# Azure SCIM

> Learn how to configure SCIM provisioning with Azure for Infisical.

<Info>
  Azure SCIM provisioning is a paid feature.

  If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
  then you should contact [sales@infisical.com](mailto:sales@infisical.com) to purchase an enterprise license to use it.
</Info>

Prerequisites:

* [Configure Azure SAML for Infisical](/documentation/platform/sso/azure)

<Steps>
  <Step title="Create a SCIM token in Infisical">
    In Infisical, head to the **Single Sign-On (SSO)** page and select the **Provisioning** tab. Under SCIM Configuration,
    press the **Enable SCIM provisioning** toggle to allow Azure to provision/deprovision users for your organization.

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/platform/scim/scim-enable-provisioning.png" alt="SCIM enable provisioning" />

    Next, press **Manage SCIM Tokens** and then **Create** to generate a SCIM token for Azure.

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/platform/scim/scim-create-token.png" alt="SCIM create token" />

    Next, copy the **SCIM URL** and **New SCIM Token** to use when configuring SCIM in Azure.

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/platform/scim/scim-copy-token.png" alt="SCIM copy token" />
  </Step>

  <Step title="Add Users and Groups in Azure">
    In Azure, navigate to Enterprise Application > Users and Groups. Add to your application any users and/or groups
    that you would like to provision to Infisical.

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/platform/scim/azure/scim-azure-add-users-and-groups.png" alt="SCIM Azure Users and Groups" />
  </Step>

  <Step title="Configure SCIM in Azure">
    In Azure, head to your Enterprise Application > Provisioning > Overview and press **Get started**.

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/platform/scim/azure/scim-azure-get-started.png" alt="SCIM Azure" />

    Next, set the following fields:

    * Provisioning Mode: Select **Automatic**.
    * Tenant URL: Input the SCIM URL from Step 1 with `?aadOptscim062020` appended as a query parameter.
    * Secret Token: Input the **New SCIM Token** from Step 1.

    Afterwards, click **Enable SCIM** and press the **Test Connection** button to check that SCIM is configured properly.

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/platform/scim/azure/scim-azure-config.png" alt="SCIM Azure" />

    After you hit **Save**, select **Provision Microsoft Entra ID Users** under the **Mappings** subsection.

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/platform/scim/azure/scim-azure-select-user-mappings.png" alt="SCIM Azure" />

    Next, adjust the mappings so you have them configured as below:

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/platform/scim/azure/scim-azure-user-mappings.png" alt="SCIM Azure" />

    Finally, head to your Enterprise Application > Provisioning and set the **Provisioning Status** to **On**.

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/platform/scim/azure/scim-azure-provisioning-status.png" alt="SCIM Azure" />

    Alternatively, you can go to **Overview** and press **Start provisioning** to have Azure start provisioning/deprovisioning users to Infisical.

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/platform/scim/azure/scim-azure-start-provisioning.png" alt="SCIM Azure" />

    Now Azure can provision/deprovision users to/from your organization in Infisical.
  </Step>
</Steps>
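
The following is an added example, not part of Infisical's documentation or code: a Python helper that builds the **Tenant URL** value from Step 3 (the SCIM URL with `?aadOptscim062020` appended) and prepares a pre-flight request to confirm the URL and token before pasting them into Azure. The sample URL and token are constructed placeholders, and the `/Users` resource path under the SCIM URL is assumed from the SCIM 2.0 standard (RFC 7644).

```python
from urllib.error import HTTPError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

ENTRA_FLAG = "aadOptscim062020"  # query parameter required in the Tenant URL field
# Constructed sample values, not real Infisical output.
SAMPLE_SCIM_URL = "https://infisical.example.com/scim-base/"
SAMPLE_TOKEN = "constructed-placeholder-token"


def _base(scim_url: str):
    """Validate the SCIM URL copied from Infisical and return its parts."""
    parts = urlsplit(scim_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        # The Secret Token travels as a bearer credential on every request.
        raise ValueError("SCIM URL must be an absolute https:// URL")
    if parts.fragment:
        raise ValueError("SCIM URL must not contain a #fragment")
    return parts


def tenant_url(scim_url: str) -> str:
    """Value for Azure's Tenant URL field: the SCIM URL plus ?aadOptscim062020."""
    parts = _base(scim_url)
    keys = [k for k in parts.query.split("&") if k]
    if ENTRA_FLAG not in keys:  # idempotent: pasting an already-flagged URL is fine
        keys.append(ENTRA_FLAG)
    # The flag is a bare key (no "=value"), so join by hand instead of urlencode().
    return urlunsplit((parts.scheme, parts.netloc, parts.path.rstrip("/"), "&".join(keys), ""))


def preflight_request(scim_url: str, token: str) -> Request:
    """Build a SCIM 2.0 (RFC 7644) GET <base>/Users?count=1 authenticated with the token."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("SCIM token is empty or contains whitespace (bad copy/paste?)")
    parts = _base(scim_url)
    url = urlunsplit((parts.scheme, parts.netloc, parts.path.rstrip("/") + "/Users", "count=1", ""))
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    return Request(url, headers=headers, method="GET")


def send_preflight(scim_url: str, token: str, timeout: float = 10.0) -> int:
    """Send the request and return the HTTP status (needs network access)."""
    try:
        with urlopen(preflight_request(scim_url, token), timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code  # e.g. 401 when the token is not accepted
```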

**FAQ**

<AccordionGroup>
  <Accordion title="Why do SCIM-provisioned users have to finish setting up their account?">
    Infisical's SCIM implementation preserves the end-to-end encrypted architecture of Infisical because we decouple the **authentication** and **decryption** steps in the platform.

    For this reason, SCIM-provisioned users are initialized but must finish setting up their account when logging in for the first time by creating a master encryption/decryption key. With this implementation, IdPs and SCIM providers cannot and will not have access to the decryption key needed to decrypt your secrets.
  </Accordion>
</AccordionGroup>
