Prerequisites
Before you configure SCIM provisioning, ensure you have:- Administrator access to your Microsoft Entra ID tenant
- A Brellium admin account with permissions to authorize integrations
- The Brellium application registered in your Microsoft Entra ID tenant
- SSO configured for Brellium (see the SSO Configuration for Microsoft Entra ID guide)
- SCIM Tenant URL and Secret Token from Brellium (contact your customer success manager or Brellium support)
Supported features
The Brellium SCIM integration supports the following provisioning features:| Feature | Direction | Description |
|---|---|---|
| Push new users | Entra ID to Brellium | Users assigned to the Brellium app in Entra ID are automatically created in Brellium |
| Push profile updates | Entra ID to Brellium | Profile changes made in Entra ID are synced to Brellium |
| Push user deactivation | Entra ID to Brellium | Users unassigned or disabled in Entra ID are deactivated in Brellium |
| Reactivate users | Entra ID to Brellium | Previously deactivated users are reactivated when reassigned in Entra ID |
Supported profile attributes
The following SCIM attributes are supported for user provisioning between Microsoft Entra ID and Brellium:Core attributes
| SCIM attribute | Description |
|---|---|
userName | User’s primary identifier (email address format) |
emails[primary eq true].value | Primary email address |
name.givenName | First name |
name.familyName | Last name |
active | Account activation status |
title | Job title |
userType | User type — determines the default permissions assigned when the user is created in Brellium. You must set this value correctly. Accepted values: employee, operations, manager (unless otherwise configured in coordination with Brellium). If you need a custom configuration, contact your customer success manager or Brellium support. |
timezone | User’s timezone |
externalId | External identifier |
Enterprise User extension attributes
The following attributes use theurn:ietf:params:scim:schemas:extension:enterprise:2.0:User schema namespace.
| Attribute | Description |
|---|---|
employeeNumber | Employee number |
department | Department |
division | Division |
organization | Organization |
manager | Manager |
Configuration steps
Verify the SSO application
Before creating the SCIM application, verify that the enterprise application you created for Single Sign-On is configured correctly.
- In the Microsoft Entra admin center, go to Identity > Applications > Enterprise applications.
- Select the application you created for Single Sign-On.
- Go to Manage > Properties.
- Confirm that Assignment required? is set to Yes.
Create a SCIM application
SCIM provisioning requires a separate non-gallery enterprise application in Microsoft Entra ID.
- Go back to Enterprise applications and click New application.
- Click Create your own application.
- Enter a name for the application (e.g.,
Brellium SCIM). - Select Integrate any other application you don’t find in the gallery (Non-gallery).
- Click Create.
Assign users and groups
Assign the same users and groups to the SCIM application as those assigned to the SSO application.
- In the newly created SCIM application, go to Users and groups under Manage.
- Click Add user/group.
- Select the users or groups to assign and click Assign.
Configure provisioning
- In the SCIM application, go to Provisioning under Manage.
- Set Provisioning Mode to Automatic.
- In the Admin Credentials section, enter the following:
- Tenant URL: Provided by Brellium
- Secret Token: Provided by Brellium
- Click Test Connection to verify the credentials.
- Click Save.
Configure attribute mappings
- In the Provisioning section, expand Mappings.
- Click Provision Microsoft Entra ID Users.
- Review the attribute mappings and ensure the following are configured:
userPrincipalName→userNamemail→emails[type eq "work"].valuegivenName→name.givenNamesurname→name.familyNamejobTitle→title
- Click Save.
Microsoft Entra ID provides default attribute mappings for standard SCIM attributes. Review the mappings to ensure they match your organization’s directory structure.
Configure scope and start provisioning
- In the Provisioning section, go to Settings.
- Set the Scope to one of the following:
- Sync only assigned users and groups — Only users and groups assigned to the Brellium SCIM app are provisioned.
- Sync all users and groups — All users in the directory are provisioned.
- Set Provisioning Status to On.
- Click Save.
Verify provisioning
- In the Provisioning section, check the Provisioning logs for the status of provisioned users.
- In Brellium, verify that the provisioned user accounts were created with the correct profile attributes.
- Update a test user’s profile in Microsoft Entra ID (for example, change the job title or department).
- Verify that the profile update is synced to Brellium.
- Unassign a test user from the Brellium app in Microsoft Entra ID.
- Verify that the user is deactivated in Brellium.
Troubleshoot
| Issue | Cause | Solution |
|---|---|---|
| ”Test Connection” fails | Incorrect Tenant URL or Secret Token | Verify the SCIM credentials provided by Brellium |
| Users not provisioned | Provisioning scope is misconfigured | Verify the scope setting and ensure users are assigned to the app |
| Attribute mapping errors | Incorrect attribute mappings | Review the mappings in the Provision Microsoft Entra ID Users section |
| Provisioning cycle stuck | Microsoft Entra ID provisioning service issue | Check the Provisioning logs for errors and restart provisioning if needed |
Support
If you have questions or encounter issues not covered in this guide, contact the Brellium support team:- Email: sso.support@brellium.com