Configure SCIM Provisioning for Onplana with Microsoft Entra
Step-by-step automated user provisioning for the IT admin wiring Onplana up to Microsoft Entra ID's SCIM 2.0 connector. Covers token generation, the Entra Enterprise app, attribute mappings, the recommended scoping + group-disable settings, role-assignment patterns, and the handful of errors you might see on the first sync.
What you'll need before you start
- An Entra ID tenant with Entra ID Premium P1 or P2 license (SCIM provisioning requires it; the free Entra tier doesn't include the provisioning service).
- Global Administrator or Application Administrator role on Entra.
- An Onplana org on the Enterprise plan or higher (SCIM is gated to ENTERPRISE+).
- SSO already configured on the Onplana org with at least one verified email domain. SCIM refuses to create users whose email domain isn't on the verified list. Configure SSO first, see the SSO Entra setup guide.
Three things to configure
The whole setup boils down to three things in this order. The seven steps below implement them in detail; this overview is the mental model.
- 1In Onplana, generate a SCIM bearer token and copy the per-tenant endpoint URL.
- 2In Entra, paste them into the Enterprise app's Provisioning tab + configure attribute mappings.
- 3Assign users to the app, sync runs on demand (immediate) or on Entra's regular cycle (~40 min for incremental).
Role assignment, pick a pattern
Onplana supports exactly three role values for SCIM-provisioned users: MEMBER, MANAGER, and ADMIN. Three patterns for assigning them, ordered from simplest to most Entra-driven:
Recommended for most teams, default-MEMBER
Every SCIM user lands as MEMBER. Leave the role attribute mapping unconfigured in Entra. Promote individuals to MANAGER or ADMIN later from the Onplana People page. Lowest-effort setup, easiest to debug, matches how most Onplana customers run SCIM.
Skip the per-user-role and group-based patterns below if this works for you.
Option 1, per-user role attribute
In Entra's user attribute mapping, target the SCIM attribute roles[primary eq true].value with a source expression that emits one of MEMBER / MANAGER / ADMIN. Common pattern: derive from jobTitle or a custom extension attribute via a Switch expression.
Option 2, group-based
Push Entra groups whose displayName is exactly one of:Members, Managers, or Admins. Onplana maps membership to the corresponding role. Any other group displayName is rejected with HTTP 400.
If your source groups have different names, use Entra's group displayName mapping to rename them on the wire (Switch expression on objectId emitting the canonical name). Don't rename your actual Entra groups, that breaks other M365 integrations.
Setup, seven steps
Generate the SCIM bearer token in Onplana
- Open Onplana, navigate to Integrations (or Org Settings, Security & Compliance, SCIM).
- Click Generate Token.
- Copy the plaintext token immediately, it's shown once on generation, then bcrypt-hashed in storage. If you lose it, generate a new one (the old one stays valid until you click Revoke).
- Note the SCIM Endpoint URL displayed below the token, the format is exactly
https://api.onplana.com/scim/v2/<your-org-slug>with no trailing slash and no/Userssuffix.
Create the Entra SCIM application
Two paths, depending on whether the Onplana Gallery listing is live in your Entra tenant:
- If Onplana is in the Application Gallery: Microsoft Entra admin center, Enterprise applications, New application, search "Onplana", pick the Gallery app, add it. The Gallery template ships with attribute mappings pre-populated.
- If you're pre-Gallery (custom app): Microsoft Entra admin center, Enterprise applications, New application, Create your own, name it
Onplana SCIM, pick Integrate any other application you don't find in the gallery (Non-gallery).
Tip: you can use the same Entra app for both SAML SSO and SCIM provisioning. If you've already followed the SSO guide and have an Onplana SSO app, just open that same app and click Provisioning, you don't need a second app registration.
Paste the credentials into Provisioning
- Open the new (or existing) app, navigate to Provisioning, Get started.
- Set Provisioning Mode = Automatic.
- Tenant URL: paste the SCIM Endpoint URL from step 1. Full URL, no trailing slash, no
/Users. - Secret Token: paste the plaintext token from step 1.
- Click Test Connection. A green check means Onplana accepted the credentials and the bearer token resolves to a valid org. A red error means re-check the URL format and token contents (see troubleshooting below).
- Save.
Recommended, disable Group provisioning
For the default-MEMBER pattern (the recommended setup for most teams), Onplana doesn't need Entra to sync groups at all. Disabling group provisioning has two benefits: it shortens the per-user provisioning cycle, and it avoids Entra automatically pulling in M365 ecosystem groups (Defender for Cloud Apps, Check Point Harmony, etc.) that Onplana would have to no-op.
- Open Provisioning, Mappings, Provision Microsoft Entra ID Groups.
- Set Enabled = No.
- Save.
