# With Microsoft Entra ID

*Automatic provisioning through SCIM is available starting in* [*Enterprise Edition*](https://www.sonarsource.com/plans-and-pricing/enterprise/)*.*

You can enable SCIM to automate user and group provisioning from Microsoft Entra ID (previously known as Azure AD) to SonarQube Server. For an overall understanding of the feature, read the SCIM [overview](https://docs.sonarsource.com/sonarqube-server/2025.1/instance-administration/authentication/saml/scim/overview "mention") page.

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

* You have a working SAML configuration with Microsoft Entra ID. See the [introduction](https://docs.sonarsource.com/sonarqube-server/2025.1/instance-administration/authentication/saml/ms-entra-id/introduction "mention") page.
* The connection from the Identity Provider to SonarQube must not be blocked on the network (unlike SAML, SCIM requires a direct network connection from the Identity Provider to SonarQube).

## Configuring SonarQube Server <a href="#configuring-sonarqube" id="configuring-sonarqube"></a>

1\. Within SonarQube Server, go to **Administration** > **Authentication** > **SAML**.

2\. Under **Provisioning**, click **Automatic user and group provisioning with SCIM**.

3\. Click **Save** and validate the pop-up window if you are sure you want to enable SCIM.

SCIM is now enabled in SonarQube Server and will handle all the queries coming from Microsoft Entra ID about users and groups.

## Configuring Microsoft Entra ID <a href="#configuring-azure-a-d" id="configuring-azure-a-d"></a>

**Step 1:** In Microsoft Entra ID, go to **Identity** > **Applications** > **Enterprise applications** > **All applications** and select the application created for SonarQube Server. On the application’s page, select **Provisioning**.

![](https://3560343708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4FzELVjsPO4ijRo3jtBV%2Fuploads%2Fgit-blob-cffe8e4ce3b709a5a553c0e8e55ed9a8ab19804f%2F865f8aa4d8e419c405168214b487945252218717.png?alt=media)

**Step 2:** On the **Provisioning** page, click **Get started**.

**Step 3:** Under **Provisioning Mode**, select **Automatic**.

**Step 4:** Configure the **Admin Credentials** section as follows:

* **Tenant Url**: `<sqServerBaseUrl>/api/scim/v2`
* **Secret token**: Paste a SonarQube Server user token from an administrator account in this field. For safety reasons, we recommend using a token from a local admin account (not managed through SCIM). See the [managing-tokens](https://docs.sonarsource.com/sonarqube-server/2025.1/user-guide/managing-tokens "mention") page for more details.

![](https://3560343708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4FzELVjsPO4ijRo3jtBV%2Fuploads%2Fgit-blob-2beccc930bd6bba2260df77942d1b171975c088a%2F5ffa01e41e509c222ab73436e823e2147ed19a08.png?alt=media)

Click **Test Connection** to check that your credentials are valid, then click **Save**.

**Step 5.a:** Under **Mappings**, click on **Provision Microsoft Entra ID Groups**. This opens the **Attribute Mapping** dialog for groups.

**Step 5.b:** Under **Target Object Actions**, make sure that **Create**, **Update**, and **Delete** are enabled.

![](https://3560343708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4FzELVjsPO4ijRo3jtBV%2Fuploads%2Fgit-blob-7a223f97ee7720a9d106e27c0a44035de244df35%2F2bb7ad5fe1bfe5f2914495b5c101f5c95ccca86c.png?alt=media)

**Step 5.c:** In **Attribute Mappings**, make sure `displayName` appears in both columns of the mapping. This ensures groups are mapped based on their names.

![](https://3560343708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4FzELVjsPO4ijRo3jtBV%2Fuploads%2Fgit-blob-854a9a27a33f45e8993ccaecd03b164e07fe5cb0%2F36e1fbee4765b2a714e74e4c24713be4f854ce81.png?alt=media)

**Step 5.d:** Click **Save**. This takes you back to the **Provisioning** page. If this was the default configuration, go back to the previous page.

**Step 6.a:** Under **Mappings**, click on **Provision Microsoft Entra ID Users**. This opens the **Attribute Mapping** dialog for users.

**Step 6.b:** Under **Target Object Actions**, make sure that **Create**, **Update**, and **Delete** are enabled.

**Step 6.c:** In **Attribute Mappings**, map the `userName` **customappsso Attribute** (target) to the **Microsoft Entra ID Attribute** (source) used as SAML user login attribute in your SAML configuration.\
For example, if your login attribute is `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` in your SonarQube Server’s SAML configuration and it is mapped to `user.userprincipalname` (default), use `userprincipalname` here. Otherwise, if it is mapped to `user.mail`, then use `mail` instead.

![](https://3560343708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4FzELVjsPO4ijRo3jtBV%2Fuploads%2Fgit-blob-43001deaa9ba3e2c9e2b73bca12e37f6c3b5317c%2F1b4cfad1f0a4a053135ad7c192d021afeaa5bf28.png?alt=media)

{% hint style="info" %}
To check which Microsoft Entra ID attribute is used as SAML user login attribute:

1. In SonarQube, go to **Administration** > **Authentication** > **SAML**.
2. In **SAML Configuration > SAML**, select **Edit**. The MS Entra ID attribute is the value of **SAML user login attribute**.
{% endhint %}

**Step 6.d:** Click **Save**. This takes you back to the **Provisioning** page.

**Step 7:** In the **Settings > Scope** section, select **Sync only assigned users and groups**.

![](https://3560343708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4FzELVjsPO4ijRo3jtBV%2Fuploads%2Fgit-blob-1064a34a51e74c1ac96c7569331fe2f553fae88c%2Fe31347571c9f77670da43c220ea9982fe6e2c95a.png?alt=media)

**Step 8:** Set the provisioning status to **On** and click **Save**. The Microsoft Entra ID users and groups will be synchronized with SonarQube Server.

{% hint style="info" %}
Microsoft Entra ID runs a SCIM synchronization every 40 minutes. Changes in Microsoft Entra ID are not reflected immediately in SonarQube Server.
{% endhint %}
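The following added example (not SonarQube or Microsoft code) illustrates the check behind Step 6.c: before turning provisioning on, compare the value SAML would present as the login with the value SCIM would send as `userName` for each assigned user. The helper names and directory entries are constructed for illustration, and the SCIM resource is reduced to the core User fields from RFC 7643.

```python
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def scim_source_for(saml_source):
    """'user.mail' (SAML claim source) -> 'mail' (provisioning source attribute)."""
    prefix, _, attr = saml_source.partition(".")
    if prefix != "user" or not attr:
        raise ValueError(f"unexpected SAML claim source: {saml_source!r}")
    return attr

def build_scim_user(entra_user, username_source):
    """Simplified SCIM core User resource carrying the mapped userName."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": entra_user.get(username_source),
        "displayName": entra_user.get("displayname"),
        "active": True,
    }

def login_mismatches(users, saml_source, username_source):
    """Return (user id, reason) where SCIM userName would not equal the SAML login."""
    saml_attr = scim_source_for(saml_source)
    problems = []
    for user in users:
        saml_login = user.get(saml_attr)
        scim_name = build_scim_user(user, username_source)["userName"]
        if not saml_login or not scim_name:
            problems.append((user["id"], "empty login value"))
        elif saml_login != scim_name:
            problems.append((user["id"], f"{scim_name} != {saml_login}"))
    return problems

# Constructed sample directory entries (not real accounts).
USERS = [
    {"id": "u1", "displayname": "Alice",
     "userprincipalname": "alice@example.com", "mail": "alice@example.com"},
    {"id": "u2", "displayname": "Bob (guest)",
     "userprincipalname": "bob_partner.example#EXT#@example.onmicrosoft.com",
     "mail": "bob@partner.example"},
    {"id": "u3", "displayname": "Carol",
     "userprincipalname": "carol@example.com", "mail": None},
]

if __name__ == "__main__":
    # SAML login claim sourced from user.mail; try both candidate userName sources.
    for source in ("userprincipalname", scim_source_for("user.mail")):
        print(source, login_mismatches(USERS, "user.mail", source))
```

With the SAML login sourced from `user.mail`, mapping `userName` to `userprincipalname` flags the guest account and the user without a mail value; mapping it to `mail` leaves only the user whose login value is empty.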

