SCIM User Provisioning
If your organization manages people in Microsoft Entra ID (Azure AD), you can provision them into Ditio automatically instead of maintaining users in two places. Ditio supports the SCIM 2.0 protocol: when someone joins, changes role, or leaves in your directory, the change flows into Ditio on the next provisioning cycle.
What SCIM provisioning does
- Creates new Ditio accounts when people join your team or organization
- Assigns the correct base role to users in Ditio
- Updates user profiles when changes are made in Entra ID
- Deactivates Ditio accounts when people leave the team or organization
Limitations
- Group provisioning is not supported
- Write-back from Ditio to Entra ID is not supported
Prerequisites
- An Entra ID (Azure AD) tenant with an active subscription
- A Ditio company already registered
- Your Azure Tenant ID, sent to Ditio: it is needed to generate the JWT security token for the SCIM application
SCIM endpoint and token
Ditio operates a dedicated SCIM endpoint per environment (production and test). When you send your Azure Tenant ID to support@ditio.no, Ditio replies with:
- the SCIM endpoint URL (the “Tenant URL” in Azure’s provisioning setup)
- a secret token used to fetch the JWT bearer token for the integration
The secret is sent separately for security.
Setup in Azure
- Sign in to the Azure Portal
- Go to Enterprise Applications → select your Ditio application
- Go to the Provisioning configuration page
- Set Provisioning Mode to Automatic
- Enter the SCIM endpoint URL and the JWT token provided by Ditio
For detailed instructions, see Microsoft’s guide: SCIM provisioning with Entra ID.
Attribute mapping
Ensure the following attributes are mapped correctly in Entra ID.
Required attributes
| Entra ID attribute | SCIM attribute | Description |
|---|---|---|
| userPrincipalName | userName | Email address |
| Switch([IsSoftDeleted]…) | active | Enable / disable user |
| displayName | displayName | Full name |
| telephoneNumber | phoneNumbers[type eq "work"].value | Work phone (either work or mobile is required) |
| mobile | phoneNumbers[type eq "mobile"].value | Mobile phone (either work or mobile is required) |
| employeeId | urn:...:enterprise:2.0:User:employeeNumber | Employee number (must be unique within the company) |
| Extension attribute | urn:...:ditio:1.0:User:birthDate | Date of birth |
| Extension attribute | urn:...:ditio:1.0:User:employmentStartDate | Employment start date |
Optional attributes
| Entra ID attribute | SCIM attribute | Description |
|---|---|---|
| givenName | name.givenName | First name |
| surname | name.familyName | Last name |
| jobTitle | title | Work title |
| department | urn:...:enterprise:2.0:User:department | Department on the employment |
| Extension attribute | urn:...:enterprise:2.0:User:costCenter | Sets “Main project number” on the employment |
| Extension attribute | urn:...:ditio:1.0:User:employmentEndDate | Employment end date (terminates the employment) |
| Extension attribute | urn:...:ditio:1.0:User:builderCard | Builder card ID |
| Extension attribute | urn:...:ditio:1.0:User:builderCardExpirationDate | Builder card expiration date |
| Extension attribute | urn:...:ditio:1.0:User:payrollConnected | true = hourly paid, false = fixed salary |
| Extension attribute | urn:...:ditio:1.0:User:workTimeArrangement | Work time arrangement table |
| Extension attribute | urn:...:enterprise:2.0:User:organization | Organization number (which Ditio company to create the user in) |
| Extension attribute | urn:...:ditio:1.0:User:tags | Key-value pairs, e.g. "tag1:false,tag2:true" |
| manager | urn:...:enterprise:2.0:User:manager.value | Sets the user’s nearest manager. The value must be the Entra Object ID of an existing Ditio user; the resolved user becomes the primary immediate supervisor. Existing non-primary supervisors are preserved. Removing the attribute does not clear an existing supervisor. |
Supported date formats
- dd.MM.yyyy (e.g. 15.01.2026)
- ddMMyyyy (e.g. 15012026)
- yyyy-MM-dd (e.g. 2026-01-15)
Adding extension attributes in Entra ID
Extension attributes (for fields like birthDate and employmentStartDate) can be added in two ways.
Option 1: use existing extension attributes
```powershell
# Write a value into one of the existing extensionAttribute slots of an on-premises AD user
Set-ADUser -Identity "anyUser" -Add @{extensionAttribute4="myString"}
```
Option 2: create custom extension attributes
See Microsoft’s guides:
Setting extension values:
```powershell
# Set a custom directory extension value on a user (AzureAD module)
Set-AzureADUserExtension `
    -ObjectId {objectId} `
    -ExtensionName extension_{your_extension_id}_BuilderCardId `
    -ExtensionValue "Builder Card Value"
```
Reading all user properties including extensions:
```powershell
(Get-AzureADUser -ObjectId {objectId}).ToJson()
```
Testing
Test with individual users before running a full provisioning cycle:
- Go to Enterprise Applications → your Ditio app → Users and Groups
- Add a few test users
- Use Azure’s on-demand provisioning to provision them manually
- Verify the users appear correctly in Ditio
- Once confirmed, enable automatic provisioning for all users
Common issues
| Issue | Cause | Fix |
|---|---|---|
| User skipped during provisioning | Missing required attribute (phone, employee number, birth date, employment start date) | Check the provisioning log in Azure; fill the attribute in Entra ID |
| Duplicate employee number | employeeId already in use in the Ditio company | Employee numbers must be unique within a company — correct the conflicting value |
| User lands in the wrong company | organization attribute doesn’t match a Ditio company organization number | Verify the organization number mapping with Ditio support |
| Nothing happens after setup | Provisioning cycle hasn’t run yet | Azure runs cycles roughly every 40 minutes; use on-demand provisioning to test immediately |
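As an added example (not Ditio's code), a small Python pre-flight check that applies the required-attribute rules, the supported date formats and the causes listed in the Common issues table to a SCIM user resource of the kind Entra ID sends, so a skipped user can be explained before the provisioning log has to be read. The enterprise extension URN is the standard one from RFC 7643; the Ditio extension URN is a placeholder because this page only shows it abbreviated, and the sample user values are constructed.

```python
from datetime import datetime

# ENTERPRISE is the standard SCIM 2.0 URN (RFC 7643); DITIO is a placeholder (page shows it only as urn:...:ditio:1.0:User).
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
DITIO = "urn:PLACEHOLDER:ditio:1.0:User"
DATE_FORMATS = ("%d.%m.%Y", "%d%m%Y", "%Y-%m-%d")  # dd.MM.yyyy, ddMMyyyy, yyyy-MM-dd

def parse_ditio_date(value):
    """Parse one of the three accepted date formats; None if none match."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    return None

def phone(user, kind):
    # phoneNumbers[type eq kind].value, or None when absent or empty
    return next((p["value"] for p in user.get("phoneNumbers", [])
                 if p.get("type") == kind and p.get("value")), None)

def check_user(user, existing_employee_numbers, known_org_numbers):
    # Returns the problems that would make Ditio skip the user or place it wrongly.
    problems = [f"missing {a}" for a in ("userName", "displayName", "active")
                if user.get(a) in ("", None)]
    if not (phone(user, "work") or phone(user, "mobile")):
        problems.append("missing phone (work or mobile)")
    ent, dit = user.get(ENTERPRISE, {}), user.get(DITIO, {})
    emp = ent.get("employeeNumber")
    if not emp:
        problems.append("missing employeeNumber")
    elif emp in existing_employee_numbers:
        problems.append(f"duplicate employeeNumber {emp}")
    for field in ("birthDate", "employmentStartDate"):
        val = dit.get(field)
        if not val:
            problems.append(f"missing {field}")
        elif parse_ditio_date(val) is None:
            problems.append(f"unsupported date format in {field}: {val}")
    org = ent.get("organization")
    if org and org not in known_org_numbers:
        problems.append(f"organization {org} matches no Ditio company")
    return problems

SAMPLE_USER = {  # constructed sample of what Entra ID would send for one user; values are made up
    "userName": "ola.nordmann@example.com", "displayName": "Ola Nordmann", "active": True,
    "phoneNumbers": [{"type": "mobile", "value": "+47 900 00 000"}],
    ENTERPRISE: {"employeeNumber": "1042", "organization": "999999999"},
    DITIO: {"birthDate": "15.01.1990", "employmentStartDate": "2026-01-15"},
}
```

Run `check_user(SAMPLE_USER, existing_numbers, org_numbers)` with the employee numbers and organization numbers already known in your Ditio company; an empty list means the user passes every rule the tables above require.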
Alternatives
- If your HR system (not Entra ID) is the master, use the Employees API v5 instead
- For sign-in (not provisioning) with Microsoft accounts, see Azure AD SSO
Related
- Azure AD SSO — single sign-on setup
- Employees API v5 — API-based employee management
- Users API (v4) — legacy user endpoints
- SCIM specification