Skip this step ONLY if you're using the optional group-based role assignment pattern in step 6 (Onplana exposes three groups: Members, Managers, Admins). For the default-MEMBER pattern, disable.
Review the attribute mappings (Gallery defaults usually work)
The Gallery app ships with sensible defaults. If you used the custom-app path in step 2, paste these into the Entra mapping table:
| SCIM target attribute | Entra source |
|---|---|
| userName | userPrincipalName |
| name.givenName | givenName |
| name.familyName | surname |
| emails[type eq "work"].value | |
| externalId | objectId |
| active | Switch([IsSoftDeleted], , "False", "True", "True", "False") |
| displayName | displayName |
| roles[primary eq true].value | (optional) e.g. Switch([jobTitle], "MEMBER", "Director", "MANAGER", "VP", "ADMIN") |
The roles[primary eq true].value mapping is optional. Leave it unmapped for the default-MEMBER pattern (recommended). See the role-assignment callout above for the two patterns that use it.
Set the scoping filter (recommended)
- Open Provisioning, Settings.
- Set Scope to
Sync only assigned users and groups(notSync all users and groups). - Save.
This prevents Entra from attempting to push every user in your tenant directory into Onplana, which can hit Onplana's rate limit and cause large incremental syncs to fail. For typical org sizes (under ~10k users) you can leave this on the default; for larger directories the scoping filter is essential.
Assign users + enable provisioning
- Open Users and groups, Add user/group.
- Pick the users (or Entra groups) whose email is on Onplana's verified SSO domain list.
- Open Provisioning again, set Provisioning Status = On, Save.
- For instant feedback on a specific user, use Provision on demand, this shows the full SCIM request body and Onplana's response, the fastest way to diagnose any per-user issue.
- Regular incremental sync runs every ~40 minutes after that.
Screenshot, Onplana SCIM token + endpoint screen
Org Settings, Security & Compliance, SCIM with a freshly-generated token shown.
Screenshot, Entra Provisioning "Test Connection" green check
After pasting the Tenant URL and Secret Token from step 1.
Screenshot, Entra "Provision on demand" success view
A successful per-user sync showing the full SCIM request and response body.
Screenshot, Onplana /people with SCIM-provisioned badge
A user row showing the "SCIM" badge that distinguishes provisioned users from manually-invited ones.
Screenshots will land in a follow-up content pass. The text above is sufficient to complete the setup without them.
SCIM capabilities (what Onplana actually supports)
For reference. Most Entra installs don't need to know any of this directly, the Gallery app respects the documented limits automatically. But if you're debugging an integration or wiring up a non-Gallery IdP, here's the exact surface.
| Base URL | https://api.onplana.com/scim/v2/<org-slug> |
| Discovery endpoints | GET /ServiceProviderConfig, /Schemas, /ResourceTypes |
| User operations | GET (list + by id), POST, PUT, PATCH. No DELETE. Deactivation is PATCH active:false. |
| Group operations | GET (list + by id), POST, PUT, PATCH (members add/remove). No DELETE. Three fixed displayNames only: Members, Managers, Admins. |
| Filter operators | userName eq "<email>" on /Users, displayName eq "<name>" on /Groups. Other shapes return HTTP 400 invalidFilter. |
| Pagination | Max count=200 per page, default 100. Standard RFC 7644 startIndex + itemsPerPage. |
| Authentication | HTTP Bearer token (RFC 6750). Generated once per org via the Onplana admin UI, bcrypt-hashed on storage. Rotatable. |
| Per-tenant isolation | Deactivation via PATCH active:false flips OrganizationMember.isActive for THIS org only. Multi-org users retain access to other orgs. |
Onplana doesn't claim broader operator support, deeper filter expressions, or HTTP DELETE on the SCIM resources, the IdP-side reviewer pushback when documented behaviour exceeds actual implementation isn't worth the false-confidence trade.
Verify the sync worked
- In Onplana, open /people. The SCIM-provisioned user should appear with a
SCIMbadge that distinguishes them from manually-invited users. - Click View history on that user's row. The audit timeline should show a
Provisioned via SCIMevent with timestamp and externalId. - In Entra, Provisioning, Provisioning Logs, confirm a Success status for the user. The log entry includes the full SCIM request and response, which is the canonical reference if anything looks off in Onplana.
- Test deactivation: in Entra, remove the user from the app assignment (or set them
IsSoftDeleted = true). Wait for the next sync (or force via Provision on demand). Onplana's People page should show them deactivated for that org only.
Troubleshooting
Ten common SCIM provisioning errors and what to do about each. If the symptom isn't in the list, the Entra Provisioning Logs panel almost always has the exact error code from Onplana's SCIM response, search for it here.
