Provision users from Azure AD using SCIM

Microsoft Azure Active Directory (AD) is a cloud-based identity and access management solution used by organizations to control access to their protected resources.

With SCIM provisioning, you can automatically import user accounts, based on group memberships, from the source system (Azure AD) to your target Akamai MFA SCIM application. For existing user profiles, SCIM provisioning automatically synchronizes both systems when a change to the user data is detected in the source system.

You can also use the attribute mapping capability to customize and match user attributes exchanged during the provisioning process between Azure AD and the SCIM application.

Akamai MFA SCIM support for Azure AD is only available with the SCIM 2.0 compliant mode of Azure AD.


The automatic provisioning described in this section was implemented using a minimally viable subset of SCIM specifications. In particular, Akamai MFA doesn't support the full capabilities of the SCIM filtering parameter.


  • Sign up for a Microsoft Azure account with an active subscription.

  • If you want to send the enrollment email to users provisioned from your Azure AD, make sure each user has a valid email address. Users who don't have the email attribute field populated in their Azure AD user profile won't receive the enrollment email.

This integration:

  • Supports endpoints compatible with the SCIM 2.0 specification.

  • Requires one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Add SCIM provisioning

Follow this procedure to set up your SCIM service in Akamai MFA and obtain your authentication token and base URL. Your authentication credentials let you enable the import of user data from Azure Active Directory to Akamai MFA in the following steps of the provisioning process.

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Identity & Users > User Provisioning.

  2. Click Add Provisioning (+).

  3. In the User Provisioning page, select the SCIM 2.0 provisioning type and enter its unique name.

  4. Click Save and Deploy.

    You've just generated your API Token and Base URL that you will use in the following configuration steps.

On the SCIM provisioning configuration page, you can also enable these settings:

  1. Send enrollment emails. Toggle on to send the enrollment emails to the new users whose accounts were synced up with Akamai MFA. With this setting, new users receive an email with the enrollment link that lets them register their authentication device in the Akamai MFA service once their accounts have been imported from Microsoft Azure AD.

  2. Include Manually Provisioned Users. Toggle on to update the source of provisioning for users already existing in Akamai MFA. With this setting enabled, writes to users and groups not associated with any provisioning method (manually provisioned) by the SCIM client will cause them to have their provisioning method point to that SCIM integration. This allows the SCIM integration to claim ownership of existing users without forcing users to re-enroll if they already have accounts.


Please note that with Read All Users enabled, the sync operation doesn’t claim users unless it detects a change in their records (such as a different email address).

  3. Read All Users. Toggle on to let the SCIM integration read every user record in the system, including those created by other SCIM instances or by EAA.


If you have existing users on Akamai MFA that you want your provisioning solution to take control of, we recommend that you first enable Include Manually Provisioned Users, verify that the users and groups were claimed, and only then enable Read All Users. Otherwise users present in both systems may not sync.

If you manage users via SailPoint, and want to allow it to read every user regardless of how they were provisioned, enable Read All Users.

  4. Click Save and Deploy.

    You’ve created a new SCIM service that you will connect with the Azure enterprise application in the following steps.

Create and configure an enterprise application in Azure AD

Follow these steps to create a new enterprise application in your Microsoft Azure Active Directory (Azure AD) tenant.

  1. Log in as administrator to your account in the Azure AD portal.

  2. Go to Azure AD.

  3. In the Azure AD navigation menu, select Enterprise Applications.

    The All applications page displays enterprise applications configured in your Azure AD tenant.

  4. In All applications, click New application (+).

    You're redirected to the Azure AD gallery that displays the available application templates.

  5. In Browse Azure AD Gallery (Preview), click Create your own application (+).

  6. Select Integrate any other application you don't find in the gallery, enter a unique name for your SCIM application, and click Create.

    You're redirected to your newly created enterprise application. The navigation menu lets you display and, if needed, configure the application properties.

  7. In the application menu, go to Manage, and select Properties.

  8. The Properties page allows you to view all configurable parameters of your enterprise application. Leave the default settings. To learn more about the properties configuration, see Azure user guide.

    You've just created and configured an enterprise application in Microsoft Azure AD. Go to the following step to configure the automatic user provisioning for the SCIM application.

Configure provisioning in Azure AD

Follow these steps to configure automatic provisioning of users and groups in Microsoft Azure Active Directory. With this configuration, you can import and synchronize all identity and access data via SCIM.

  1. Log in as administrator to your account in the Azure AD portal.

  2. Go to Azure AD.

  3. In the Azure AD navigation menu, select Enterprise Applications and navigate to the enterprise application that you created in the previous step.

  4. In the navigation menu, select Provisioning and click Get Started.

    The Provisioning page opens.

  5. In Provisioning Mode, select Automatic.

  6. In Admin Credentials, do the following:

    1. In Tenant URL, enter the Base URL that you copied from the Akamai MFA provisioning page and append the following feature flag to your URL to ensure SCIM compliance: ?aadOptscim062020.

    2. In Secret Token, enter the API Token that you copied from the Akamai MFA provisioning page.

    3. Click Test Connection to verify the communication between Azure AD and the SCIM endpoint.

    4. Click Save if you receive a notification that the entered authentication credentials are correct.

  7. Expand Mappings and click Provision Azure Active Directory Users to map Azure attributes.

  8. In Attribute Mapping, map the customappsso attribute (same as SCIM attributes) to these Azure AD attributes. Remove other attributes by clicking Delete.

These default attribute mappings are supported by Akamai MFA.

| Azure Active Directory Attribute | customappsso Attribute |
| --- | --- |
| Switch([IsSoftDeleted], , "False", "True", "True", "False") | active |
| mail | emails[type eq "work"].value |
| Join(" ", [givenName], [surname]) | name.formatted |

  9. Click Save and Yes.

Go to the following step to assign users to your SCIM application.


To learn more about feature flags and SCIM 2.0 protocol compliance, see Microsoft Azure AD documentation.
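The three mappings in the table above, evaluated against constructed user records, as an added example (not Akamai or Microsoft code). It shows the SCIM attribute fragment each mapping yields, the inversion that Switch() applies to IsSoftDeleted, and which users have no mail value and so cannot receive the enrollment email. The function names and sample users are hypothetical.

```python
# Added illustration, not Akamai or Microsoft code. Sample records are constructed.

def switch(source, default, *pairs):
    """Switch(): return the value paired with the key equal to source, else default."""
    return dict(zip(pairs[0::2], pairs[1::2])).get(source, default)

def join(separator, *parts):
    """Join(): concatenate source values with the separator.
    Skipping empty values is this sketch's choice (assumption)."""
    return separator.join(p for p in parts if p)

def map_user(aad_user):
    """Apply the three mappings; return (scim_fragment, warnings)."""
    warnings = []
    soft_deleted = str(bool(aad_user.get("IsSoftDeleted", False)))
    active = switch(soft_deleted, "", "False", "True", "True", "False")
    fragment = {
        # SCIM 2.0 defines `active` as a boolean, so convert the Switch() string.
        "active": active == "True",
        "name": {"formatted": join(" ", aad_user.get("givenName"),
                                   aad_user.get("surname"))},
    }
    mail = (aad_user.get("mail") or "").strip()
    if mail:
        fragment["emails"] = [{"type": "work", "value": mail}]
    else:
        warnings.append("mail is empty: no enrollment email will reach this user")
    return fragment, warnings

# Constructed sample users (hypothetical names and addresses).
SAMPLE_USERS = [
    {"givenName": "Ada", "surname": "Lovelace", "mail": "ada@example.com",
     "IsSoftDeleted": False},
    {"givenName": "Grace", "surname": "Hopper", "mail": None,
     "IsSoftDeleted": True},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        fragment, warnings = map_user(user)
        print(fragment, warnings)
```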

Assign users and groups in Azure AD

Follow this procedure to assign groups to your SCIM application.

  1. Log in as administrator to your account in the Azure AD portal.

  2. Go to Azure Active Directory.

  3. In the Azure Active Directory navigation menu, select Enterprise Applications and navigate to your enterprise application.

  4. In the directory navigation menu, select Users and groups.

  5. Click Add user.

    The Add Assignment dialog opens.

  6. In the Add Assignment dialog, click Users and groups to unfold a dialog with a list of available users.

  7. In the Users and groups dialog, select a user or group you want to assign and click Select.

  8. Click Assign.

    You've just enabled the immediate transfer of the selected memberships from the Microsoft Azure AD. Users and their privileges are now overwritten in Akamai MFA.


Removing users from a synced group, or removing a user who is directly assigned to the Akamai MFA Enterprise Application in the Users and Groups section, may not cause the user to be marked as disabled. This is contrary to the behavior described in Azure AD's documentation and allows them to continue to use Akamai MFA. This may prevent modification of the user until they are added back to the Enterprise Application. There are two ways to work around this issue.

  • One way is to mark the user as disabled, then navigate to Provisioning from your Enterprise Application, and click Restart provisioning. Next, verify that the change went through by clicking the View provisioning logs link and observing an Update request for the affected user(s) - this may take up to 40 minutes. Then, remove them from the synced group or application, and finally re-enable the user. The user should remain marked as disabled in Akamai MFA, as originally intended.
  • An alternative workaround is to create a policy that doesn't permit use of Akamai MFA, and assign it to the affected users.
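A reconciliation check for the deprovisioning gap described above, as an added example that is not Akamai or Microsoft code: it compares target-side user records against the current Azure AD assignments and lists accounts that are still active without an assignment. Matching on the work email and the two inputs (TARGET_USERS, ASSIGNED_IN_AZURE) are assumptions, and how you export either list is outside this sketch.

```python
import json

# Constructed sample: target-side user records in SCIM 2.0 ListResponse form.
TARGET_USERS = json.loads("""
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "totalResults": 4,
 "Resources": [
  {"id": "u1", "active": true,
   "emails": [{"type": "work", "value": "Ada@Example.com"}]},
  {"id": "u2", "active": true,
   "emails": [{"type": "work", "value": "grace@example.com"}]},
  {"id": "u3", "active": false,
   "emails": [{"type": "work", "value": "alan@example.com"}]},
  {"id": "u4", "active": true, "emails": []}
 ]}
""")

# Constructed sample: work addresses of users currently assigned to the
# enterprise application (directly or through a synced group).
ASSIGNED_IN_AZURE = ["ada@example.com"]

def work_email(resource):
    """Return the normalized work address of a SCIM user resource, or None."""
    for entry in resource.get("emails") or []:
        if entry.get("type") == "work" and entry.get("value"):
            return entry["value"].strip().lower()
    return None

def find_stale_active_users(list_response, assigned_emails):
    """List users still active in the target that the source no longer assigns."""
    assigned = {e.strip().lower() for e in assigned_emails}
    findings = []
    for res in list_response.get("Resources") or []:
        if not res.get("active", False):
            continue  # already disabled, which is the intended end state
        email = work_email(res)
        if email is None:
            findings.append({"id": res.get("id"), "email": None,
                             "reason": "no work email, cannot match"})
        elif email not in assigned:
            findings.append({"id": res.get("id"), "email": email,
                             "reason": "active but not assigned in Azure AD"})
    return findings

if __name__ == "__main__":
    for finding in find_stale_active_users(TARGET_USERS, ASSIGNED_IN_AZURE):
        print(finding)
```

Each finding is a candidate for one of the two workarounds above; an account reported with no work email needs a manual lookup before acting on it.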