Introduction
SCIM (System for Cross-domain Identity Management) is a standardized protocol designed to simplify the management of user identities in cloud-based applications and services. It enables automatic provisioning, updating, and de-provisioning of user accounts, ensuring that user data is consistently synchronized across multiple systems. By using SCIM, organizations can streamline identity management processes, reduce administrative overhead, and improve security by ensuring that user access is always up-to-date.
This guide will show you how to configure SCIM settings in both ScreenCloud and Azure AD for smooth and secure data synchronization. Follow these steps to keep user records up-to-date across both platforms. Please note that you need to have SSO set up between ScreenCloud and Azure before you can implement SCIM. To learn how to set this up, please see How to set up ScreenCloud Single Sign-On (SSO) with Microsoft Azure.
In addition, SSO and SCIM for ScreenCloud are only available on the Enterprise tier plan. Please contact your account manager or our sales team if you wish to get this set up for your ScreenCloud organization.
1. Create your ScreenCloud SCIM Enterprise app in Azure
1.1. To create your SCIM connection between Microsoft Azure and ScreenCloud, a SCIM URL and SCIM Authorization Token are needed.
1.2. Your account's SCIM URL is found in Account > Organization under the Single Sign-On tab. Scroll down until you reach Provisioning Settings, where you can click the copy link button to copy the SCIM Tenant URL.
1.3. Click the Generate SCIM API token button to obtain the SCIM Authorization Token. Save the token somewhere safe as soon as you receive it, as you cannot view it again afterward. If you lose the token, you can regenerate a new SCIM API token. When you do this, you must also replace the SCIM Auth Token in your Microsoft Azure Portal.
1.4. With your SCIM URL and SCIM Authorization Token ready, you can create your Enterprise app in Microsoft Azure. To start, head to your Azure portal at https://portal.azure.com/, search for Enterprise applications, and click the app.
1.5. Click + New application and then the + Create your own application button, which will open a side window where you can name your application. Select the third option, which reads "Integrate any other application you don't find in the gallery (Non-gallery)", and click Create.
1.6. Your application is now created! In your SCIM app's overview, click Manage in the left-side list and click Provisioning.
1.7. Select the provisioning mode Automatic, and then insert the SCIM URL and SCIM Authorization Token under Admin Credentials (the token goes in the Secret Token box). You can then run the Test Connection, and click Save once the connection testing is complete.
1.8. You can now use your application to invite and create users in your ScreenCloud account.
2. Assign a group or user to the ScreenCloud SCIM enterprise app in Microsoft Azure
Through SCIM, you can invite users to ScreenCloud individually or by group. We recommend inviting users as a group, as the group carries across to ScreenCloud. This will make it easier to apply permission settings to the users in your ScreenCloud organization, as they will already be assigned to a group in your ScreenCloud account settings. To learn how to manage groups in Microsoft, please see Manage Microsoft Entra groups and group membership from Microsoft’s help documentation. To learn about applying user permissions to your ScreenCloud users, please see People, Groups, and Spaces: Managing Users & Teams With ScreenCloud.
Continue below to learn about assigning users to your ScreenCloud SCIM enterprise app:
2.1. Log in to your Microsoft Azure Portal at https://portal.azure.com/.
2.2. Search for Enterprise applications and select the app that populates.
2.3. You will arrive at Enterprise applications | All Applications, where you can search for your SAML app by name. In our case, it is “ScreenCloud SCIM”.
2.4. You will arrive at ScreenCloud SCIM | Overview. Here you can select 1. Assign users and groups under Getting Started.
2.5. You will end up in ScreenCloud SCIM | Users and Groups. Click + Add user/group to add a new group or user.
2.6. In the 'Add Assignment' page, click None selected under Users and groups. Search for and select your group or user, hit Select, and then hit Assign.
2.7. The group or user is now included under Users and groups for your ScreenCloud SCIM enterprise app.
3. Provision a user to your ScreenCloud organization with ScreenCloud SCIM
The provisioning step creates ScreenCloud access for the selected email address. A user who was assigned as part of a group is carried over into a group in your ScreenCloud account. A user who was invited individually, and not as part of a group, is added to your ScreenCloud account without any user permissions applied.
The Microsoft Azure Portal will automatically provision any newly assigned or removed users with the next refresh interval set for the account. However, you can push the action immediately with the Provision on demand option. Instructions on how to use this action are provided below.
3.1. As you view your ScreenCloud SCIM app, click the Provisioning option under the Manage menu.
3.2. Click Provision on demand, and search for and select your group or user.
3.3. While viewing just members of the group, make sure to select each user, and then click Provision.
At this point, if you choose to select users outside of the Microsoft group, they will be added to the ScreenCloud group that is created.
3.4. You will get confirmation of your group or user being added to your ScreenCloud account with four success marks, as pictured below.
3.5. Before you have your newly added users access your ScreenCloud account through the SCIM invite, please make sure to apply user and group permissions in ScreenCloud to the newly invited user or new group. Please see the guide People, Groups, and Spaces: Managing Users & Teams With ScreenCloud to learn how this is done.
Please note: If you add a Microsoft group that has the same name as an existing group in your ScreenCloud organization, the new users will be invited to the existing ScreenCloud group. All permissions and settings from the ScreenCloud group will be applied.
4. Access your ScreenCloud account through a Microsoft Azure SCIM invite
If you are added to your ScreenCloud organization through SCIM, you will not receive an email invite. All you need to do, instead, is to log in with SSO and your company slug name.
4.1. Select the Continue with SSO button on the ScreenCloud login page.
4.2. Insert your company slug name and hit Verify Organization.
4.3. You will then see the name of your ScreenCloud organization, where you can click Login next.
4.4. Complete your Microsoft login.
4.5. You should now have access to your ScreenCloud organization!
4.6. On your first login, if you notice that you don’t have any permissions applied and you cannot access any settings or view any screens and content, please contact the team in charge of managing your company’s ScreenCloud account.
5. Remove a user from ScreenCloud with SCIM for Microsoft Azure
The steps here are similar to section 2, and end by running the same provisioning actions as section 3 of this guide.
5.1. In Users and groups for your ScreenCloud SCIM enterprise app, select the user or group you wish to remove by ticking their box.
5.2. Click Remove Assignment.
5.3. Select Yes in the Delete confirmation.
5.4. Head to Provisioning > Provision on demand.
5.5. Select the user or group you just removed.
5.6. Click Provision.
5.7. The outcome will look like this, meaning the changes took effect.
5.8. Go ahead and refresh your ScreenCloud account to see the changes take effect.
Please note: The removed user will still have their login, but it will be directed to an empty account with no access to the ScreenCloud organization they were previously part of.
6. Frequently asked questions
I deleted a user from ScreenCloud. Why aren’t they also removed as a user in the ScreenCloud SCIM enterprise app in Azure Portal?
Changes made from your ScreenCloud Studio account are not reflected back to the IdP, the Microsoft Azure Portal.
When I clicked the Provision action in Azure Portal, the action failed and the user was not added or removed from the ScreenCloud account. How can I fix this issue?
This might happen when the SCIM authentication token has been regenerated in your ScreenCloud account but not updated in Azure. Please fetch the new token from the Single Sign-On tab under Account > Organization, and place it in the Secret Token box. You can find this in your Enterprise applications > [Your ScreenCloud SCIM Enterprise app] > Provisioning > Admin Credentials tab.
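The failure described in this answer, as an added example that is not ScreenCloud's or Microsoft's code: a read-only check that tells a rejected token apart from a wrong SCIM URL. It assumes the endpoint follows RFC 7644 (a /Users resource, bearer-token authentication, 401 or 403 for a bad token); the URL, the token values and the fake_tenant stand-in are constructed so that it runs offline.

```python
import io
import json
import urllib.error
import urllib.parse
import urllib.request

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def build_probe(tenant_url, token):
    """Read-only RFC 7644 filter query for a user that does not exist."""
    query = urllib.parse.urlencode({"filter": 'userName eq "probe@example.invalid"'})
    return urllib.request.Request(
        tenant_url.rstrip("/") + "/Users?" + query,
        headers={"Authorization": "Bearer " + token, "Accept": "application/scim+json"})

def check_scim_token(tenant_url, token, opener=urllib.request.urlopen):
    """Return (ok, diagnosis) for a SCIM URL and token pair."""
    try:
        with opener(build_probe(tenant_url, token), timeout=10) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:  # must precede URLError (its parent class)
        if err.code in (401, 403):  # assumed status for a stale or wrong token
            return False, "token rejected: paste the current token into Secret Token"
        if err.code == 404:
            return False, "endpoint not found: re-copy the SCIM Tenant URL"
        return False, f"unexpected HTTP {err.code}"
    except (urllib.error.URLError, ValueError) as err:
        return False, f"no valid SCIM response: {err}"
    if isinstance(body, dict) and LIST_SCHEMA in body.get("schemas", []):
        return True, "token accepted"
    return False, "response is not a SCIM ListResponse"

def fake_tenant(valid_token):
    """Constructed stand-in for the endpoint: accepts exactly one token."""
    def opener(request, timeout=None):
        if request.get_header("Authorization") != "Bearer " + valid_token:
            raise urllib.error.HTTPError(request.full_url, 401, "Unauthorized", {}, io.BytesIO())
        listing = {"schemas": [LIST_SCHEMA], "totalResults": 0, "Resources": []}
        return io.BytesIO(json.dumps(listing).encode())
    return opener

if __name__ == "__main__":
    url = "https://scim.example.invalid/v2"  # placeholder, not a real ScreenCloud URL
    endpoint = fake_tenant("token-after-regeneration")  # constructed token values
    print(check_scim_token(url, "token-before-regeneration", opener=endpoint))
    print(check_scim_token(url, "token-after-regeneration", opener=endpoint))
```

Against a real endpoint, leave opener at its default and read the token from an environment variable or secret store rather than passing it on the command line, where it would land in shell history.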
I’ve been invited through SCIM to my organization’s ScreenCloud. Why doesn’t my email let me log in?
If the email you are using already uses another authentication method, for example Google, it cannot log in with Microsoft Azure’s authentication.
I am attempting to log in with the provided company slug, but I get stuck at a “Sorry, but we’re having trouble signing you in” error message. How can this be resolved?
This issue happens if your email has not yet been provisioned. Please contact your IT team or the personnel in charge of setting your email up with SCIM between ScreenCloud and Microsoft Azure.