SCIM Provisioning with Azure AD


Prerequisites

To set up SCIM provisioning with Azure AD, you'll need:

  • A TeamRetro ENTERPRISE subscription
  • The Account Owner role in TeamRetro (to create a SCIM-scope API key)
  • An Administrator role in Azure AD (to configure SCIM)
  • Azure AD SSO set up on your TeamRetro application

    See our Azure AD SSO configuration guide


Configuring SCIM

Set up Azure AD Single Sign-On (SSO) with TeamRetro. See our Azure AD SSO configuration guide.

Get your TeamRetro SCIM API key

  1. In TeamRetro, browse to SETTINGS > API & SCIM.
  2. Click CREATE API KEY.
    • ENABLE SCIM (you may also wish to disable Read and Write API access).
  3. Click CREATE.
  4. Copy the unique SCIM API key to use later in Azure AD.
  5. Click SAVE CHANGES.

Configure SCIM Provisioning in Azure AD

Once you have completed the SSO setup, you will be able to access the application's settings:

  1. Click on Provisioning from the side panel.
  2. Change the Provisioning Mode to Automatic.

Configure Admin Credentials

Complete the Admin Credentials form.

  1. Tenant URL:

    For US Hosting: https://scim.teamretro.com/?aadOptscim062020

    For EU Hosting: https://scim.eu.teamretro.com/?aadOptscim062020

    Note: the ?aadOptscim062020 flag tells Azure AD to use the standards-compliant SCIM behavior. This feature flag currently does not work with on-demand provisioning. More information.

  2. Secret Token: <your TeamRetro SCIM API Key>
  3. Click on Test Connection. If the connection succeeds, you will see a message/notification confirming it.
  4. Click on Save to save the changes you have made.

Configure Mappings

  1. Click Mappings. Both Provision Azure Active Directory Groups and Provision Azure Active Directory Users should be enabled.

  2. Click on Provision Azure Active Directory Groups:
    • Ensure that Create, Update, and Delete are checked.
    • Save any changes.

  3. Click on Provision Azure Active Directory Users:
    • Ensure that Create, Update, and Delete are checked.
    • Save.

Configure Additional Settings

Set the scope of your application to Sync only assigned users and groups to avoid synchronizing unwanted users and groups. Then, set the Provisioning Status to On and Save the current changes.


How to Provision a Team via Azure AD

To sync users and groups, ensure that you have assigned them to TeamRetro via the Users and Groups menu.
