Skip to main content
All CollectionsIntegrations & SSOSCIM
How to configure Azure AD SCIM for a subset of users
How to configure Azure AD SCIM for a subset of users

Learn how to configure Azure AD SCIM for a subset of users.

Michael Smietana avatar
Written by Michael Smietana
Updated over 3 years ago

System for Cross-Domain Identity Management (SCIM) is an open standard protocol for automating the exchange of user identity information between identity domains and IT systems. With Learnster, it can be used to provision and synchronize user information between Azure AD and Learnster. Please see this article on how to set up user provisioning using SCIM in Learnster.

Reasons for provisioning a subset of users

There are many reasons why you would like to control which users should be provisioned. Perhaps only parts of your organization should have access to Learnster? Another very common scenario is to test provisioning with a smaller number of users before putting it into production for your whole organization. This is a recommended approach, especially in so-called "brownfield" scenarios where you are not starting out from scratch but already have users in your Learnster system. If you already have users in your Learnster, make sure to always test the effect SCIM will have on existing user accounts since SCIM will take over and overwrite existing user credentials.

Configure a subset

There are two ways to configure user subsets in Azure AD. Option 1 is the simplest and most obvious one.

Option 1:

1. Under your Azure AD Enterprise Application that you have, or are setting up, for SCIM provisioning, go to Users and groups and add the users and/or groups you would like to enable the provisioning for.

2. Then go to provisioning settings and choose Sync only assigned users and groups under Settings/Scope and don't forget to save your changes.

❗ Please make sure not to forget this step! By default, SCIM is configured to sync all users and groups even if you have assigned only specific users or groups in the previous step, and if you don't change the Scope setting all users and groups in your AD will be synchronized.

Option 2:

The second option is to use Source Object Scoping.

1. Go to user mappings...

2. ...and then go to Source Object Scope to add a new scoping filter.

Here you can create advanced filters that combine different user attributes. Please note that when creating your filters, Azure AD uses AND as operator within a filter and OR as operator between two or multiple filters. In the image below, you can see an example of a scope filter for IT department employees whose employee-id includes the number 455.

❗ Please note! Just as with the first method, you need to set Scope under Settings to Sync only assigned users and groups, otherwise AD will synchronize all your users.

Related article

Did this answer your question?