# SCIM

### How it works

SCIM (System for Cross-domain Identity Management) is an open standard (RFC 7643/7644) for automating user provisioning. Your identity provider (Microsoft Entra ID, formerly Azure AD; Google Workspace; Okta...) acts as the SCIM client: it pushes identity data (users, their attributes and group memberships) over authenticated HTTPS calls to the SCIM endpoint of each service provider (such as Dastra), which creates, updates and deactivates the corresponding accounts. Note that SCIM carries identity attributes, not passwords.

{% hint style="info" %}
We strongly recommend that you first set up SSO with the "Force for all users" option enabled, so that accounts provisioned by SCIM can only ever be used through your identity provider and never with a local Dastra password.
{% endhint %}

### How do I configure SCIM with Azure Active Directory?

Dastra users can be added, deleted and modified using SCIM 2.0 from Azure Active Directory (now Microsoft Entra ID).

You define groups in your Azure directory and assign them to the application; Dastra then creates, updates and deactivates the corresponding users and teams automatically. Beyond saving the time and hassle of managing accounts by hand, this ensures that a user who is disabled or removed in your directory also loses access to Dastra, without anyone having to remember to do it.

#### 1. Log on to Azure and click on Azure Active Directory

<figure><img src="https://www.reftab.com/img/faq/01-azure.png" alt="01-Azure-SCIM"><figcaption></figcaption></figure>

#### 2. Go to "Enterprise applications".

<figure><img src="https://www.reftab.com/img/faq/02-azure.png" alt="01-Azure-SCIM"><figcaption></figcaption></figure>

#### 3. Click on "New application"

<figure><img src="https://www.reftab.com/img/faq/03-azure.png" alt="03-Azure-SCIM"><figcaption></figcaption></figure>

#### 4. Click on "Create your own application".

<figure><img src="https://www.reftab.com/img/faq/04-azure.png" alt="04-Azure-SCIM"><figcaption></figcaption></figure>

#### 5. Name your application

#### 6. In the newly created application, click on "Provision User Accounts".

<figure><img src="https://www.reftab.com/img/faq/06-azure.png" alt="06-Azure-SCIM"><figcaption></figcaption></figure>

#### 7. Click on "Get Started"

<figure><img src="https://www.reftab.com/img/faq/07-azure.png" alt="07-Azure-SCIM"><figcaption></figcaption></figure>

#### 8. Set provisioning mode to automatic. Fill in the tenant URL and secret token from your Dastra account information.

Log on to Dastra as an administrator. Go to Organization configuration, then click on Security / SCIM.

![](https://2697025545-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LvBxs22wUMicv9uWp6C-1972196547%2Fuploads%2Fh4m1IXsFBTj9vLfgZiGH%2Fimage.png?alt=media\&token=b28bcfa0-7380-4b8c-8617-eaafff1d9f9f)

Click on the "Configure" button

<figure><img src="https://2697025545-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LvBxs22wUMicv9uWp6C-1972196547%2Fuploads%2FbYzG6P1UQBMxFr4vH836%2Fimage.png?alt=media&#x26;token=bac69d93-9d60-4390-aacd-9182ac038178" alt=""><figcaption></figcaption></figure>

Configure your SCIM. Select the workspace you wish to synchronize (teams and users will be automatically provisioned in this workspace). Then choose the default role you wish to give to new users. Note that roles are not synchronized from your directory: they are managed locally by the Dastra account administrator.

Click on **Save changes**

{% hint style="info" %}
Today, Dastra lets you synchronize a single workspace per organization in SCIM (teams + users).
{% endhint %}

Back in Azure, click on "**Test connection**" and then "**Save**". If the connection test fails, check that the tenant URL and secret token were copied exactly from the Dastra SCIM page; if they are correct, the error may be due to the SCIM feature not being activated in your subscription. Please contact support in that case.

#### 9. Activate provisioning

<figure><img src="https://2697025545-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LvBxs22wUMicv9uWp6C-1972196547%2Fuploads%2FLLJ5uHgz90W600HQJOSk%2Fimage.png?alt=media&#x26;token=509de3cf-e28c-4177-8075-c025ad5c4a6c" alt=""><figcaption></figcaption></figure>

#### 10. Add users and/or groups to the created application

<figure><img src="https://2697025545-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LvBxs22wUMicv9uWp6C-1972196547%2Fuploads%2FP3jjjTUsNbgvMaToK2T7%2Fimage.png?alt=media&#x26;token=1a139991-b2de-40b4-8004-00b1d63b2c3a" alt=""><figcaption></figcaption></figure>

### Let your users log in to Dastra

You should see your AD user accounts automatically synchronized in Dastra. Users log in to Dastra via the login page with their e-mail address. Because SCIM provisions the account but no password, if SSO is not configured and enforced for all users, users will need to do a password reset before they can log in.

If SSO is enabled and forced for all users, they will be automatically redirected to your identity provider's login form (Azure AD, Google Workspace, Okta...) and no Dastra password is involved.

### SCIM Synchronization Behavior and Limitations

#### User Lifecycle Management

**User Disabled in Entra ID**

When a user is disabled in Entra ID:

* Their profile is **anonymized in Dastra**
* If the user is later re-enabled:
  * A **new user account is created**
  * The previous anonymized account is not restored

***

**Full Deletion in Entra ID**

When a user is permanently deleted from Entra ID:

* Their profile is **fully anonymized in Dastra**
* All past actions are **preserved**
* The user appears as **"deleted user"**

**Impact on related data:**

* Linked objects (e.g. processing activities, risks, requests, etc.) are **not deleted**
* Relationships (e.g. owner, assignee) are **preserved**
* Only the user’s identity is anonymized

***

#### Group (Team) Management

**Group Removal in Entra ID**

If a group is removed in Entra ID:

* The corresponding **team is deleted in Dastra**
* **User accounts remain active**
* No impact on individual users

***

#### Mapping and Synchronization Scope

**Groups and Workspaces**

* SCIM supports synchronization of **multiple groups**
* Current limitation:
  * Only **one workspace per organization** can be synchronized
  * Multi-workspace synchronization is **not supported**

***

**Supported Attributes**

Currently, Dastra synchronizes:

* Group **name (`displayName`)**

Not supported at this stage:

* Mapping to **organizational units**
* Synchronization of attributes such as:
  * organization
  * country

> This could be supported in the future via a specific attribute containing a reference identifier compatible with Dastra.

***

#### Local Management in Dastra

After SCIM synchronization:

* Administrators can still:
  * **modify roles**
  * **adjust permissions**
* Fine-grained access control remains **manageable locally in Dastra**

***

#### Licensing Impact

* SCIM synchronization is limited by:
  * the **number of users included in your subscription**
* If the quota is exceeded:
  * The SCIM server returns an **error**
  * Additional users are **not provisioned**
