Microsoft Azure AD SCIM 终结点

Question

Can someone tell me how to provision Microsoft Azure AD users via SCIM to my own application?

The scenario is as follows:

I have some users in Azure Active Directory and want to sync them with my own application running at my own server somewhere. I already know that there is Graph-API where I can simply call some URL like

https://graph.microsoft.com/v1.0/users

and then I receive the users. Fine... but now I wanted to use SCIM.

So are the SCIM endpoints set up / opened on the AzureAD side? So I call some URL from my application to receive users (same like Graph-API)?

Or do I have to open "/Users" "/Groups" API endpoints in my own server/application and somehow set up Azure AD to connect to my server and send the users to my application?

Somehow the documentation about SCIM in the Microsoft docs is extremely confusing.

By the way: I tried to do the same with some other Cloud HR software (no names needed here).

I could simply login to the HR system, create some test users, add some SCIM-endpoint like "www.my_server.com/scim" and the users were sent to my server. Actually I want AzureAD to do the same.

Or maybe SCIM is not the right thing to do this and stick to Graph-API?

Answer 1

Or do I have to open "/Users" "/Groups" API endpoints in my own server/application and somehow set up Azure AD to connect to my server and send the users to my application?

This. Azure AD has a SCIM client (sends requests), but does not have a SCIM server(receives requests).

This documentation goes through how to set up our custom non-gallery SCIM connector: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#integrate-your-scim-endpoint-with-the-aad-scim-client