Azure AD SCIM integration with Egnyte

This guide explains how to set up user and group provisioning from Microsoft Entra (Azure AD) to Egnyte. To set up Azure Single Sign-On (SSO) only, please refer to this article.

Please note that provisioning and Single Sign On can be configured within one App.

Prerequisites

  • If there is a local Active Directory present, it should be synced with Azure. Refer to this Microsoft article.
  • Egnyte recommends setting up a separate application for every Egnyte domain.

Example:

| Name of application | Provisioning for | Single Sign-On for |
|---------------------|------------------|--------------------|
| Egnyte US West      | acmeusw          | acmeusw            |
| Egnyte US East      | acmeuse          | acmeuse            |
| Egnyte EMEA         | acmeemea         | acmeemea           |

Step-By-Step Guide

Creating Enterprise Applications For Provisioning

  1. Log in to the Azure Portal.
  2. Go to Enterprise Applications in the Microsoft Entra (Azure AD) section.
  3. Find Egnyte using the Search application input.

    If the user configured an application before June 2025, the previous guidance directed them to create a custom application. While those existing custom applications will continue to function, we now recommend using an official Egnyte app for all new configurations.

  4. (Optional) Give the app a name that makes it easy to identify.
  5. Click on the newly created app, select the Provisioning section, and click the Get started button.
  6. Set the provisioning mode to Automatic.
  7. Provide the tenant URL by changing <domain> to the Egnyte domain:
  8. Go to https://scim-20.egnyte.com/ or https://scim-20.egnytegov.com/ (for EgnyteGov customers) to generate a Secret Token for the domain. It is essential to log in with the domain admin credentials (a service account is recommended).
    Disclaimer: Even though this portal was initially created for the Okta identity provider, it can be used to generate a token for Azure. 
  9. Test the connection and click Save (an email address for notifications can also be added).

Mapping Attributes

Here we set up the mappings between Microsoft Entra (Azure AD) object attributes and Egnyte object attributes. Note that the mappings can only be edited after the connection has been tested successfully and the basic configuration has been saved.

Group Mappings

Go to the application in Azure -> Provisioning -> Edit provisioning. Click on Mappings and then Provision Azure Active Directory Groups.

Set mappings in the following way:

[Screenshot: group attribute mappings (image not reproduced)]

- Group provisioning may require a different Azure plan.
- objectID attribute is optional.

Allowed characters in displayName:
- Alphanumeric characters: Letters (A-Z, a-z) and numbers (0-9)
- Hyphen: -
- Underscore: _
- Period: .
- Spaces: Group names can contain spaces in between words.
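A pre-flight check for the displayName rule above, as an added example (not Egnyte's or Microsoft's code): it validates group names pulled from a directory export before provisioning is enabled, so that a group with a disallowed character is caught before the sync fails on it. The rule that spaces are only allowed between words is read conservatively here (leading, trailing and doubled spaces are rejected); that reading, and the sample group names, are this example's assumptions.

```python
import re

# Allowed characters per the article: letters, digits, hyphen, underscore, period,
# and spaces between words. Leading, trailing and doubled spaces are rejected here;
# that is this example's conservative reading, not a rule the article states.
_WORD = r"[A-Za-z0-9._-]+"
_GROUP_NAME_RE = re.compile(rf"^{_WORD}(?: {_WORD})*$")
_ALLOWED_CHAR_RE = re.compile(r"[A-Za-z0-9._ -]")


def is_valid_group_display_name(name: str) -> bool:
    """True if `name` uses only the characters Egnyte accepts for a group displayName."""
    return _GROUP_NAME_RE.fullmatch(name) is not None


def find_invalid_group_names(names):
    """Pre-flight check before enabling group provisioning.

    Returns {name: [offending characters]} for every name that would be rejected.
    An empty list means the characters themselves are fine but the spacing is not
    (for example a leading or doubled space).
    """
    problems = {}
    for name in names:
        if not is_valid_group_display_name(name):
            problems[name] = sorted({c for c in name if not _ALLOWED_CHAR_RE.fullmatch(c)})
    return problems


# Constructed sample group names (not from any real tenant).
SAMPLE_GROUPS = [
    "Finance Team",          # valid
    "eng-us_west.2",         # valid: hyphen, underscore, period, digits
    "Sales & Marketing",     # invalid: ampersand
    "Équipe Support",        # invalid: accented letter
    " Leading space",        # invalid: spacing
    "Double  space",         # invalid: spacing
]

if __name__ == "__main__":
    for name, bad in find_invalid_group_names(SAMPLE_GROUPS).items():
        print(f"{name!r}: offending characters {bad or '(spacing only)'}")
```

Run it over the displayName column of a group export; every name it reports is one to rename in Entra before the first sync.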

User Mappings

Go to the application in Azure -> Provisioning -> Edit provisioning. Click on Mappings and then Provision Azure Active Directory Users.

The following table shows an example of mappings that covers most scenarios:

| Azure Active Directory Attribute | customappsso Attribute | Matching precedence | Apply this mapping | Mapping type | Notes |
|---|---|---|---|---|---|
| Word([userPrincipalName], 1, "@") | userName | 1 | Only during object creation | Expression | Usernames can only be updated manually |
| objectId | externalId | 2 | Always | Direct | Mandatory |
| Not([IsSoftDeleted]) | active | | Always | Expression | Mandatory |
| givenName | name.givenName | | Always | Direct | Mandatory |
| surname | name.familyName | | Always | Direct | Mandatory |
| IIF(IsPresent([mail]),[mail],[userPrincipalName]) | emails[type eq "work"].value | | Only during object creation | Expression | Mandatory |
| power | userType | | Only during object creation | Constant | Optional. By default power. |
| jobTitle | title | | Always | Direct | Optional |
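To make the table concrete, here is an added example (example code, not Egnyte's or Microsoft's) that evaluates these mappings against a few constructed Entra user records and prints the SCIM attributes Azure would send to Egnyte. It re-implements Word(), IIF(), IsPresent() and Not() following their documented behaviour (an approximation, written here for illustration) and shows three things the table only implies: a user without a mail attribute falls back to the UPN for the work email, a soft-deleted user is sent with active set to false, and on a later update cycle the "Only during object creation" attributes are omitted, which is why the username can then only be changed manually. Egnyte's server-side handling of the payload is not modelled.

```python
import json
from typing import Any, Optional

# Minimal re-implementations of the Entra expression functions used in the table
# (Word, IIF, IsPresent, Not). They follow Microsoft's documented behaviour but are
# written here for illustration; they are not Microsoft's or Egnyte's code.

def word(source: Optional[str], index: int, delimiters: str) -> str:
    """Word([attr], n, delims): the n-th (1-based) token after splitting on any delimiter."""
    if not source:
        return ""
    tokens, current = [], ""
    for ch in source:
        if ch in delimiters:
            if current:
                tokens.append(current)
            current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens[index - 1] if 0 < index <= len(tokens) else ""


def is_present(value: Any) -> bool:
    """IsPresent([attr]): True when the attribute exists and is not empty."""
    return value is not None and value != ""


def iif(condition: bool, if_true: Any, if_false: Any) -> Any:
    """IIF(cond, a, b)."""
    return if_true if condition else if_false


# The table's rows as (target attribute, rule, when to apply).
# "create" corresponds to "Only during object creation", "always" to "Always".
USER_MAPPINGS = [
    ("userName", lambda u: word(u.get("userPrincipalName"), 1, "@"), "create"),
    ("externalId", lambda u: u.get("objectId"), "always"),
    ("active", lambda u: not u.get("IsSoftDeleted", False), "always"),   # Not([IsSoftDeleted])
    ("name.givenName", lambda u: u.get("givenName"), "always"),
    ("name.familyName", lambda u: u.get("surname"), "always"),
    ('emails[type eq "work"].value',
     lambda u: iif(is_present(u.get("mail")), u.get("mail"), u.get("userPrincipalName")), "create"),
    ("userType", lambda u: "power", "create"),                           # constant mapping
    ("title", lambda u: u.get("jobTitle"), "always"),
]


def _set_path(doc: dict, path: str, value: Any) -> None:
    """Write a value into the SCIM document using the table's target notation."""
    if path == 'emails[type eq "work"].value':
        doc.setdefault("emails", []).append({"type": "work", "value": value, "primary": True})
        return
    *parents, leaf = path.split(".")
    node = doc
    for p in parents:
        node = node.setdefault(p, {})
    node[leaf] = value


def build_scim_user(entra_user: dict, creating: bool) -> dict:
    """Return the SCIM attributes Azure would send to Egnyte for this user.

    creating=True emulates the first provisioning of the object (every row applies).
    creating=False emulates a later update, where the "Only during object creation"
    rows (userName, email, userType) are skipped, which is why the Notes column says
    usernames can only be changed manually.
    """
    doc: dict = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for target, rule, apply_when in USER_MAPPINGS:
        if apply_when == "create" and not creating:
            continue
        value = rule(entra_user)
        if value is None:          # unset source attribute: nothing to send
            continue
        _set_path(doc, target, value)
    return doc


# Constructed sample directory objects (not real accounts or object ids).
ALICE = {"userPrincipalName": "alice@acme.example", "objectId": "00000000-0000-0000-0000-000000000001",
         "givenName": "Alice", "surname": "Ng", "mail": "alice.ng@acme.example",
         "jobTitle": "Analyst", "IsSoftDeleted": False}
BOB_NO_MAIL = {"userPrincipalName": "bob@acme.example", "objectId": "00000000-0000-0000-0000-000000000002",
               "givenName": "Bob", "surname": "Lee", "mail": None, "IsSoftDeleted": False}
CAROL_SOFT_DELETED = dict(ALICE, userPrincipalName="carol@acme.example", givenName="Carol",
                          mail="carol.ng@acme.example",
                          objectId="00000000-0000-0000-0000-000000000003", IsSoftDeleted=True)

if __name__ == "__main__":
    for user in (ALICE, BOB_NO_MAIL, CAROL_SOFT_DELETED):
        print(json.dumps(build_scim_user(user, creating=True), indent=2))
    print(json.dumps(build_scim_user(ALICE, creating=False), indent=2))  # update cycle
```

Comparing the create-cycle output with the update-cycle output for the same record is the quickest way to see which of your own attribute changes will never reach Egnyte through the sync.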

Additional notes:

  • To edit an attribute's properties, click on the attribute line.
  • Some attributes may be unavailable because they are already used by a default mapping. Remove the default mapping to free them up.
  • If freed attributes are not visible, save the current changes and reload the page.

Additional Comments To Mappings

There are many ways to customize these mappings, depending on the setup. Azure allows for:

  • direct mapping (the Azure attribute is sent to Egnyte as is)
  • constant mapping (an arbitrary constant value is set, independent of any Azure AD attribute)
  • expression mapping, which allows for the most flexibility. Find more about expressions in this Microsoft article.

Keep in mind that when editing a mapping, admins also choose when the attribute gets updated: Always, Upon Object Creation, or Only when there are multiple values for one attribute. This matters for attributes that should not change once they have been set.

Provisioning

1. Adding users and groups to the scope

Once the mapping is configured and saved, add users and groups to the scope by going to the application in Azure and then to Users and groups. Keep in mind that only explicitly added groups will be created in Egnyte. Nested groups will be ignored. Users in nested groups will also be ignored.

2. Narrowing the scope

The scope can be narrowed down. For example, there are groups created in Egnyte but certain users like admins need to be excluded from being provisioned. 

To narrow down the scope, follow these steps:

  1. Go back to the user attribute mappings.
  2. Open Source Object Scope.
  3. Here one can create filters based on attributes to include or exclude certain users or sets of users. For example, if the primary admin user should not be managed via SCIM but should stay in the provisioned group in Azure, create a filter like this: userPrincipalName NOT EQUALS <UPN for the admin account>

3. Test or troubleshoot provisioning

Go to the Application -> Provisioning -> Provisioning on demand. Try to provision some users. Check in Egnyte if every attribute maps correctly. Unfortunately, provisioning on demand is not available for groups.

4. Enabling provisioning

If the tests passed, enable provisioning by going to the Application -> Provisioning -> Edit provisioning and turning provisioning on.

Provisioning is an automated process from Azure's side, which runs every 40 minutes, and there is no control over this period. Depending on the number of users, the initial sync should take only a few minutes, but it can take several hours sometimes.

Deactivating and deleting users

Users will be deactivated in Egnyte when:

  • They are removed from the application scope
  • They are soft deleted in Microsoft Entra (Azure AD)

Users will be deleted in Egnyte when:

  • They are permanently deleted in Microsoft Entra (Azure AD) (by default 30 days after soft delete)

The change takes effect after the next successful provisioning cycle. It can be triggered manually by running provisioning on demand.

Deleting groups and the impact on users

Groups will be deleted in Egnyte when:

  • They are removed from the application scope
  • They are deleted in Microsoft Entra (Azure AD)

Impact on Users when a Group is Deleted

  • There is no impact on the users if a group is deleted and the user is part of another group OR has been separately provisioned individually. They will be deactivated if the only provisioning source was the deleted group; however, they won't be deleted.

Limitations

  • Custom attributes cannot currently be used when a user is created. They can, however, be sent afterwards with a PATCH.
  • Send invitation email parameter: until custom attributes are fully supported, it is not possible to control whether users receive an invitation email. Note that users will always receive an invitation.
  • Some user account changes still have to be performed manually; the user type is one of them. Using dynamic groups in Azure or applying a custom attribute to users may, however, make user type control easier.
  • Keep in mind that groups do not get owners. There are ways to use expressions or Microsoft Entra (Azure AD) custom attributes for this, but that requires a deep dive.
  • Keep in mind that Microsoft Entra (Azure AD) and on-prem AD allow custom attributes, and these can be mapped to Egnyte just as easily. For example, the user type cannot be derived from group membership, but it can be added as a custom attribute via a PowerShell script and then mapped to Egnyte as userType, so that the user type is controlled from within AD without logging into Egnyte at all.
  • Service accounts are recommended for token generation: if the account that generated the token is deactivated or deleted, the SCIM integration may stop working.
  • The sync is one way. No changes made in Egnyte are reflected in Azure.
  • Microsoft Entra (Azure AD) SCIM provisioning does not support placing newly created users into a custom role.