
How to set up SCIM provisioning using Entra ID to Cyberready app?

Written by Shailanchal Uniyal

This guide will walk you through setting up SCIM (System for Cross-domain Identity Management) integration between Microsoft Entra ID and Right-Hand Portal for automated user provisioning.

Microsoft Entra ID does not propagate null or empty attribute values to downstream applications. If an attribute is cleared in Entra ID, the update will not be sent to Cyberready and the existing value will be retained.

Example: If a user has Department, Office Location, Job Title, and Employee Type populated in Cyberready, and all four fields are subsequently cleared in Entra ID, Cyberready will continue to display the previously synced values. To remove an attribute value, it must be updated directly in the Cyberready portal.

Step 1: Create Enterprise Application in Microsoft Entra ID

  • Login to Azure Portal and search for "Microsoft Entra ID" in the search bar.

  • On the left panel, under the "Manage" tab, click "Enterprise Applications."

  • To create a new SCIM application, click "New Application."

  • Click on "Create your own application."

  • Name your application "Right-Hand SCIM" and select the last option, "Integrate any other application you don't find in the gallery (Non-gallery)."

  • Once the application is created, click "Provision User Accounts" and then "Get Started."

  • Select "Automatic" from the Provisioning mode dropdown.

Step 2: Configure Provisioning

  • You'll need to fill out the Tenant URL and Secret token from the Right-Hand Portal:

    • Go to RH Portal > Company Management > Employees > List

    • On the top right corner, click Import > select SCIM

    • Enable the SCIM Provisioning toggle

    • Copy the webhook URL (Tenant URL) and token (Secret Token)

  • Copy and paste the Tenant URL and Secret Token into Azure. Click "Test Connection" to verify the connection. Once successful, click "Save."

Step 3: Configure Attribute Mapping

  • Go to "Provisioning" under the manage tab.

  • Select "Edit attribute mapping."

  • Under mappings, select "Provision Microsoft Entra ID Users."

  • Delete any unnecessary attributes and keep only the ones that the app will use.

  • Click "Save" and exit.

Step 4: Assign Users

  • Return to the application and select "Users and Groups."

  • Click "Add Users/Group."

  • Assign the users you want to provision to the Right-Hand Portal.

Step 5: Test and Activate Provisioning

  • Before activating full provisioning, test with an individual user using the "Provision on Demand" option. Note: The user must already be assigned to the app to use the "Provision on demand" feature.

  • Click on the "Provisioning" section.

  • At the top, click "Provision on demand."

  • Look for the specific user you want to test, select them, and click "Provision."

  • After confirming the test user was correctly provisioned to the Right-Hand Portal, go back to the "Provisioning" section.

  • Click "Overview."

  • Click "Start provisioning" at the top to activate full provisioning.

  • All users assigned to the application will now be synchronized with the Right-Hand Portal.

  • After the first sync is completed, you can check the Provisioning logs to see which users were successfully synchronized.

Important Notes

  • Only one SCIM provider should be active at a time.

  • Users unassigned from the application will be archived in the Right-Hand Portal.

  • The following user attributes are supported for synchronisation:

| SCIM Attribute | Microsoft Entra ID Attribute | RH Attribute |
|---|---|---|
| userName | onPremisesSamAccountName | userName |
| emails[type eq "work"].value | mail | Email |
| active | Switch([IsSoftDeleted], , "False", "True", "True", "False") | Status of Employee (Active/Archived) |
| displayName | displayName | Fall back for First Name, in case First Name is not available |
| name.givenName | givenName | First Name |
| name.familyName | surname | Last Name |
| addresses[type eq "work"].streetAddress | streetAddress | Office Location |
| externalId | userPrincipalName | Field is needed for user creation |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | department | Department |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager | manager | Manager |
| title | jobTitle | Job Title |
| userType | employeeType | Employee Type |

Note: Division is not supported for synchronisation via Entra SCIM at this time.
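The following added example (not Microsoft's or Cyberready's code) models the mapping table and the null-value behaviour described at the top of this page, and reports Cyberready fields that stay populated after the Entra ID source was cleared. The record shapes are assumptions: Entra ID records are keyed by the Entra ID attribute names, Cyberready records by the RH attribute labels plus externalId, and all sample data is constructed.

```python
# Added example (not Entra ID or Cyberready code); records and export shapes are constructed.
# (SCIM attribute, Entra ID attribute, RH attribute), from the mapping table on this page.
MAPPING = [
    ("userName", "onPremisesSamAccountName", "userName"),
    ('emails[type eq "work"].value', "mail", "Email"),
    ("name.givenName", "givenName", "First Name"),
    ("name.familyName", "surname", "Last Name"),
    ('addresses[type eq "work"].streetAddress', "streetAddress", "Office Location"),
    ("urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department",
     "department", "Department"),
    ("title", "jobTitle", "Job Title"),
    ("userType", "employeeType", "Employee Type"),
]

def is_empty(value):
    """Null, empty or whitespace-only values are the ones that are not propagated."""
    return value is None or (isinstance(value, str) and not value.strip())

def scim_update(entra_user):
    """Attributes that reach Cyberready: mapped values with empty ones left out."""
    update = {scim: entra_user[src] for scim, src, _ in MAPPING
              if not is_empty(entra_user.get(src))}
    # Switch([IsSoftDeleted], , "False", "True", "True", "False"), modelled as a boolean
    update["active"] = not entra_user.get("IsSoftDeleted", False)
    return update

def stale_fields(entra_user, rh_user):
    """RH attributes still populated although the Entra ID source is now empty."""
    sent = scim_update(entra_user)
    return sorted(rh for scim, _, rh in MAPPING
                  if scim not in sent and not is_empty(rh_user.get(rh)))

def audit(entra_users, rh_users):
    """Join on externalId (= userPrincipalName); report stale fields per user."""
    rh_by_id = {u["externalId"]: u for u in rh_users}
    report = {}
    for user in entra_users:
        stale = stale_fields(user, rh_by_id.get(user["userPrincipalName"], {}))
        if stale:
            report[user["userPrincipalName"]] = stale
    return report

# Constructed sample exports: Department and Job Title were cleared for a.lee in Entra ID.
ENTRA = [{"userPrincipalName": "a.lee@example.com", "mail": "a.lee@example.com",
          "givenName": "A", "department": "", "jobTitle": None},
         {"userPrincipalName": "b.kim@example.com", "department": "Finance"}]
RH = [{"externalId": "a.lee@example.com", "Email": "a.lee@example.com",
       "First Name": "A", "Department": "Sales", "Job Title": "Rep"},
      {"externalId": "b.kim@example.com", "Department": "Finance"}]
print(audit(ENTRA, RH))
```

Each field the report lists has to be cleared directly in the Cyberready portal, as noted at the top of this guide.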

User Group Sync Behaviour

The behaviour of User Group synchronisation in Cyberready depends on how provisioning is triggered in Entra ID and whether the groups are assigned to the SCIM application.

  • On-Demand Provisioning: Each group must be provisioned individually. If a user belongs to 4 groups but only 1 group is selected during on-demand provisioning, Cyberready will reflect only that 1 group for the user.

  • Automatic Provisioning: When a group is assigned to the SCIM application in Entra ID, all users within that group — along with their group memberships — are automatically synchronised to Cyberready.

  • Group scope: A group must be explicitly assigned to the SCIM application in Entra ID for it to sync. If a group is not part of the SCIM application scope, it will not be provisioned regardless of how the user is provisioned.

  • Manually added users: If a user was manually created in Cyberready and the same user is subsequently added in Entra ID and provisioned on demand, all attributes will be updated with the latest values from Entra ID — except for empty or null fields, which will be retained as-is per the null value behaviour described above.

If you have any questions or need assistance with your SCIM integration, please contact our support team. [email protected]
