Provision users from Azure AD using SCIM

Microsoft Azure Active Directory (AD) is a cloud-based identity and access management solution used by organizations to control access to their protected resources.

With the SCIM provisioning, you can automatically import user accounts based on the group memberships from the source system, Azure AD, to your target Akamai MFA SCIM application. For existing user profiles, SCIM provisioning ensures the automatic synchronization between both systems when a change to the user data is detected in the source system.

You can also use the attribute mapping capability to customize and match user attributes exchanged during the provisioning process between Azure AD and the SCIM application.


The automatic provisioning described in this section was implemented using a minimally viable subset of SCIM specifications. In particular, Akamai MFA doesn't support the full capabilities of the SCIM filtering parameter.


  • Sign up for a Microsoft Azure account with an active subscription.

  • If you want to send the enrollment email to users provisioned from your Azure AD, make sure each user has a valid email address. Users who don't have the email attribute field populated in their Azure AD user profile won't receive the enrollment email.

This integration:

  • Supports endpoints compatible with the SCIM 2.0 specification.

  • Requires one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Add SCIM provisioning

Follow this procedure to set up your SCIM service in Akamai MFA and obtain your authentication token and base URL. Your authentication credentials let you enable the import of user data from Azure Active Directory to Akamai MFA in the following steps of the provisioning process.

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Identity & Users > User Provisioning.

  2. Click Add Provisioning (+).

  3. In the User Provisioning page, select the SCIM 2.0 provisioning type and enter its unique name.

  4. Click Save and Deploy.

    You've just generated your API Token and Base URL that you will use in the following configuration steps.

On the SCIM provisioning configuration page, you can also enable these settings:

  1. Send enrollment emails. Toggle on to send the enrollment emails to the new users whose accounts were synced up with Akamai MFA. With this setting, new users receive an email with the enrollment link that lets them register their authentication device in the Akamai MFA service once their accounts have been imported from Microsoft Azure AD.

  2. Include Manually Provisioned Users. Toggle on to update the source of provisioning for users already existing in Akamai MFA. With this setting enabled, writes to users and groups not associated with any provisioning method (manually provisioned) by the SCIM client will cause them to have their provisioning method point to that SCIM integration. This allows the SCIM integration to claim ownership of existing users without forcing users to re-enroll if they already have accounts.


Please note that with Read All Users enabled, the sync operation doesn't claim users unless it detects a change in their records (such as a different email address).

  3. Read All Users. Toggle on to let the SCIM integration read every user record in the system, including those created by other SCIM instances or by EAA.


If you have existing users on Akamai MFA that you want your provisioning solution to take control of, we recommend that you first enable Include Manually Provisioned Users, verify that the users and groups were claimed, and only then enable Read All Users. Otherwise users present in both systems may not sync.
If you manage users via SailPoint, and want to allow it to read every user regardless of how they were provisioned, enable Read All Users.

  4. Click Save and Deploy.

    You've created a new SCIM service that you will connect with the Azure enterprise application in the following steps.

Create and configure an enterprise application in Azure AD

Follow these steps to create a new enterprise application in your Microsoft Azure Active Directory (Azure AD) tenant.

  1. Log in as administrator to your account in the Azure AD portal.

  2. Go to the Azure AD.

  3. In the Azure AD navigation menu, select Enterprise Applications.

    The All applications page displays enterprise applications configured in your Azure AD tenant.

  4. In All applications, click New application (+).

    You're redirected to the Azure AD gallery that displays the available application templates.

  5. In Browse Azure AD Gallery (Preview), click Create your own application (+).

  6. Select Integrate any other application you don't find in the gallery, enter a unique name for your SCIM application, and click Create.

    You're redirected to your newly created enterprise application. The navigation menu lets you display and, if needed, configure the application properties.

  7. In the application menu, go to Manage, and select Properties.

  8. The Properties page allows you to view all configurable parameters of your enterprise application. Leave the default settings. To learn more about the properties configuration, see Azure user guide.

    You've just created and configured an enterprise application in Microsoft Azure AD. Go to the following step to configure the automatic user provisioning for the SCIM application.

Configure provisioning in Azure AD

Follow these steps to configure automatic provisioning of users and groups in Microsoft Azure Active Directory. With this configuration, you can import and synchronize all identity and access data via SCIM.

  1. Log in as administrator to your account in the Azure AD portal.

  2. Go to the Azure AD.

  3. In the Azure AD navigation menu, select Enterprise Applications and navigate to the enterprise application that you created in the previous step.

  4. In the navigation menu, select Provisioning and click Get Started.

    The Provisioning page opens.

  5. In Provisioning Mode, select Automatic.

  6. In Admin Credentials, do the following:

    1. In Tenant URL, enter the Base URL that you copied from the Akamai MFA provisioning page.

    2. In Secret Token, enter the API Token that you copied from the Akamai MFA provisioning page.

    3. Click Test Connection to verify the communication between Azure AD and the SCIM endpoint.

    4. Click Save if you receive a notification that the entered authentication credentials are correct.

  7. In Settings, select On as Provisioning Status.

  8. Click Save.

Go to the following step to assign users to your SCIM application.

Provision aliases in Azure AD

If you need to support multiple usernames, you can set up an automatic import of alternate usernames (aliases) into Akamai MFA. With this configuration, the primary username, as well as additional imported aliases, will point to the same account in Akamai MFA.

Follow this procedure to create and map your custom alias attribute in Azure AD. To define the attribute, you can use the append function described in Azure's tutorial on the expression language. The append operation allows you to add a desired string of information, for example, an email, after the userPrincipalName attribute.


This step is optional; only a primary username is required for the service to function.

  1. Log in as administrator to your account in the Azure AD portal.

  2. Go to the Azure Active Directory (AD).

  3. In the Azure AD navigation menu, select Enterprise Applications and navigate to your SCIM enterprise application.

  4. In the navigation menu, select Provisioning.

  5. Click Edit provisioning.

  6. On the Provisioning page, scroll down to the Mappings menu and expand it.

  7. Click Provision Azure Active Directory for Users.

    The Attribute Mapping page displays all existing attributes in a table with two main columns: Azure Active Directory Attribute, which contains functions, and Custom Attribute (customappsso Attribute), where your new custom attribute will be displayed.

    To configure your new alias attribute, you have to create a custom attribute and map it in Azure AD.

  8. To create the alias attribute, follow the below steps:

    1. On the Attribute Mapping page, select Show advanced options, and click Edit attribute list for customappsso.
      This opens the existing attribute's configuration page.

    2. On the Edit Attribute List page, scroll down to the bottom of the attribute list, and define the following parameters for your attribute:

      • In the Name column, define your custom attribute. For example, enter aliases[type eq "email"].value, where aliases refers to the Akamai MFA custom attribute, and type eq "email" identifies a set of aliases provisioned for the user profile using the mapping logic that you will define in the following step. The right-hand side of the comparison with type can be changed as long as it is contained in quotation marks "".

      • In the Type column, verify that the String type is selected.

      • Click Save, and in Are you sure you want to make these changes, click Yes.

  9. To set up the mapping for your newly defined alias attribute, follow the below steps. You may need to check the Azure tutorial on the expression language.

    1. On the Attribute Mapping page, click Add New Mapping.

    2. In Edit Attribute, provide the following information:

      • In Mapping type, select Expression. This parameter lets you configure the mapping by means of a script-like expression.

      • In Expression, manually enter the mapping expression using the Append function. For example, enter Append([userPrincipalName], ""), where Append refers to the function type that lets you add an Akamai email address to the userPrincipalName attribute.

      • In Target attribute, enter manually the expression that you defined on the Edit Attribute List page (see step 8ii).

      • Click Ok.

  10. Click Save.

  11. In the Save changes dialog, click Yes.

    Your custom attribute has been added and saved to the list of existing attributes.

    For additional information, see the tutorial on the provisioning of custom attributes.

    You've just set up alias provisioning that will automatically import users' aliases to corresponding users' accounts in Akamai MFA the next time the users are synced.

    Go to the following step to assign users to your SCIM application.
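
Because every alias resolves to the same account as the primary username, it is worth checking what the alias mapping will emit before enabling the sync. The following is an added example, not code from the Akamai or Microsoft documentation: it expands target attribute names such as aliases[type eq "email"].value into a SCIM-style user resource and flags aliases claimed by more than one user. The function names, the placement of aliases at the top level of the resource, the case-insensitive comparison, and the sample users are assumptions made for illustration.

```python
import re

# Target attribute name: attribute, optional [key eq "value"] filter, optional .subAttribute
_PATH = re.compile(r'^(\w+)(?:\[(\w+) eq "([^"]*)"\])?(?:\.(\w+))?$')

def parse_target(path):
    """Split a target attribute name into (attr, filter_key, filter_value, sub_attr)."""
    m = _PATH.match(path.strip())
    if not m:
        raise ValueError(f"unsupported target attribute: {path!r}")
    return m.groups()

def build_user(mappings):
    """Fold {target attribute: value} pairs into one SCIM-style user resource (hypothetical helper)."""
    user = {}
    for path, value in mappings.items():
        attr, fkey, fval, sub = parse_target(path)
        if fkey is None:
            if sub is None:
                user[attr] = value                      # simple attribute, e.g. userName
            else:
                user.setdefault(attr, {})[sub] = value  # complex attribute, e.g. name.givenName
            continue
        # Filtered path: one list entry per distinct filter value ("email", ...)
        items = user.setdefault(attr, [])
        entry = next((i for i in items if i.get(fkey) == fval), None)
        if entry is None:
            entry = {fkey: fval}
            items.append(entry)
        entry[sub or "value"] = value
    return user

def alias_collisions(users):
    """Return aliases claimed by more than one userName (compared case-insensitively, an assumption)."""
    owners = {}
    for u in users:
        for a in u.get("aliases", []):
            if "value" in a:
                owners.setdefault(a["value"].lower(), set()).add(u["userName"])
    return {alias: sorted(names) for alias, names in owners.items() if len(names) > 1}

# Constructed sample users; the second one reuses the first user's alias with different casing.
SAMPLE = [
    build_user({"userName": "alice@example.com",
                'aliases[type eq "email"].value': "alice@corp.example"}),
    build_user({"userName": "bob@example.com",
                'aliases[type eq "email"].value': "Alice@corp.example"}),
]
```
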

Assign users and groups in Azure AD

Follow this procedure to assign groups to your SCIM application.

  1. Log in as administrator to your account in the Azure AD portal.

  2. Go to the Azure Active Directory.

  3. In the Azure Active Directory navigation menu, select Enterprise Applications and navigate to your enterprise application.

  4. In the directory navigation menu, select Users and groups.

  5. Click Add user.

    The Add Assignment dialog opens.

  6. In the Add Assignment dialog, click Users and groups to unfold a dialog with a list of available users.

  7. In the Users and groups dialog, select a user or group you want to assign and click Select.

  8. Click Assign.

    You've just enabled the immediate transfer of the selected memberships from the Microsoft Azure AD. Users and their privileges are now overwritten in Akamai MFA.