"Test connection failed" in Entra after I paste the Tenant URL + Token
Most common cause is a trailing slash or trailing /Users on the Tenant URL. The correct format is exactly https://api.onplana.com/scim/v2/<your-org-slug> with no trailing slash and no /Users suffix. Second most common cause is whitespace in the bearer token (the token is case-sensitive). Regenerate the token in Onplana if you suspect copy-paste corruption. Third: token revoked or org disabled. Check the Onplana backend audit log for the most recent provisioning attempt.
"Email domain is not in this organization's verified SSO domain list"
SCIM refuses to create users whose email domain isn't on the verified-SSO-domain allowlist. This is a hard gate. Fix: open Onplana, Integrations, SSO, Verified domains. Add the domain (lowercase, e.g. acme.com). Save, then retry provisioning. The domain doesn't need DNS challenge, it's admin-attested.
"Unsupported role" error on a specific user
You've set the role attribute mapping (the optional pattern in step 5b), but the source expression returned a value other than MEMBER, MANAGER, or ADMIN. Onplana supports exactly three role values and rejects everything else. Fix: open your Entra mapping for roles[primary eq true].value and confirm the Switch / expression only emits one of the three allowed strings. If you don't need IdP-driven roles, delete the mapping entirely and Onplana defaults to MEMBER, the recommended path.
Entra reports "checkpoint_inline_* group ignored"
Informational, no action required. Microsoft Defender for Cloud Apps (the Check Point Harmony Email & Collaboration integration in particular) automatically pulls a set of dynamic groups with displayNames starting with "checkpoint_inline_" into Entra. They aren't real users-and-groups, just M365 ecosystem instrumentation. Onplana silently no-ops them rather than fail provisioning. If you'd rather have Entra stop pushing them: disable Group provisioning (step 4) or add a scoping filter, displayName Not Starts With "checkpoint_".
User created in Entra but not appearing in Onplana
Two likely causes. (a) The user is present in your Entra directory but isn't assigned to the Onplana app, ensure Users and groups, Add user/group includes them. (b) The user IS assigned but Entra's incremental sync hasn't run yet; the default cycle is every ~40 minutes. Force the sync with Provisioning, Provision on demand on that user. The on-demand panel shows the full SCIM request/response, which is also the fastest path to diagnose any other per-user provisioning issue.
I deactivated a user in Entra. They're still in Onplana
Entra deactivation should send a SCIM PATCH active:false to Onplana within ~40 minutes (or immediately on a Provision on demand). When that PATCH lands, Onplana flips OrganizationMember.isActive to false for THIS org only. If the user belongs to multiple Onplana orgs, they retain access to the others, this is intentional per-tenant scoping (one SCIM tenant should not be able to deactivate a user out of another org). If you also want to revoke the user from their other orgs, each of those orgs needs to deactivate them separately, either via that org's own SCIM connector or by an OWNER/ADMIN on that org removing them from People. There is no single cross-org per-user revocation action by design.
Can SCIM create projects, tasks, or other Onplana resources?
No. SCIM 2.0 covers user and group provisioning only. Onplana's SCIM endpoints expose /Users and /Groups (with three fixed Group displayNames: Members, Managers, Admins for role assignment). Project / task / portfolio creation is out of scope for SCIM and lives behind the REST API + PAT auth, or behind the in-app UI.
How do I rotate the SCIM bearer token without breaking provisioning?
Generate a new token in Onplana (the old one stays valid until you click Revoke). Update the Secret Token in Entra, Provisioning. Test Connection. Once green, revoke the old token in Onplana. The two-token overlap window is bounded by how fast you can paste, typically under a minute.
What SCIM filter operators does Onplana support?
Exactly two: userName eq "<email>" on /Users (for lookup-then-update or lookup-then-create flows) and displayName eq "<name>" on /Groups. Any other operator (ne, co, sw, ew, gt, lt, ge, le, pr) or attribute path returns HTTP 400 with scimType=invalidFilter and a descriptive error. This narrow surface is the documented and tested capability, don't configure Entra mappings that depend on broader filtering.
What's the pagination limit on /Users and /Groups?
Max count=200 per page, default count=100. Use the startIndex + itemsPerPage paging pattern from RFC 7644 if you need to walk larger directories. Entra automatically respects the returned itemsPerPage and doesn't need configuration.
Related
Microsoft Entra SSO setup
The SAML SSO companion guide. Includes the critical Sign-SAML-response-and-assertion signing-option fix.
Read SSO setupSecurity at Onplana
Encryption, audit logging, IP allowlisting, session policy, data residency, compliance posture.
Read security overviewThis page is the canonical SCIM-Entra setup reference linked from Onplana's Microsoft Entra Application Gallery listing. If you found an error or want a section expanded, mail hello@onplana.com. Last verified against Onplana production: 2026-05-21.