Microsoft Entra ID SCIM Configuration
Note
Hyperproof connects to many third-party systems that change frequently, including their system interfaces. Contact your System Administrator or the third-party provider for assistance meeting the requirements to integrate with Hyperproof.
Note
The Microsoft Entra ID SCIM configuration documentation is written based on the new user experience for the Microsoft Entra ID application.
In Microsoft Entra ID, you must configure a non-gallery enterprise app, a SCIM connection, and provisioning.
Changes to users are sent from Microsoft Entra ID to Hyperproof. If you change a user's first name, last name, email address, or role in Microsoft Entra ID, the change is synchronized to Hyperproof. If you change a user's first name, last name, email address, or role in Hyperproof, the change is synchronized to Microsoft Entra ID after an import is performed on the side.
Microsoft Entra ID synchronizes with Hyperproof every 40 minutes.
If you remove a user from Microsoft Entra ID, that user is deactivated in Hyperproof. Be sure to reassign any work assigned to the deactivated user. See Reassigning work for a deactivated user.
Hyperproof roles must be assigned to users in Microsoft Entra ID, or those users will receive the default role of Limited access user when provisioned in Hyperproof.
You must meet the following prerequisites:
A Microsoft Entra ID subscription.
One of the following roles in Microsoft Entra ID: Application Administrator, Cloud Application Administrator, or Global Administrator.
Administrator access to your Hyperproof organization.
SCIM must be configured in Hyperproof first. See Configuring SCIM in Hyperproof.
Keep in mind the following:
SCIM supported features
The following features are supported:
Import new users and profile updates
Push new users
Push profile updates
Push groups
Deactivate users
Microsoft Entra ID workflow for configuring SCIM
The workflow to use SCIM provisioning with Microsoft Entra ID is as follows:
Configure SCIM in Hyperproof. See Configuring SCIM in Hyperproof.
Create a non-gallery enterprise application in Microsoft Entra ID. See Adding a Microsoft Entra non-gallery application for SCIM.
Configure automatic provisioning in Microsoft Entra ID. See Configuring Microsoft Entra ID automatic provisioning for SCIM.
Configure attribute mappings in Microsoft Entra ID. See Configuring Microsoft Entra ID attribute mappings for SCIM provisioning.
Configure Hyperproof roles in Microsoft Entra ID and map them to SCIM. See Configuring Hyperproof roles for Microsoft Entra ID SCIM provisioning.
Assign users and groups with roles in Microsoft Entra ID. See Assigning Microsoft Entra ID users and groups for SCIM provisioning.
Enable and verify provisioning in Microsoft Entra ID. See Enable and verify Microsoft Entra ID SCIM provisioning.
Follow the steps in Troubleshooting SCIM provisioning with Microsoft Entra ID to resolve any provisioning issues.
Best practices for SCIM provisioning with Microsoft Entra ID
Test with a small group first - Assign 2-3 test users before rolling out to your entire organization.
Use groups for role management - Create groups in Microsoft Entra ID for each Hyperproof role (e.g., "Hyperproof-Compliance-Managers").
Document your configuration - Keep a record of your SCIM endpoint URL and any custom attribute mappings.
Monitor provisioning logs - Check logs weekly for the first month to catch any issues early.
Coordinate with SSO - Ensure email addresses match between SSO and SCIM configurations.
Plan for deactivations - Establish a process for reassigning work from deactivated users.
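The following pre-rollout check is an added example, not Hyperproof or Microsoft code. It audits a constructed list of planned assignments for two conditions described above: users with no Hyperproof role (who would be provisioned as Limited access user) and email addresses that differ between SSO and SCIM. The column names, role values, and case-insensitive comparison are assumptions.

```python
import csv
import io

DEFAULT_ROLE = "Limited access user"  # default role named on this page

# Constructed sample data. Column names and role values are assumptions,
# not a real Microsoft Entra ID or Hyperproof export format.
SAMPLE_ASSIGNMENTS = """\
display_name,scim_email,sso_email,hyperproof_role
Ana Diaz,ana.diaz@example.com,ana.diaz@example.com,Compliance manager
Ben Ode,ben.ode@example.com,Ben.Ode@example.com,User
Cy Park,cy.park@example.com,cpark@example.com,Administrator
Di Roy,di.roy@example.com,di.roy@example.com,
Eli Wu,eli.wu@example.com,,User
"""


def normalize(email):
    """Trim whitespace and lowercase (assumes case is not significant)."""
    return email.strip().lower()


def audit_assignments(csv_text):
    """Return (display_name, finding) tuples for rows that need attention."""
    findings = []
    seen = {}  # normalized SCIM email -> first display name that used it
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["display_name"].strip()
        scim = normalize(row["scim_email"])
        sso = normalize(row["sso_email"])
        role = row["hyperproof_role"].strip()
        if not role:
            findings.append(
                (name, f"no role assigned; will be provisioned as '{DEFAULT_ROLE}'"))
        if not sso:
            findings.append((name, "no SSO email on record"))
        elif sso != scim:
            findings.append((name, f"email mismatch: SCIM {scim} vs SSO {sso}"))
        if scim in seen:
            findings.append((name, f"duplicate SCIM email also used by {seen[scim]}"))
        seen.setdefault(scim, name)
    return findings


if __name__ == "__main__":
    for name, finding in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{name}: {finding}")
```

Run it against the 2-3 test users first, then against the full assignment list before enabling provisioning for the whole organization.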