SCIM Provisioning with Azure AD


To set up SCIM provisioning with Azure AD, you'll need:

  • A TeamRetro ENTERPRISE subscription
  • The Organization Owner role in TeamRetro (to create an SCIM-scope API key)
  • An Administrator role in Azure AD (to configure SCIM)
  • Azure AD SSO set up on your TeamRetro application
    See our Azure AD SSO configuration guide

Configuring SCIM

Step 0 - Set up Azure AD Single Sign On (SSO) with TeamRetro

See our Azure AD SSO configuration guide

Step 1 - Get your TeamRetro SCIM API key

  • In TeamRetro, browse to [ORGANIZATION] > SETTINGS > SINGLE SIGN ON
  • Toggle SCIM to enabled (you may wish to disable Read and Write API access also)
  • Click CREATE
  • Copy the unique SCIM API key to use later in Azure AD

Step 2 - Configure SCIM Provisioning in Azure AD

Once you have completed the SSO set up, you will be able to access the application's settings:

  • Click on Provisioning from the side panel 
  • Change the Provisioning Mode to Automatic

Step 2.1 - Configure Admin Credentials

  • Complete the Admin Credentials form

    1. Tenant URL:
      For US Hosting:
      For EU Hosting:

      Note: the ?aadOptscim062020 flag notifies Azure AD to use the standards compliant SCIM behavior.
      This feature flag currently does not work with on-demand provisioning. More information

    2. Secret Token: <your TeamRetro SCIM API Key>
  • Click on Test Connection and if the connection succeeds, you will see a message/notification as follows:

  • Then click on Save to save the current changes you have made.

Step 2.2 - Configure Mappings

  • Click Mappings
    Both Provision Azure Active Directory Groups and Provision Azure Active Directory Users should be enabled.

  • Click on Provision Azure Active Directory Groups:
    • Ensure that Create, Update, and Delete are checked
    • Save any changes

  • Click on Provision Azure Active Directory Users:
    • Ensure that Create, Update, and Delete are checked
    • Save

Step 2.3 - Configure Additional Settings

Set the scope of your application to 'Sync only assigned users and groups' to avoid synchronizing unwanted users and groups. Then, set the Provisioning Status to On and Save the current changes.

How to Provision a Team via Azure AD

Ensure that you have assigned the desired users and groups to TeamRetro in order to sync them via the Users and Groups menu.

Still need help? Contact Us Contact Us