SCIM Directory Integration - Azure Active Directory

By Emalee Firestein

Configure a SCIM user-directory integration with Azure Active Directory

Before You Begin

Complete the steps outlined in the SCIM Directory Integration support article to set up a new SCIM user directory in your Kandji instance. You will need to obtain the SCIM access token and API URL.
If you have already created a custom single sign-on (SAML) integration between Kandji and Azure Active Directory (Azure), you can use the same Enterprise application in Azure to complete the configuration below.
Copy and store the token provided as outlined in SCIM Directory Integration. The token will not be visible once you click Done and will be required in a later step.

Create the SCIM Integration in Azure

  1. Sign in to
  2. Open the menu in the top left corner.
  3. Select Azure Active Directory.

  4. In the Manage section, select Enterprise applications. 

  5. Select New application, or if you have already created a SAML single sign-on application, you can select that application and add SCIM.

  6. Select Create your own application.
  7. Give the application a name.
  8. Select Integrate any other application you don't find in the gallery (Non-gallery).
  9. Click Create.

  10. You will be taken to the Overview page for the newly created app.
  11. In the left-hand navigation, select Provisioning.
  12. Click Get started.

  13. For Provisioning Mode,select Automatic.
  14. If the Admin Credentials section doesn't display details, click the reveal triangle to expand it.
  15. Paste the Kandji SCIM API URLthat you copied earlier in the Tenant URL field.
  16. Paste theAPI token that you copied earlier in the Secret Token field.
  17. Click Test Connection.
    • You should see a notification similar to the one below

  18. In the upper-left corner, click Save, then click the in the upper-right corner to close the settings.

  19. Once back in the Provisioning view, click Edit provisioning.

  20. Expand the Mappings to reveal the triangle.
  21. Click the Provision Azure Active Directory Groups link.

  22. Set Enabled to No.
  23. Click Save and close the window.

  24. Back on the Provision page, expand the Settings reveal triangle.
  25. For Scope, select whether to synchronize only those users and groups assigned in the Users and Groups section or synchronize all users and groups in the directory.
Kandji SCIM only supports user synchronization and will not synchronize user groups. When an admin adds a user group to the Users and Groups section of the Enterprise Application in Azure, Kandji synchronizes only group members and not the group itself. If the Sync all users and groups scope option is selected, Azure sends only users to Kandji.

26. Set the Provisioning Status to On.

27. Click Save, then click the X in the upper-right corner to close the settings.

28. Select Users and groups in the left sidebar, click Add user/group and add the users or groups you want to provision in Kandji. If you are using the free Azure tier, you will only assign users to the app.

29. In the left sidebar, select Provisioning, then click Start provisioning to begin the provisioning process.

30. In Kandji, click the Users module in the left sidebar, then click Users Without Devices. If Kandji does not display users, go back to the Azure portal, click Stop provisioning, then click Start provisioning.

User syncing is one-way, meaning the Azure SCIM app will send user information to Kandji only when there is new information to be sent. Therefore, a Sync Now option is not available in the web app.