SCIM Automatic User Provisioning
SCIM (System for Cross-domain Identity Management) automatically creates, updates, and removes NeuralTrust user accounts when changes happen in your Microsoft Entra ID directory. No manual user management needed.
Benefits
- Automatic onboarding: Users get NeuralTrust access when added to your directory
- Automatic offboarding: Users lose access when removed from your directory
- No manual invitations: Eliminate manual user management tasks
- Always in sync: User accounts stay synchronized with your corporate directory
Prerequisites
Before configuring SCIM, ensure:
- SSO is configured and working
- Enterprise Applications access in Azure Portal
- Owner role in NeuralTrust
SSO must be configured before setting up SCIM provisioning.
Alternative: Manual User Sync
If you prefer on-demand user import instead of automatic provisioning, you can use Manual User Sync instead. Manual Sync uses your existing SSO app registration and doesn’t require a separate Enterprise Application in Azure.
| Use SCIM when… | Use Manual Sync when… |
|---|---|
| You want fully automated user lifecycle | You want control over when users are imported |
| Auto-deprovisioning is required | You handle offboarding manually |
| You have many users to manage | You have a smaller team |
Part 1: Generate SCIM Token in NeuralTrust
Step 1: Open SCIM Settings
- Log in to NeuralTrust as Owner
- Go to Settings → SSO
- Click the SCIM Provisioning tab
Step 2: Generate Token
- Click Generate Token
- Select expiration period:
  - 30 days
  - 60 days
  - 90 days (recommended)
  - 180 days
  - 365 days
- Click Generate
- Copy the token immediately — It will not be shown again
Step 3: Copy Tenant URL
Your SCIM endpoint URL is displayed in the setup guide:
https://app.neuraltrust.ai/api/scim/v2
Save the Secret Token securely. It’s only shown once and cannot be retrieved later. If you lose it, you’ll need to generate a new one.
Token Status Dashboard
After generating a token, you’ll see a status panel with:
| Field | Description |
|---|---|
| Status | Active or Expired |
| Created At | When the token was generated |
| Expires At | When the token will expire |
| Last Used | Last successful SCIM request |
Revoking a Token
If you need to revoke access:
- Go to Settings → SSO → SCIM Provisioning tab
- Click Revoke
- Confirm the action
- The token is immediately invalidated
Step 1: Create Enterprise Application
- Go to Azure Portal
- Navigate to Enterprise Applications
- Click + New application
- Click Create your own application
- Enter name: NeuralTrust SCIM
- Select Integrate any other application you don’t find in the gallery
- Click Create
- In your new application, go to Provisioning
- Click Get started
- Set Provisioning Mode to Automatic
Step 3: Enter Admin Credentials
Under Admin Credentials, enter:
| Field | Value |
|---|---|
| Tenant URL | https://app.neuraltrust.ai/api/scim/v2 |
| Secret Token | Paste your token from NeuralTrust |
Click Test Connection. You should see:
“The supplied credentials are authorized to enable provisioning.”
- Expand Mappings
- Click Provision Azure Active Directory Users
- Verify these mappings exist:
| Azure AD Attribute | NeuralTrust Attribute |
|---|---|
| userPrincipalName | userName |
| displayName | displayName |
| Switch([IsSoftDeleted]...) | active |
| mail | emails[type eq "work"].value |
| givenName | name.givenName |
| surname | name.familyName |
- Click Save
Step 5: Assign Users and Groups
- Go to Users and groups
- Click + Add user/group
- Select the users or groups you want to provision
- Click Assign
You can assign individual users or entire Azure AD groups. When you assign a group, all members of that group will be provisioned to NeuralTrust.
Step 6: Start Provisioning
- Go back to Provisioning
- Set Provisioning Status to On
- Click Save
Azure will begin an initial provisioning cycle, which can take 20-40 minutes depending on the number of users.
Part 3: Test Provisioning
Test with a Single User
Before enabling provisioning for your entire organization, test with a single user:
- Go to Provisioning → Provision on demand
- Search for and select a test user
- Click Provision
- Review the provisioning steps and results
- Check NeuralTrust — the user should appear in your team
Verify User in NeuralTrust
- Go to Settings → Team in NeuralTrust
- Confirm the provisioned user appears in the member list
- Verify their display name and email are correct
Token Management
Token Lifecycle
| Property | Value |
|---|---|
| Expiration | 90 days |
| Renewable | Yes, before expiration |
| Revocable | Yes, immediately |
Managing Tokens
| Action | Steps | Effect |
|---|---|---|
| View status | Settings → SSO → SCIM | Shows expiration date and last used timestamp |
| Regenerate token | Settings → SSO → SCIM → Regenerate Token | Creates new token, revokes old one immediately |
| Revoke token | Settings → SSO → SCIM → Revoke | Stops all provisioning until new token is created |
When you regenerate a token, you must update the Secret Token in Azure immediately. Provisioning will fail until the new token is configured.
Token Expiration Workflow
- NeuralTrust sends email reminders at 30, 14, and 7 days before expiration
- Generate a new token before the old one expires
- Update the Secret Token in Azure Enterprise Application
- Test the connection to verify the new token works
Provisioning Behavior
What Happens When You Add a User
- User is added to an assigned Azure AD group
- Azure detects the change (within 40 minutes, or immediately with on-demand)
- Azure sends SCIM request to NeuralTrust
- NeuralTrust creates the user account
- User can immediately sign in via SSO
What Happens When You Remove a User
- User is removed from all assigned Azure AD groups
- Azure detects the change (within 40 minutes)
- Azure sends SCIM deprovisioning request
- NeuralTrust deactivates the user account
- User can no longer access NeuralTrust
What Happens When User Attributes Change
- User’s display name, email, or other attributes change in Azure AD
- Azure detects the change (within 40 minutes)
- Azure sends SCIM update request
- NeuralTrust updates the user’s profile
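The attribute mappings and the three provisioning flows above, written out as the SCIM 2.0 requests they produce. This is an added example, not NeuralTrust or Microsoft code: it assumes the endpoint uses the standard RFC 7644 `/Users` paths and that deactivation arrives as a PATCH on `active`; the sample user, the `<SECRET_TOKEN>` placeholder and all function names are constructed for illustration.

```python
import json

TENANT_URL = "https://app.neuraltrust.ai/api/scim/v2"  # Tenant URL from this guide
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed directory record; keys are the Azure AD side of the mapping table.
SAMPLE_USER = {"userPrincipalName": "ada@example.com", "displayName": "Ada Example",
               "mail": "ada@example.com", "givenName": "Ada", "surname": "Example",
               "IsSoftDeleted": False}

def to_scim_user(rec):
    """Apply the six attribute mappings to one directory record."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": rec["userPrincipalName"],
        "displayName": rec["displayName"],
        "active": not rec["IsSoftDeleted"],  # Switch([IsSoftDeleted]...) -> active
        "emails": [{"type": "work", "value": rec["mail"]}],
        "name": {"givenName": rec["givenName"], "familyName": rec["surname"]},
    }

def scim_request(method, path, body, token="<SECRET_TOKEN>"):
    """Describe the HTTP request without sending it; the token is a placeholder."""
    return {"method": method, "url": TENANT_URL + path, "body": json.dumps(body),
            "headers": {"Authorization": "Bearer " + token,
                        "Content-Type": "application/scim+json"}}

def create_user(rec):  # add a user: POST the full resource to /Users
    return scim_request("POST", "/Users", to_scim_user(rec))

def patch_user(scim_id, path, value):
    """Attribute change: PATCH one attribute of an existing resource."""
    ops = [{"op": "replace", "path": path, "value": value}]
    return scim_request("PATCH", "/Users/" + scim_id,
                        {"schemas": [PATCH_SCHEMA], "Operations": ops})

def deactivate_user(scim_id):  # remove a user: assumed PATCH setting active to false
    return patch_user(scim_id, "active", False)

def unmapped_attributes(resource):
    """Return mapped SCIM attributes that are missing or empty in a resource."""
    work = [e.get("value") for e in resource.get("emails", []) if e.get("type") == "work"]
    name = resource.get("name", {})
    found = {"userName": resource.get("userName"),
             "displayName": resource.get("displayName"), "active": resource.get("active"),
             'emails[type eq "work"].value': work[0] if work else None,
             "name.givenName": name.get("givenName"), "name.familyName": name.get("familyName")}
    return [attr for attr, val in found.items() if val in (None, "")]
```

`unmapped_attributes` can be run over the exported attributes from a Provision on demand result to confirm every mapping in the table actually produced a value.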
Monitoring Provisioning
View Provisioning Logs in Azure
- Go to your Enterprise Application in Azure
- Navigate to Provisioning → View provisioning logs
- Filter by date, status, or user to find specific events
Common Log Entries
| Status | Description |
|---|---|
| Success | User successfully provisioned/updated/deprovisioned |
| Failure | Provisioning failed — check error details |
| Skipped | User skipped due to scoping filter or already exists |
View Provisioning Events in NeuralTrust
Provisioning events are logged in NeuralTrust Audit Logs:
- Go to Settings → Audit Logs
- Filter by Category: SSO Security
- Look for events like:
  - scim.user.provisioned
  - scim.user.updated
  - scim.user.deprovisioned
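One way to use these events for an offboarding check, as an added example that is not NeuralTrust code: replay the three event types to get each account's state, then compare it with the users currently assigned to the Enterprise Application. The export format (one JSON object per line) and the field names `ts`, `event` and `user` are assumptions; only the event names come from this page, and the log lines are constructed.

```python
import json

# Constructed audit-log export, one JSON object per line. The field names
# "ts", "event" and "user" are assumptions; only the event names come from the page.
SAMPLE_LOG = """\
{"ts": "2025-01-10T09:00:00Z", "event": "scim.user.provisioned", "user": "ada@example.com"}
{"ts": "2025-01-10T09:05:00Z", "event": "scim.user.provisioned", "user": "bob@example.com"}
{"ts": "2025-01-12T14:00:00Z", "event": "scim.user.updated", "user": "ada@example.com"}
{"ts": "2025-02-01T08:30:00Z", "event": "scim.user.deprovisioned", "user": "bob@example.com"}
{"ts": "2025-02-03T11:00:00Z", "event": "scim.user.provisioned", "user": "Carol@example.com"}
"""

def account_state(log_text):
    """Replay SCIM events in time order and return {user: "active" | "inactive"}."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    state = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # same-format UTC strings sort by time
        user = ev["user"].lower()
        if ev["event"] == "scim.user.provisioned":
            state[user] = "active"
        elif ev["event"] == "scim.user.deprovisioned":
            state[user] = "inactive"
        # scim.user.updated is assumed not to change whether the account is active
    return state

def reconcile(log_text, assigned_users):
    """Compare replayed account state with the users currently assigned in Azure."""
    active = {u for u, s in account_state(log_text).items() if s == "active"}
    assigned = {u.lower() for u in assigned_users}
    return {
        "still_active_but_unassigned": sorted(active - assigned),  # offboarding gap
        "assigned_but_not_active": sorted(assigned - active),      # onboarding gap
    }
```

An account listed under `still_active_but_unassigned` for longer than the 40-minute sync window is worth checking against the Azure provisioning logs for a failed or skipped deprovisioning request.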
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| “Test Connection failed” | Invalid or expired token | Generate a new SCIM token in NeuralTrust |
| Users not provisioning | Provisioning status is Off | Turn on provisioning in Azure |
| Users not provisioning | Not assigned to application | Assign users/groups in Azure Enterprise Application |
| Duplicate users | User exists with different identifier | Delete duplicate in NeuralTrust, re-provision |
| Attributes not updating | Mapping not configured | Verify attribute mappings in Azure |
| Provisioning delayed | Azure sync interval | Use “Provision on demand” for immediate sync |
If you need changes to sync immediately:
- Go to Provisioning in Azure
- Click Provision on demand
- Select the user to sync
- Click Provision
Security Best Practices
- Set calendar reminders to regenerate tokens before the 90-day expiration
- Use Azure AD groups to manage access rather than individual user assignments
- Monitor provisioning logs regularly for failed operations
- Test with a small group before assigning your entire organization
- Review NeuralTrust audit logs for provisioning-related events