Skip to main content
Unlock streamlined identity management with SCIM 2.0 Provisioning. Automate user and group synchronization between your identity provider (IdP) and absentify using the industry-standard SCIM protocol.
SCIM (System for Cross-domain Identity Management) is an open standard for automating user provisioning. It works with any SCIM-compatible identity provider, including Microsoft Entra ID, Okta, OneLogin, Ping Identity, and more.

Benefits of SCIM provisioning

  • Identity provider-independent: Works with any SCIM 2.0 compatible IdP, not just Microsoft
  • Granular control: Define exactly which users and groups are provisioned to absentify — ideal for organizations that need precise control over what data is synchronized
  • Automated user lifecycle: Automatically create, update, and deactivate user accounts
  • Group-based provisioning: Synchronize group memberships to absentify departments
  • Push-based updates: Your IdP pushes changes to absentify in real-time
  • Standardized protocol: Uses RFC 7643/7644 compliant SCIM 2.0
Microsoft Entra ID users: If you need additional features like group owner synchronization or profile pictures, consider using the native Microsoft Graph synchronization instead. SCIM is ideal when you need granular control over which users are provisioned or when using non-Microsoft identity providers.
SCIM provisioning requires a Plus subscription. Upgrade your plan to enable this feature.

Prerequisites

Before you begin, ensure the following:
  • An absentify account with admin rights
  • A Plus subscription or higher
  • Access to your identity provider’s admin console with permissions to configure SCIM provisioning

Getting started

Step 1: Generate a SCIM token

  1. Navigate to Settings > Integrations > SCIM Provisioning in absentify
  2. Click Generate Token
  3. Important: Copy the token immediately — it will only be displayed once
  4. Note the Tenant URL: https://api.absentify.com/api/scim/v2
Store your token securely. If you lose it, you’ll need to generate a new one, which will invalidate the previous token.

Step 2: Configure your identity provider

The configuration steps vary depending on your identity provider. Below are instructions for common IdPs.

Create an Enterprise Application

  1. Open the Microsoft Entra Admin Center
  2. Navigate to Enterprise applications > New application
  3. Click Create your own application
  4. Name it “absentify SCIM Provisioning”
  5. Select Integrate any other application you don’t find in the gallery
  6. Click Create

Configure Provisioning

  1. In the new application, go to Provisioning > Get started
  2. Set Provisioning Mode to Automatic
  3. Under Admin Credentials:
    • Tenant URL: https://api.absentify.com/api/scim/v2
    • Secret Token: Paste the token from Step 1
  4. Click Test Connection to verify the connection
  5. Click Save

Configure Attribute Mappings

Recommended User Mappings:
Entra ID AttributeSCIM Attribute
userPrincipalNameuserName
displayNamedisplayName
givenNamename.givenName
surnamename.familyName
mailemails[type eq “work”].value
Switch([IsSoftDeleted], , “False”, “True”, “True”, “False”)active
objectIdexternalId
preferredLanguagepreferredLanguage
employeeIdurn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber
Recommended Group Mappings:
Entra ID AttributeSCIM Attribute
displayNamedisplayName
objectIdexternalId
membersmembers

Assign Users and Groups

  1. Under Settings > Scope, choose:
    • Sync only assigned users and groups (recommended)
    • or Sync all users and groups
  2. Assign the users and groups you want to provision

Start Provisioning

  1. Click Start provisioning
  2. The initial sync may take 20-40 minutes depending on the number of users
  3. Monitor progress in Provisioning logs

Configure group synchronization

After your IdP starts provisioning groups to absentify, you can map them to departments.

