Skip to main content

SCIM User Provisioning Setup

Learn how to set up SCIM user provisioning in Visibuild with your identity provider (Entra ID, Okta, or other SCIM 2.0 systems) to automatically create and deactivate user accounts.

Written by Adnan Sadinlija

Overview

SCIM (System for Cross-domain Identity Management) lets you automatically provision and deprovision Visibuild users from your identity provider (IdP), such as Microsoft Entra ID (Azure AD), Okta, or any other SCIM 2.0-compatible system.

Once configured, your IdP becomes the source of truth for user access. When you add someone to Visibuild's application in your IdP, they are automatically created in Visibuild. When you remove them or disable their account, they are immediately deactivated in Visibuild.

What SCIM does in Visibuild

User provisioning

When a user is assigned to Visibuild in your identity provider, SCIM creates their account automatically.

Note: Group sync is not supported. Users are provisioned individually. Project access and roles within Visibuild must be assigned manually after provisioning.

User deprovisioning

When a user is unassigned from Visibuild in your IdP, or their account is disabled, Visibuild will:

  1. Deactivate their account - they can no longer log in or access any data

  2. Remove their roles and project access - permissions are cleared and they are deactivated from all projects they were a member of

Note: Deprovisioned users are not permanently deleted from the database. Their record is retained for audit and historical data purposes.

Note: Existing users are not affected when SCIM is first enabled. Any users already in Visibuild who are not present in your identity provider will retain their access and continue working normally - SCIM only acts on users your IdP explicitly provisions or deprovisions.

Requirements

  • You must be a company admin in Visibuild to configure SCIM

  • The SCIM feature must be enabled on your account. If you don't see the SCIM section in Identity Management settings, reach out to your Visibuild account manager or contact support directly via the chat bubble in the bottom-right corner of the app

Enabling SCIM in Visibuild

  1. In Visibuild, navigate to Company Settings → Identity Management

  2. Scroll to the SCIM section

  3. Toggle Enable SCIM on

  4. A dialog will appear showing your SCIM bearer token. Copy this token and store it securely — it will only be shown once.

  5. Once enabled, your SCIM endpoint URL is displayed. Copy this URL — you will need it when configuring your identity provider.

Token management

  • Your SCIM token is valid for 1 year from the date it was generated

  • The token expiration date is visible in the SCIM settings section

  • To rotate the token at any time, click Regenerate token. The existing token is immediately invalidated, so update your IdP configuration with the new token promptly

  • To disable SCIM entirely, toggle Enable SCIM off. You will be asked to confirm before the token is invalidated

Setting up SCIM with Microsoft Entra ID (Azure AD)

Overview

This guide walks through configuring automatic user provisioning from Microsoft Entra ID (formerly Azure Active Directory) to Visibuild using SCIM 2.0.

Before you begin, complete the steps in the SCIM User Provisioning article to obtain your SCIM endpoint URL and bearer token.

Steps

Step 1: Create an enterprise application in Entra ID

  1. Sign in to the Microsoft Entra admin centre as an administrator

  2. Navigate to Identity → Applications → Enterprise applications

  3. Click New application

  4. Click Create your own application

  5. Enter a name for the application, e.g. Visibuild

  6. Select Integrate any other application you don't find in the gallery (Non-gallery)

  7. Click Create

Step 2: Configure provisioning

  1. In your new Visibuild enterprise application, click Provisioning in the left sidebar

  2. Click New configuration

  3. Under Admin Credentials, enter:

    1. Tenant URL: your SCIM endpoint URL from Visibuild (e.g. https://app.visibuild.com.au/scim_v2/)

    2. Secret Token: the bearer token copied from Visibuild

  4. Click Test Connection to verify the credentials are accepted

  5. Click Save

Step 3: Configure attribute mappings

Entra ID needs to map its user attributes to SCIM attributes that Visibuild understands.

  1. In the Provisioning section, expand Mappings

  2. Click Provision Microsoft Entra ID Users

  3. Review the attribute mappings. The username should be set the email used in Visibuild.

  4. Click Save

Step 4: Assign users

Users must be assigned to the Visibuild application in Entra ID before they will be provisioned.

  1. Navigate to Users and groups in the left sidebar of the Visibuild enterprise application

  2. Click Add user/group

  3. Select the users or groups you want to provision to Visibuild

  4. Click Assign

Note: Even if you assign a group, Visibuild will provision each user in the group individually. Group membership itself is not synced to Visibuild - you will need to manage project access and team membership within Visibuild after users are provisioned.

Step 5: Start provisioning

  1. Click Start Provisioning

Entra ID will run an initial provisioning cycle, which typically takes 20–40 minutes depending on the number of users. Subsequent incremental syncs run approximately every 40 minutes.

Deprovisioning users

When you want to remove a user's access to Visibuild:

  • Remove from the application: Unassign the user from the Visibuild enterprise application in Entra ID. Entra ID will send a SCIM DELETE request and Visibuild will deactivate the user.

  • Disable the user in Entra ID: If a user's Entra ID account is disabled, Entra ID will send a PATCH with active: false, and Visibuild will deactivate the account.

In both cases, the user will be immediately signed out of Visibuild and will not be able to log in to any Visibuild platform.

Rotating your SCIM token

SCIM tokens expire after one year. When you regenerate your token in Visibuild, you must update the Secret Token in Entra ID:

  1. In the Visibuild enterprise application, go to Provisioning → Admin Credentials

  2. Replace the Secret Token with the new token from Visibuild

  3. Click Test Connection, then Save

Provisioning will continue working after the save — there is no need to restart the provisioning service.

Troubleshooting

Test Connection fails

  • Confirm the Tenant URL is correct

  • Confirm you pasted the full bearer token without leading or trailing spaces

  • Check that SCIM is still enabled in Visibuild (Company Settings → Identity Management)

  • If you recently regenerated the token, ensure you are using the new token

Users are not being provisioned

  • Verify the user is assigned to the Visibuild application in Entra ID (Users and groups tab)

  • Check the provisioning logs for error details (Provisioning → Provisioning logs)

  • A user with the same email address may already exist in Visibuild - duplicate emails return a conflict error. Contact support via the chat bubble in the bottom-right corner of the app to resolve.

I can't see the SCIM section in settings

  • The SCIM feature must be enabled on your Visibuild account. Reach out to your account manager or contact support via the chat bubble in the bottom-right corner of the app to request access.

Did this answer your question?