Skip to main content

SCIM + Microsoft SSO: Set Up User Provisioning

SafetyLine Support
Updated

This guide helps you set up SCIM-based user provisioning for SafetyLine using Microsoft Entra ID (formerly Azure AD).

Prerequisites (Customer Provides)

Before setup, ensure you have:

  • Provided your Tenant ID to our support team. 
  • Have you EntraID Administrator grant consent for the required enterprise applications.

    Your Azure AD Admin must grant consent using the following links:

⚠️ Tsunami IT will configure backend services.
You’ll be notified when backend setup is complete. Then, proceed to Step 2.

 

🔧 Step 2: Create the SCIM Enterprise App

  1. In Entra ID, go to: Enterprise Applications > New Application

  2. Choose: “Non-gallery application”

  3. Name the app: We recommend including “SCIM” and “SafetyLine” in the title

⚙️ Step 3: Configure SCIM Provisioning

Once the app is created:

  1. Go to: Provisioning tab > Manage > Provisioning

  2. Set “Provisioning Mode” to: Automatic

  3. Under Admin Credentials, enter:

    • Tenant URL: https://scim.slmonitor.com/scim

    • Secret Token: Provided by Tsunami's IT department prior to Step 2

  4. Click “Test Connection”, then Save

📄 Step 4: Attribute Mapping Setup

  1. A new “Mappings” section will appear after performing the Save in Step 3. 

  2. Under mappings, disable “Provision Microsoft Entra ID Groups”

  3. Click on “Provision Microsoft Entra ID Users”

  4. Ensure: All target object types are selected

  5. Follow the attribute mapping below and remove all other customappsso attributes:  

✅ Once mapping is saved and backend is confirmed, SCIM integration is ready.

👥 Managing Users via SCIM

You can manage the creation and deletion of SafetyLine users through your Entra ID SCIM integration.

➕ Add Users
Go to Users and Groups on the SCIM-enabled enterprise application
➤ Add users to automatically create SafetyLine users

Provisioning may take up to 40 minutes for the user to appear at https://slmonitor.com.

 

🟡 Removing Users (Soft Delete in SafetyLine)

If a user is removed from the SCIM-connected Enterprise App in Entra ID, or if their account is disabled in Entra ID, they’ll show as inactive in SafetyLine after the next sync (usually within 40 minutes).

  • Their profile remains in the system, marked as inactive.

  • All event history and logs stay intact for auditing and reporting.

This is the safest way to offboard someone without losing access to their historical data.

 

🔴 Deleting Users (Hard Delete in SafetyLine)

If a user is deleted from Entra ID, they first move into the “Deleted Users” list. After 30 days, Entra ID permanently deletes the account—when that happens, SafetyLine will also permanently remove the user and their event history during the next sync.

If the user is manually and permanently deleted from Entra ID immediately, SafetyLine will erase their profile and history during the next sync—no delay, no recovery.

⚠️ Use caution: Hard deletes mean complete data loss for that user in SafetyLine.

✅ These behaviors help align with your IT offboarding process by ensuring user access is properly revoked while still preserving important data when needed. Choose the approach that fits your organization’s retention, compliance, and audit needs.

 

🧠 Quick Tips

  • Always test your SCIM app using a test user before rolling out org-wide. Check your Provisioning Logs to see your results: 

  • Keep your app name consistent for easy identification. 

  • Contact our support team if you encounter provisioning errors. 

  • Once a user is provisioned, go to https://slmonitor.com to for user setup, including email and phone notifications and groups: Account Setup

 

Related to

Related articles