SCIM Provisioning
Automate user lifecycle management from your Identity Provider (IdP) with user and group provisioning through SCIM 2.0.
Veza's SCIM API provides a powerful automation tool to manage user access throughout the identity lifecycle. When an employee joins, changes roles, or leaves your organization, these changes can automatically propagate to Veza, maintaining access control while reducing administrative overhead.
The SCIM (System for Cross-domain Identity Management) protocol is an open standard for automating user provisioning between identity providers and applications. Veza exposes a standards-compliant SCIM 2.0 API at https://{tenant}.vezacloud.com/scim/v2.
Veza supports SCIM 2.0 integration with:
- Microsoft Entra ID (formerly Azure AD)
Before implementing SCIM provisioning, ensure you understand the prerequisites and process flow. This integration requires administrator access to both Veza and your identity provider, as well as a dedicated service account for secure API communication.
The implementation follows these key steps:
1. Create a dedicated admin user in Veza with SCIM Provisioner privileges
2. Generate and securely store an API key for your identity provider to authenticate
3. Enable SCIM provisioning in Veza's administration settings
4. Configure your identity provider with Veza's SCIM endpoint and authentication details
5. Enable push groups to align identity provider groups with Veza teams and roles
6. Validate the integration by testing the full provisioning lifecycle
When enabling SCIM, there are some critical behaviors to be aware of:
- SAML and SCIM interaction: When you enable SCIM provisioning, Veza automatically disables SAML Just-in-Time (JIT) provisioning to prevent potential conflicts. User profile updates now come exclusively from your identity provider through SCIM.
- Group-to-role mapping: Veza maps each identity provider group to one or more team/role assignments in Veza. When a user's group membership changes in your IdP, Veza automatically updates their team/role assignments.
- Permission persistence: If a user has the same permission from multiple groups, that permission remains until you remove the user from all groups granting that access. For example, if a user belongs to two groups that both assign Admin roles, removing them from only one group will not revoke their Admin permissions.
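The group-to-role mapping and permission-persistence behavior above, modeled as a small Python example. This is added illustration, not Veza's code; the group names and team/role pairs are constructed, and the PATCH body is the standard SCIM 2.0 `PatchOp` format (RFC 7644) an IdP would send to remove a group member.

```python
"""Model of IdP group -> Veza team/role mapping and permission persistence.

Constructed sample data: group names and (team, role) pairs are hypothetical,
not Veza defaults. Effective access is the union of everything any group grants,
so a permission survives until the user leaves every group that grants it.
"""

# Hypothetical mapping: one IdP group -> one or more (team, role) assignments
GROUP_ASSIGNMENTS = {
    "veza-admins": {("Security", "Admin")},
    "veza-platform-owners": {("Security", "Admin"), ("Platform", "Operator")},
    "veza-auditors": {("Security", "Viewer")},
}


def effective_assignments(user_groups, mapping=GROUP_ASSIGNMENTS):
    """Union of every (team, role) granted by any group the user belongs to."""
    assignments = set()
    for group in user_groups:
        assignments |= mapping.get(group, set())
    return assignments


def revoked_by_removal(user_groups, group, mapping=GROUP_ASSIGNMENTS):
    """Assignments actually lost when the user leaves `group`.

    Anything still granted by another remaining group is NOT revoked; this is
    the persistence rule an operator must account for when reviewing access.
    """
    before = effective_assignments(user_groups, mapping)
    after = effective_assignments(set(user_groups) - {group}, mapping)
    return before - after


def scim_patch_remove_member(user_id):
    """SCIM 2.0 PatchOp body an IdP sends to drop one member from a Group resource."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [
            {"op": "remove", "path": f'members[value eq "{user_id}"]'}
        ],
    }


if __name__ == "__main__":
    groups = {"veza-admins", "veza-platform-owners"}
    # Leaving only one of the two Admin-granting groups revokes nothing.
    print("lost after leaving veza-admins:", revoked_by_removal(groups, "veza-admins"))
    # Leaving the last Admin-granting group finally removes Admin.
    print("lost after leaving both:", revoked_by_removal({"veza-admins"}, "veza-admins"))
```

Reading the output side by side with the IdP's PATCH requests makes clear why an access review must check all groups that grant a role, not just the one a user was removed from.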
For identity provider-specific instructions, follow our detailed guide for .
- SCIM API endpoints and schema documentation
- Create and manage API keys
- Configure SAML SSO
- More information about Veza teams and role assignments