
Step 6: Start Provisioning
- Go back to Provisioning
- Set Provisioning Status to On
- Click Save
Part 3: Test Provisioning
Test with a Single User
Before enabling provisioning for your entire organization, test with a single user:- Go to Provisioning → Provision on demand
- Search for and select a test user
- Click Provision
- Review the provisioning steps and results
- Check NeuralTrust — the user should appear in your team
Verify User in NeuralTrust
- Go to Settings → Team in NeuralTrust
- Confirm the provisioned user appears in the member list
- Verify their display name and email are correct
Token Management
Token Lifecycle
Managing Tokens
Token Expiration Workflow
- NeuralTrust sends email reminders at 30, 14, and 7 days before expiration
- Generate a new token before the old one expires
- Update the Secret Token in Azure Enterprise Application
- Test the connection to verify the new token works
Provisioning Behavior
What Happens When You Add a User
- User is added to an assigned Azure AD group
- Azure detects the change (within 40 minutes, or immediately with on-demand)
- Azure sends SCIM request to NeuralTrust
- NeuralTrust creates the user account
- User can immediately sign in via SSO
What Happens When You Remove a User
- User is removed from all assigned Azure AD groups
- Azure detects the change (within 40 minutes)
- Azure sends SCIM deprovisioning request
- NeuralTrust deactivates the user account
- User can no longer access NeuralTrust
What Happens When User Attributes Change
- User’s display name, email, or other attributes change in Azure AD
- Azure detects the change (within 40 minutes)
- Azure sends SCIM update request
- NeuralTrust updates the user’s profile
Monitoring Provisioning
View Provisioning Logs in Azure
- Go to your Enterprise Application in Azure
- Navigate to Provisioning → View provisioning logs
- Filter by date, status, or user to find specific events
Common Log Entries
View Provisioning Events in NeuralTrust
Provisioning events are logged in NeuralTrust Audit Logs:- Go to Settings → Audit Logs
- Filter by Category: SSO Security
- Look for events like:
scim.user.provisionedscim.user.updatedscim.user.deprovisioned
Troubleshooting
Force Immediate Sync
If you need changes to sync immediately:- Go to Provisioning in Azure
- Click Provision on demand
- Select the user to sync
- Click Provision
Security Best Practices
- Set calendar reminders to regenerate tokens before the 90-day expiration
- Use Azure AD groups to manage access rather than individual user assignments
- Monitor provisioning logs regularly for failed operations
- Test with a small group before assigning your entire organization
- Review NeuralTrust audit logs for provisioning-related events
Next Steps
- Configure Audit Logs — Monitor SCIM provisioning events
- Manual User Sync — Use on-demand sync for additional control