Step 1: Access group synchronization settings

  1. Navigate to Settings > Integrations > SCIM Provisioning
  2. Click Group Synchronization
  3. Click Add a group synchronization

Step 2: Configure the synchronization

  1. Name your synchronization: Use a descriptive name that matches the group and department
  2. Select the SCIM group: Choose from the groups provisioned by your IdP
  3. Select absentify departments: Map the group to one or more departments
  4. Configure sync options: Enable the features you need (see below)

Synchronization options

Enable auto-creation of user accounts

Automatically create absentify accounts for users in SCIM groups who are not yet in the system.
  1. Toggle Enable Auto-Creation of user accounts
  2. New users will be created as inactive accounts
  3. Group owners receive an email notification to activate new accounts
  4. New accounts receive a pro-rata allowance based on their start date

Key points

  • Users already in the workspace: When existing users are added to a synced group, they will also be assigned to the corresponding synced department
  • Users not yet in the workspace: New users are created as inactive and assigned to the synced department
  • Manual department assignment not possible: You cannot manually assign a user to a department that is part of a SCIM sync

Manage department membership and archive users

Keep absentify departments aligned with SCIM group changes.
  1. Toggle Manage department membership on group updates and archive users not assigned to departments
  2. When users are removed from a SCIM group:
    • If they belong to other departments, they remain active
    • If they have no other department assignments, they are automatically archived
Archiving occurs approximately 10 minutes after group updates. A slight delay may occur if the same user is removed from multiple groups in quick succession.

Supported SCIM features

User attributes

AttributeTypeRequiredDescription
userNameStringUnique identifier (e.g., UPN)
name.givenNameStringFirst name
name.familyNameStringLast name
displayNameStringDisplay name
emails[].valueStringEmail address
emails[].primaryBooleanPrimary email flag
activeBooleanActive/inactive status
externalIdStringExternal ID from IdP
preferredLanguageStringPreferred language (e.g., “de”, “en”)
employeeNumberStringEmployee number (enterprise extension)

Group attributes

AttributeTypeRequiredDescription
displayNameStringGroup name
externalIdStringExternal ID from IdP
members[].valueStringUser IDs of members
Language fallback: If preferredLanguage is not set, the workspace’s default language is used.

SCIM vs. Microsoft Graph sync

If you’re using Microsoft Entra ID, you can choose between SCIM and native Microsoft Graph synchronization.
FeatureSCIMMicrosoft Graph
User synchronization
Group synchronization
Auto-creation of accounts
Department assignment
User deactivation
Group owner/manager sync
Profile picture sync
IdP-independent
Push-based updates
Use SCIM when:
  • You use a non-Microsoft identity provider (Okta, OneLogin, etc.)
  • You want a standardized, IdP-independent solution
  • You need granular control over exactly which users and groups are provisioned
  • You only need user and group synchronization
Use Microsoft Graph when:
  • Microsoft 365 / Entra ID is your primary IdP
  • You want to sync group owners as department managers
  • You want to sync profile pictures
  • You want automatic provisioning of all users in a group without additional IdP configuration
SCIM and Microsoft Graph cannot be configured for the same group simultaneously. Different groups can use different sync methods.

Token management

Token validity

  • Default validity: 12 months
  • Expiration date is displayed in the settings

Regenerate token

  1. Navigate to SCIM settings
  2. Click Regenerate Token
  3. The old token is immediately invalidated
  4. Update the token in your IdP configuration

Revoke token

  • Click the trash icon next to the masked token
  • All SCIM requests will be rejected immediately
  • Provisioned users and groups remain in absentify

Troubleshooting

Common issues

IssuePossible causeSolution
Connection test failsInvalid tokenGenerate a new token and update IdP
Users not createdPlus subscription requiredUpgrade to Plus plan
Groups not appearingGroups not provisioned yetCheck IdP provisioning logs
User not archivedMultiple group removalsWait 10-15 minutes and check again

Check sync logs

  1. Navigate to Settings > Microsoft > Sync Logs
  2. Filter by Operation and select SCIM Provisioning
  3. Review the logs for errors or skipped events

Limitations

  • No group owner sync: SCIM 2.0 does not support group owners/administrators. Manager synchronization is not available with SCIM.
  • No profile pictures: SCIM does not support image synchronization.

FAQ

Yes, but not for the same group. Different groups can use different synchronization methods.
SCIM 2.0 does not include a concept of group owners or administrators. This is a protocol limitation, not an absentify limitation.
The user is marked as inactive in absentify. Depending on your sync configuration, they may also be archived if they have no other department assignments.
The initial sync typically takes 20-40 minutes depending on the number of users and groups. Incremental updates are much faster.
No. SCIM users are stored separately and linked to absentify members by email. Existing profile data is not overwritten.