Identity Provisioning with Microsoft Entra ID

This guide explains how to integrate Microsoft Entra ID with the STACKIT Identity Provider (IdP). This integration enables identity provisioning, which reduces or eliminates the need to work with a proprietary user management API.

Prerequisites

Before you begin ensure you have:

• An active STACKIT customer account: Create a STACKIT customer account
• Administrative access to your Microsoft Entra ID tenant.

Connect STACKIT IdP to your Microsoft Entra ID tenant

Request the Entra ID tenant integration

To integrate Microsoft Entra ID with the STACKIT IdP for your organization, open a ticket in the Help Center. The ticket must include your organization ID, which is linked to your STACKIT customer account.

In response to your ticket, you will receive the Client ID and Client Secret essential for configuration.

Register STACKIT IdP as enterprise application

The Microsoft identity platform manages identities and access only for registered applications. Registering your application creates a trust relationship between your application and the Microsoft identity platform.

For detailed instructions, refer to the official Microsoft documentation: Integrate your SCIM endpoint with the Microsoft Entra provisioning service.

1. In Entra ID, navigate to Entra ID > Enterprise apps.
2. Select + New application > + Create your own application.
3. Enter a meaningful name to recognize this instance of the application. Select option Integrate any other application you don’t find in the gallery.
4. Select Create.

You will be taken to the application you registered.

Configuration

Follow these steps to set up the SCIM provisioning connection within your registered application:

1. Select Provisioning.
2. Select + New configuration.
3. In the Tenant URL field, enter the STACKIT IdP SCIM endpoint: https://accounts.stackit.cloud/scim/v2/.
4. In the Token Endpoint field, enter the StackIT IdP token endpoint: https://accounts.stackit.cloud/oauth/v2/token.
5. Configure the field Client ID and Client Secret, with the credentials you received from the STACKIT support team.
6. Configure the mappings for the user and group objects. Detailed configuration are provided in next section

Attribute mapping

STACKIT IdP doesn’t need or use all the information configured via default mappings on Entra ID and not expected information will be rejected, returning HTTP 400.

If you want to check if one specific parameter is allowed or not, you can validate the live schemas directly from discovery endpoint:

• All Schemas
• User
• Enterprise User
• Invite Extension
• Group

As example, these are the fields that STACKIT IdP expects and the suggested mappings:

User

STACKIT IdP	Entra ID	Notes
userName	userPrincipalName
active	Switch([IsSoftDeleted], , “False”, “True”, “True”, “False”)
emails[type eq “work”].value	mail	Email address used for authentication.
preferredLanguage	preferredLanguage
name.givenName	givenName
name.familyName	surname
externalId	objectId	This mapping is mandatory
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber	employeeId	Optional
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter	employeeOrgData.costCenter	Optional
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization	companyName	Optional
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division	employeeOrgData.division	Optional
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department	department	Optional
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value	manager	Optional. If provided, this should be a reference value that assigns the manager objectId

Note: The urn:ietf:params:scim:schemas:extension:enterprise:2.0:User extension is optional and can be added to the user schema as needed. STACKIT accepts the information but doesn’t use it; it’s supported for RFC compliance reasons.

Group

STACKIT IdP	Entra ID	Notes
displayName	displayName
externalId	objectId	This mapping is mandatory
members	members

Start on-demand provisioning

Validate the integration by following Microsoft Entra ID’s synchronization flows, such as triggering a Provision on demand action.

Property settings

Select Overview in the left panel, then Properties. Here you can enable notification emails and accidental deletion prevention. Click Apply to save any changes.

Start provisioning service

Select Start provisioning. Microsoft provides a detailed list of Provisioning logs to check for any failures. For more information on how to read the Microsoft Entra provisioning logs, see Reporting on automatic user account provisioning.

Verify your integration

After you’ve configured all parameters and enabled provisioning, you can individually test the provisioning feature by selecting Provision on demand. Follow the steps on the Microsoft Entra ID page to trigger the synchronization flow for a specific user or group.

Testing automatic provisioning can be challenging because just-in-time (JIT) provisioning might mask a provisioning failure. After checking with some on-demand syncs, the best approach is to use the provisioning logs from Microsoft Entra ID.

After completing all tests on the Entra ID side, perform a practical validation by attempting to authenticate in the STACKIT Portal with the provisioned user (assuming you’ve already registered a federation).

To apply a rotation policy to the client secret, request a replacement before the expiration date defined by your policy by opening a ticket in the STACKIT Help Center. In the ticket, state the action you need (rotate), and your preferred timeline so the team can process the request without delay. After you receive the new secret, securely store it, update the Entra ID configuration and any dependent systems or secrets managers, then restart and test affected services to confirm authentication and functionality. Reply to the Help Center ticket with your verification results so it can be closed.