
Identity Provisioning with Microsoft Entra ID

This guide explains how to integrate Microsoft Entra ID with the STACKIT Identity Provider (IdP). This integration enables identity provisioning, which reduces or eliminates the need to work with a proprietary user management API.

Before you begin, ensure you have:

Connect STACKIT IdP to your Microsoft Entra ID tenant


To integrate Microsoft Entra ID with the STACKIT IdP for your organization, open a ticket in the Help Center. The ticket must include your organization ID, which is linked to your STACKIT customer account.

In response to your ticket, you will receive the Client ID and Client Secret required for the configuration.

Register STACKIT IdP as enterprise application


The Microsoft identity platform manages identities and access only for registered applications. Registering your application creates a trust relationship between your application and the Microsoft identity platform.

For detailed instructions, refer to the official Microsoft documentation: Integrate your SCIM endpoint with the Microsoft Entra provisioning service.

  1. In Entra ID, navigate to Entra ID > Enterprise apps.
  2. Select + New application > + Create your own application.
  3. Enter a meaningful name so you can recognize this instance of the application. Select the option Integrate any other application you don’t find in the gallery.
  4. Select Create.

You will be taken to the application you registered.

Follow these steps to set up the SCIM provisioning connection within your registered application:

  1. Select Provisioning.
  2. Select + New configuration.
  3. In the Tenant URL field, enter the STACKIT IdP SCIM endpoint: https://accounts.stackit.cloud/scim/v2/.
  4. Fill in the Client ID and Client Secret fields with the credentials you received from the STACKIT support team.

Select Test Connection to have Microsoft Entra ID attempt to connect to the SCIM endpoint. If the attempt fails, error information is displayed.

Testing the provisioning feature can be challenging because just-in-time (JIT) provisioning at login can mask a provisioning failure: the user may appear to exist even though SCIM provisioning did not create it. The most reliable approach is to use the provisioning logs from Microsoft Entra ID.

Alternatively, you can verify user provisioning by querying the SCIMv2 /Users endpoint. For example, use ?filter=email eq "user@example.com" to check for a specific user. This request requires a bearer token for authentication.
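The following script is an added example, not STACKIT code. It builds the filtered /Users query from the guide (percent-encoding the spaces and quotes in the filter), sends it with a bearer token, and checks the SCIM ListResponse for exactly one active user. The bearer token is assumed to be obtained out of band, and the sample response is constructed so the check can be exercised offline.

```python
"""Check a SCIM-provisioned user on the STACKIT IdP (added example, not STACKIT code)."""
import json
import urllib.parse
import urllib.request

# Tenant URL from the guide; the bearer token is assumed to be obtained out of band.
SCIM_BASE = "https://accounts.stackit.cloud/scim/v2/"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_users_url(email: str, base: str = SCIM_BASE) -> str:
    """Build the /Users query with the guide's filter, percent-encoded.
    The raw filter email eq "user@example.com" contains spaces and quotes."""
    return f"{base.rstrip('/')}/Users?" + urllib.parse.urlencode({"filter": f'email eq "{email}"'})


def fetch_users(url: str, bearer_token: str) -> dict:
    """GET the SCIM ListResponse, authenticating with the bearer token."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {bearer_token}",
        "Accept": "application/scim+json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_provisioned(list_response: dict, email: str) -> dict:
    """Return the single matching user, or raise if provisioning did not succeed.
    Presence alone is not enough: a deprovisioned user is commonly kept with
    active=false, so the active flag is checked as well."""
    if LIST_RESPONSE not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = list_response.get("Resources", [])
    if list_response.get("totalResults") != 1 or len(resources) != 1:
        raise LookupError(f"expected exactly one user for {email}, got {len(resources)}")
    user = resources[0]
    addresses = {e.get("value", "").lower() for e in user.get("emails", [])}
    if email.lower() not in addresses and user.get("userName", "").lower() != email.lower():
        raise LookupError(f"returned user does not carry {email}")
    if not user.get("active", False):
        raise LookupError(f"{email} exists but is inactive (deprovisioned?)")
    return user


# Constructed sample shaped like a SCIM 2.0 ListResponse, so the check runs offline.
SAMPLE_RESPONSE = {
    "schemas": [LIST_RESPONSE],
    "totalResults": 1,
    "Resources": [{"id": "constructed-id-1", "userName": "user@example.com",
                   "emails": [{"value": "user@example.com", "primary": True}],
                   "active": True}],
}
```

Against the live endpoint, call `check_provisioned(fetch_users(build_users_url(email), token), email)`; any raised error means the user was not provisioned as expected.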

Review the attribute mappings for the user and group objects. Select Save to commit any changes.

You can validate the integration by following Microsoft Entra ID’s synchronization flows, such as triggering a Provision on-demand action.

Select Overview in the left panel, then Properties. Here you can enable notification emails and accidental deletion prevention. Select Apply to save any changes.

Select Start provisioning. Microsoft provides a detailed list of Provisioning logs to check for any failures. For more information on how to read the Microsoft Entra provisioning logs, see Reporting on automatic user account provisioning.

After completing all tests on the Entra ID side, you can perform a practical validation by attempting to authenticate within the STACKIT Portal with the provisioned user.

For OAuth, you can use the previously provided credentials to obtain a token for the provisioned user through the authorization code flow with all available scopes. This lets you verify that the returned claims match the attributes delivered by Microsoft Entra ID SCIM provisioning.