SCIM User Provisioning

If your organization manages people in Microsoft Entra ID (Azure AD), you can provision them into Ditio automatically instead of maintaining users in two places. Ditio supports the SCIM 2.0 protocol: when someone joins, changes role, or leaves in your directory, the change flows into Ditio on the next provisioning cycle.

  • Creates new Ditio accounts when people join your team or organization
  • Assigns the correct base role to users in Ditio
  • Updates user profiles when changes are made in Entra ID
  • Deactivates Ditio accounts when people leave the team or organization

  • Group provisioning is not supported
  • Write-back from Ditio to Entra ID is not supported

  1. An Entra ID (Azure AD) tenant with an active subscription
  2. A Ditio company already registered
  3. Provide your Azure Tenant ID to Ditio — we need it to generate a JWT security token for the SCIM application

Ditio operates a dedicated SCIM endpoint per environment (production and test). When you send your Azure Tenant ID to support@ditio.no, Ditio replies with:

  • the SCIM endpoint URL (the “Tenant URL” in Azure’s provisioning setup)
  • a secret token used to fetch the JWT bearer token for the integration

The secret is sent separately for security.

  1. Sign in to the Azure Portal
  2. Go to Enterprise Applications → select your Ditio application
  3. Go to the Provisioning configuration page
  4. Set Provisioning Mode to Automatic
  5. Enter the SCIM endpoint URL and the JWT token provided by Ditio

For detailed instructions, see Microsoft’s guide: SCIM provisioning with Entra ID.

Ensure the following attributes are mapped correctly in Entra ID.

| Entra ID attribute | SCIM attribute | Description |
|---|---|---|
| userPrincipalName | userName | Email address |
| Switch([IsSoftDeleted]…) | active | Enable / disable user |
| displayName | displayName | Full name |
| telephoneNumber | phoneNumbers[type eq "work"].value | Work phone (either work or mobile is required) |
| mobile | phoneNumbers[type eq "mobile"].value | Mobile phone (either work or mobile is required) |
| employeeId | urn:...:enterprise:2.0:User:employeeNumber | Employee number (must be unique within the company) |
| Extension attribute | urn:...:ditio:1.0:User:birthDate | Date of birth |
| Extension attribute | urn:...:ditio:1.0:User:employmentStartDate | Employment start date |

| Entra ID attribute | SCIM attribute | Description |
|---|---|---|
| givenName | name.givenName | First name |
| surname | name.familyName | Last name |
| jobTitle | title | Work title |
| department | urn:...:enterprise:2.0:User:department | Department on the employment |
| Extension attribute | urn:...:enterprise:2.0:User:costCenter | Sets “Main project number” on the employment |
| Extension attribute | urn:...:ditio:1.0:User:employmentEndDate | Employment end date (terminates the employment) |
| Extension attribute | urn:...:ditio:1.0:User:builderCard | Builder card ID |
| Extension attribute | urn:...:ditio:1.0:User:builderCardExpirationDate | Builder card expiration date |
| Extension attribute | urn:...:ditio:1.0:User:payrollConnected | true = hourly paid, false = fixed salary |
| Extension attribute | urn:...:ditio:1.0:User:workTimeArrangement | Work time arrangement table |
| Extension attribute | urn:...:enterprise:2.0:User:organization | Organization number (which Ditio company to create the user in) |
| Extension attribute | urn:...:ditio:1.0:User:tags | Key-value pairs, e.g. "tag1:false,tag2:true" |
| manager | urn:...:enterprise:2.0:User:manager.value | Sets the user’s nearest manager. The value must be the Entra Object ID of an existing Ditio user; the resolved user becomes the primary immediate supervisor. Existing non-primary supervisors are preserved. Removing the attribute does not clear an existing supervisor. |

  • dd.MM.yyyy (e.g. 15.01.2026)
  • ddMMyyyy (e.g. 15012026)
  • yyyy-MM-dd (e.g. 2026-01-15)
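
A pre-flight check for the required attributes and date formats listed above, as an added example that is not Ditio's own code or validation logic. The function names, the `BirthDate` and `EmploymentStartDate` property names (stand-ins for whichever extension attributes you mapped) and the sample records are assumptions; duplicates are detected only within the batch you pass in, not against users already in Ditio.

```powershell
# Added example (not Ditio's code). BirthDate and EmploymentStartDate are
# assumed property names standing in for whichever extension attributes you mapped.
$DateFormats = [string[]]@('dd.MM.yyyy', 'ddMMyyyy', 'yyyy-MM-dd')

function Test-DitioDate([string]$Value) {
    # True only if the value matches one of the three listed formats exactly.
    $parsed = [datetime]::MinValue
    return [datetime]::TryParseExact($Value, $DateFormats,
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
}

function Get-ProvisioningProblem {
    param([Parameter(Mandatory)][object[]]$Users)
    # Count employeeId values so duplicates within the batch can be flagged.
    $seen = @{}
    foreach ($u in $Users) {
        if ($u.employeeId) { $seen[$u.employeeId] = 1 + [int]$seen[$u.employeeId] }
    }
    foreach ($u in $Users) {
        $problems = @()
        # Either a work or a mobile phone number is required.
        if (-not $u.telephoneNumber -and -not $u.mobile) { $problems += 'no work or mobile phone' }
        if (-not $u.employeeId) { $problems += 'employeeId missing' }
        elseif ($seen[$u.employeeId] -gt 1) { $problems += 'employeeId duplicated in batch' }
        foreach ($field in 'BirthDate', 'EmploymentStartDate') {
            if (-not (Test-DitioDate ($u.$field))) { $problems += "$field missing or unsupported format" }
        }
        # Emit one row per user that would likely be skipped or rejected.
        if ($problems) {
            [pscustomobject]@{ User = $u.userPrincipalName; Problems = $problems -join '; ' }
        }
    }
}

# Constructed sample records (not real users).
$sample = @(
    [pscustomobject]@{ userPrincipalName = 'ok@example.com'; telephoneNumber = '+47 40000001'; mobile = $null; employeeId = '1001'; BirthDate = '15.01.1990'; EmploymentStartDate = '2026-01-15' }
    [pscustomobject]@{ userPrincipalName = 'nophone@example.com'; telephoneNumber = $null; mobile = $null; employeeId = '1002'; BirthDate = '15011990'; EmploymentStartDate = '2026-01-15' }
    [pscustomobject]@{ userPrincipalName = 'dup1@example.com'; telephoneNumber = $null; mobile = '+47 90000003'; employeeId = '1003'; BirthDate = '1985-06-30'; EmploymentStartDate = '01.02.2026' }
    [pscustomobject]@{ userPrincipalName = 'dup2@example.com'; telephoneNumber = $null; mobile = '+47 90000004'; employeeId = '1003'; BirthDate = '01/15/1990'; EmploymentStartDate = $null }
)
Get-ProvisioningProblem -Users $sample | Format-List
```

With the constructed records, the first user produces no output and the other three are reported with the reason each would fail the requirements on this page.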

Extension attributes (for fields like birthDate and employmentStartDate) can be added in two ways.

Option 1: use existing extension attributes

Set-ADUser -Identity "anyUser" -Add @{extensionAttribute4="myString"}

Option 2: create custom extension attributes

See Microsoft’s guides:

Setting extension values:

Set-AzureADUserExtension `
-ObjectId {objectId} `
-ExtensionName extension_{your_extension_id}_BuilderCardId `
-ExtensionValue "Builder Card Value"

Reading all user properties including extensions:

(Get-AzureADUser -ObjectId {objectId}).ToJson()

Test with individual users before running a full provisioning cycle:

  1. Go to Enterprise Applications → your Ditio app → Users and Groups
  2. Add a few test users
  3. Use Azure’s on-demand provisioning to provision them manually
  4. Verify the users appear correctly in Ditio
  5. Once confirmed, enable automatic provisioning for all users

| Issue | Cause | Fix |
|---|---|---|
| User skipped during provisioning | Missing required attribute (phone, employee number, birth date, employment start date) | Check the provisioning log in Azure; fill the attribute in Entra ID |
| Duplicate employee number | employeeId already in use in the Ditio company | Employee numbers must be unique within a company; correct the conflicting value |
| User lands in the wrong company | organization attribute doesn’t match a Ditio company organization number | Verify the organization number mapping with Ditio support |
| Nothing happens after setup | Provisioning cycle hasn’t run yet | Azure runs cycles roughly every 40 minutes; use on-demand provisioning to test immediately |

  • If your HR system (not Entra ID) is the master, use the Employees API v5 instead
  • For sign-in (not provisioning) with Microsoft accounts, see Azure AD SSO