Configure SCIM provisioning with Azure AD

Admins can use SCIM to provision, update, and deactivate employees in 15Five directly from Azure AD.

Before You Begin

  • You must be an account admin in 15Five.
  • If your organization uses SSO, set up SSO before configuring SCIM. See Set up SAML Single Sign-On (SSO) in 15Five.
  • When SSO and SCIM are both active, SSO passes only Email and Name ID. All other attributes update via SCIM.

Part 1: Enable SCIM in 15Five

  1. Click the Settings gear in the bottom-left corner of 15Five.
  2. Go to Features > Integrations.
  3. Click Enable to the right of SCIM 2.0.
  4. Check Enable SCIM to open SCIM settings.
  5. Click Generate OAuth token.

> The page refreshes and displays the generated token, the account that generated it, and any previously generated tokens.

  6. Copy and save the OAuth token; you will need it in Part 2.
  7. Configure the following settings on the SCIM Integration settings page:

     • Send welcome email: check to send 15Five invitations when employees are added in Azure AD. If SSO is enabled, the email links to your SSO page. If SSO is not enabled, the email links to password setup.

> Important: The Invite details setting on the Company settings page must match this selection. If SCIM invite email is ON and the Company setting is OFF, invitation emails will not send.

     • Reassign reporters: check to automatically reassign direct reports to their manager's manager when a manager is deactivated.

  8. Click Save.

Part 2: Configure the Azure AD gallery app

  1. In Azure AD, go to Enterprise Applications and click New application.
  2. Search for 15Five and select it from the results.
  3. Name the integration and click Add.
  4. Go to Provisioning and set Provisioning Mode to Automatic.
  5. Under Admin Credentials, enter the following:

     • Tenant URL: https://.15five.com/scim/v2/
     • Secret Token: paste the OAuth token generated in Part 1 (30 characters).

> Note: Do not use a 15Five Public API key. Public API keys are 32 characters and will not authenticate.

  6. Click Test Connection to verify credentials.
  7. Click Save.

> Note: The first sync after saving may take up to 40 minutes. Subsequent syncs occur approximately every 20 minutes.

Part 3: Configure attribute mappings

  1. Go to Provisioning > Mappings and click Provision Azure Active Directory Users.
  2. Update the user attribute mappings to match the following table:

| Azure Active Directory Attribute | customappsso Attribute |
|---|---|
| userPrincipalName | userName |
| Not([IsSoftDeleted]) | active |
| jobTitle | title |
| mail | emails[type eq "work"].value |
| givenName | name.givenName |
| surname | name.familyName |
| objectId | externalId |
| employeeId | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber |
| manager (or manager.value) | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager (or manager.value) |
| physicalDeliveryOfficeName | urn:ietf:params:scim:schemas:extension:15Five:2.0:User:location |
| extensionAttribute1 (or the attribute holding the employee's start date) | urn:ietf:params:scim:schemas:extension:15Five:2.0:User:startDate |

  3. To sync manager and location, add custom attributes first:

     • Click Edit attribute list for customappsso at the bottom of the Attribute Mapping page.
     • For location: enter urn:ietf:params:scim:schemas:extension:15Five:2.0:User:location as the attribute name and String as the type. Click Add Attribute.
     • If manager is not available as an Azure AD attribute: enter manager.value as the attribute name, Reference as the type, and urn:ietf:params:scim:schemas:extension:enterprise:2.0:User as the referenced object attribute. Click Add Attribute.

  4. Return to the User Attribute Mapping page.
  5. Click Add New Mapping for each custom attribute added in step 3.
  6. Click Save.

> Note: No changes to Group attribute mappings are required.
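
What the Part 3 mapping table produces for one user, as an added example that is not 15Five's or Microsoft's code: the function applies each row of the table to an Azure AD record and builds the corresponding SCIM 2.0 User resource, including the deactivation case driven by Not([IsSoftDeleted]). The name `to_scim_user`, the sample record, and the treatment of `manager.value` as an opaque identifier are assumptions; the exact payload Azure AD sends is not shown in this article.

```python
import json
# Schema URNs; the two extension URNs are copied from the mapping table.
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
FIFTEEN_FIVE = "urn:ietf:params:scim:schemas:extension:15Five:2.0:User"

def to_scim_user(aad, start_date_attr="extensionAttribute1"):
    """Apply the Part 3 mapping table to one Azure AD user record (a dict)."""
    user = {
        "schemas": [CORE],
        "userName": aad["userPrincipalName"],
        "externalId": aad["objectId"],
        # Not([IsSoftDeleted]): a soft-deleted directory user becomes inactive.
        "active": not aad.get("IsSoftDeleted", False),
        "name": {"givenName": aad.get("givenName"), "familyName": aad.get("surname")},
    }
    if aad.get("jobTitle"):
        user["title"] = aad["jobTitle"]
    if aad.get("mail"):
        # emails[type eq "work"].value targets the entry whose type is "work".
        user["emails"] = [{"type": "work", "value": aad["mail"]}]
    enterprise, custom = {}, {}
    if aad.get("employeeId"):
        enterprise["employeeNumber"] = aad["employeeId"]
    if aad.get("manager"):
        # manager.value; treated here as an opaque identifier (assumption).
        enterprise["manager"] = {"value": aad["manager"]}
    if aad.get("physicalDeliveryOfficeName"):
        custom["location"] = aad["physicalDeliveryOfficeName"]
    if aad.get(start_date_attr):
        custom["startDate"] = aad[start_date_attr]
    # List an extension schema only when it carries at least one attribute.
    for urn, body in ((ENTERPRISE, enterprise), (FIFTEEN_FIVE, custom)):
        if body:
            user["schemas"].append(urn)
            user[urn] = body
    return user

# Constructed sample record; every value is made up for illustration.
SAMPLE = {
    "userPrincipalName": "ada@example.com", "mail": "ada@example.com",
    "givenName": "Ada", "surname": "Byron", "jobTitle": "Engineer",
    "objectId": "00000000-0000-0000-0000-000000000001", "employeeId": "E1001",
    "manager": "00000000-0000-0000-0000-000000000002",
    "physicalDeliveryOfficeName": "Lisbon", "extensionAttribute1": "2024-01-15",
}
if __name__ == "__main__":
    print(json.dumps(to_scim_user(SAMPLE), indent=2))
```

Pass a different `start_date_attr` if your directory stores the start date in another attribute, as the last row of the table allows.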

Part 4: Disconnect the integration

  1. Go to Settings > Features > Integrations > SCIM 2.0.
  2. Uncheck Enabled.
  3. Click Save.

After disconnecting, existing user accounts remain active in 15Five but are no longer managed by Azure AD.

What a successful setup looks like

After completing all four parts:

  • The SCIM Integration settings page in 15Five shows the OAuth token and its generation timestamp, and the Enabled checkbox is checked.
  • In Azure AD, Provisioning Status shows On and the test connection returns a success confirmation.
  • After up to 40 minutes, employees assigned to the 15Five app in Azure AD appear in 15Five with the expected attributes populated.

If Something Goes Wrong

| Issue | Check | Fix |
|---|---|---|
| Test Connection fails in Azure AD | Confirm the Tenant URL ends in /scim/v2/ with no trailing space | Re-enter the Tenant URL exactly as https://.15five.com/scim/v2/ |
| Test Connection fails in Azure AD | Confirm the token is the SCIM OAuth token, not a Public API key | Public API keys are 32 characters; SCIM tokens are 30. Regenerate the OAuth token in 15Five and re-enter it |
| Employees are not appearing in 15Five after saving | First sync can take up to 40 minutes | Wait 40 minutes; then update any field in Azure AD to trigger a new sync |
| Invitation emails are not sending | Check that Send welcome email is ON in SCIM settings AND Invite details on the Company settings page is set to send invites | Enable the matching setting on the Company settings page |
| Manager attribute is not syncing | Confirm manager or manager.value is mapped and available as an Azure AD attribute | See Manager field not syncing via Azure AD SCIM integration |
| Employees added before SCIM was enabled are not updating | Pre-SCIM employees are not yet tracked by SCIM ID | See Users added before SCIM was enabled not updating or deprovisioning via Azure AD |

Not Covered Here

This article covers initial SCIM setup only. For start date delays, group sync behavior, password sync, and manual employee additions, see the related articles below.

Related Articles
