Automated provisioning using Microsoft Entra and SCIM
This page describes how you can automatically create Brainframe users and/or Brainframe contacts (with group tags) based on your Identity provider users and groups configured in Microsoft Entra.
We have built the SCIM user provisioning in such a way that none of your existing user/group configurations will be impacted. The IdP users/groups are synced independently from existing entities, and the system "links" these identities together based on the rules explained in this documentation (e.g. whether they are part of the brainframeUser or brainframeContact groups in your IdP).
1️⃣ Create the Application
(this step can be skipped if you already created an application for SSO)
- Go to the Entra admin center → https://entra.microsoft.com/#home and click New application.

- Select Create your own application.

- Enter a name for your application, choose Non-gallery application, and click Create.

2️⃣ Configure the Entra Application
- Go to Provisioning menu

- Click New configuration

- Fill in the tenant URL and secret code from the Brainframe GRC user provisioning settings
Go to Brainframe GRC > Workspace Settings > User provisioning, and enable SCIM. This will show you the SCIM URL and **Token** that need to be configured. These allow your IdP to authenticate to Brainframe for automated provisioning of the IdP users and groups assigned to the Entra application.

Keep "Bearer authentication" as authentication method, and fill in the URL and token in Microsoft Entra. Then click on Test connection, and if all worked well you should get a confirmation of success.

Now click on **Create** at the bottom of the screen, which will set up the provisioning part in Entra for this application.

3️⃣ Configure the provisioning mapping
In order to correctly map the values of your IdP users and groups to what is expected in Brainframe GRC, we need to ensure the IdP attribute mapping is correctly configured.
Attribute mapping of user:
Select attribute mapping from the application you created in the previous steps, and select Provision Microsoft Entra ID Users.

The next page will have many details that are aligned with your company defaults, and from the Brainframe side we only need you to ensure that the following app attributes (target sent to Brainframe) are mapped to the Microsoft Entra ID attributes (source from your identities).
Ensure the following target actions are enabled: Create, Update and Delete
| Brainframe target attribute | Microsoft Entra ID source attribute | Description |
|---|---|---|
| externalId | objectId | The unique identifier that links IdP users between the two systems |
| active | accountEnabled | Indicates whether the account is enabled; a disabled account disables the user / removes the contact |
| name.givenName | givenName | The first name of the user |
| name.familyName | surname | The family name of the user |
| emails[type eq "work"].value | | The email used for all communications and for username-to-workspace mapping during login |
| preferredLanguage | preferredLanguage | |

Click Save at the top of the screen.
Attribute mapping of group:
Select attribute mapping again from the application you created, and select Provision Microsoft Entra ID Groups.

Ensure the following target actions are enabled: Create, Update and Delete
| Brainframe target attribute | Microsoft Entra ID source attribute | Description |
|---|---|---|
| displayName | displayName | The name under which the group is shown in Brainframe under SCIM groups (which can then be linked to Brainframe groups) |
| externalId | objectId | The unique identifier that links IdP groups between the two systems |
| members | members | List of members of the group |
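To check that the two mappings above deliver what Brainframe needs, here is an added Python example (written for this page, not Brainframe's or Microsoft's code). It parses constructed SCIM 2.0 User and Group resources of the shape Entra sends under these mappings into flat records, and reports any required target attribute that is missing. The objectId values and the email address are constructed; the example only checks the target side of the mapping, since this page does not name the Entra source attribute for the work email.

```python
"""Added example (not Brainframe's or Microsoft's code): parse the SCIM 2.0
User and Group resources produced by the attribute mappings above, and report
which required target attributes are missing from a payload."""
from dataclasses import dataclass, field
from typing import List, Optional

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Target attributes the mapping table requires for users, as SCIM attribute paths.
REQUIRED_USER_PATHS = [
    "externalId",                    # <- objectId, links the identity between both systems
    "active",                        # <- accountEnabled
    "name.givenName",                # <- givenName
    "name.familyName",               # <- surname
    'emails[type eq "work"].value',  # login / communication address
    "preferredLanguage",             # <- preferredLanguage
]


@dataclass
class ProvisionedUser:
    external_id: str
    active: bool
    given_name: Optional[str]
    family_name: Optional[str]
    work_email: Optional[str]
    preferred_language: Optional[str]


@dataclass
class ProvisionedGroup:
    external_id: str
    display_name: str
    member_ids: List[str] = field(default_factory=list)


def resolve_path(resource: dict, path: str):
    """Resolve a SCIM attribute path. The only filter form handled is the one
    the mapping uses: multiValued[type eq "<x>"].subAttribute."""
    if "[" in path:
        attr, rest = path.split("[", 1)
        filt, sub = rest.split("].", 1)
        _, _, wanted = filt.split(" ", 2)  # e.g. 'type eq "work"'
        wanted = wanted.strip('"')
        for item in resource.get(attr) or []:
            if item.get("type") == wanted and item.get(sub) not in (None, ""):
                return item[sub]
        return None
    value = resource
    for part in path.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def missing_user_attributes(resource: dict) -> List[str]:
    """Required target attributes that are absent or empty in a SCIM User payload."""
    return [p for p in REQUIRED_USER_PATHS if resolve_path(resource, p) in (None, "")]


def parse_user(resource: dict) -> ProvisionedUser:
    if SCIM_USER not in resource.get("schemas", []):
        raise ValueError("not a SCIM User resource")
    missing = missing_user_attributes(resource)
    # Without the link id and the login email the identity cannot be linked.
    if "externalId" in missing or 'emails[type eq "work"].value' in missing:
        raise ValueError(f"cannot link identity, missing: {missing}")
    return ProvisionedUser(
        external_id=resource["externalId"],
        active=bool(resolve_path(resource, "active")),
        given_name=resolve_path(resource, "name.givenName"),
        family_name=resolve_path(resource, "name.familyName"),
        work_email=resolve_path(resource, 'emails[type eq "work"].value'),
        preferred_language=resolve_path(resource, "preferredLanguage"),
    )


def parse_group(resource: dict) -> ProvisionedGroup:
    if SCIM_GROUP not in resource.get("schemas", []):
        raise ValueError("not a SCIM Group resource")
    if not resource.get("externalId") or not resource.get("displayName"):
        raise ValueError("group needs externalId (objectId) and displayName")
    members = [m["value"] for m in resource.get("members") or [] if m.get("value")]
    return ProvisionedGroup(resource["externalId"], resource["displayName"], members)


# Constructed sample payloads; the objectIds and email are not real values.
SAMPLE_USER = {
    "schemas": [SCIM_USER],
    "externalId": "3f1c0a2e-0000-4000-8000-000000000001",
    "userName": "d.cox@example.com",
    "active": True,
    "name": {"givenName": "Davy", "familyName": "Cox"},
    "emails": [{"type": "work", "value": "d.cox@example.com", "primary": True}],
    "preferredLanguage": "en-US",
}
SAMPLE_GROUP = {
    "schemas": [SCIM_GROUP],
    "externalId": "3f1c0a2e-0000-4000-8000-0000000000a1",
    "displayName": "Human resources",
    "members": [{"value": "3f1c0a2e-0000-4000-8000-000000000001", "display": "Davy Cox"}],
}

if __name__ == "__main__":
    print(parse_user(SAMPLE_USER))
    print(parse_group(SAMPLE_GROUP))
    print("missing:", missing_user_attributes({k: v for k, v in SAMPLE_USER.items() if k != "emails"}))
```

Running `missing_user_attributes` on a payload captured from Entra's provisioning logs is a quick way to spot a mapping that was not saved; a user whose `active` is `false` still passes the check, because that value is exactly what drives the disable/remove behaviour.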
4️⃣ Create dedicated brainframe groups in your IdP
The automated provisioning creates a Brainframe user and/or a Brainframe contact, depending on whether the user is part of a group called "brainframeUser" and/or "brainframeContact".
If users are not part of any of these groups, they will be synchronised, but inside Brainframe nothing will happen.

Still inside Microsoft Entra, create 2 groups "brainframeUser" and "brainframeContact" by clicking All groups > New group with default values (no need to assign any users yet, we'll do this during the testing step below).

Now open the Enterprise app again that you created at the beginning of this document, and assign these two groups to the application by clicking "Users and groups" > "Add user/group".

Then add both groups "brainframeUser" and "brainframeContact" and click Select.

5️⃣ Test the Brainframe contact creation
In this section we'll show you how to create a contact that can receive (auto) distributions. These contacts will never be able to log in unless they are also part of the brainframeUser group.
Inside the enterprise application, again select Users and groups, and click on brainframeContact.

Add individual users or for contacts it might be interesting to

Now again select your Enterprise application, and select the provisioning menu

To force-test the provisioning of the brainframeContact group, select "Provision on demand", and select the "brainframeContact" group.

Then select the checkbox for the actual members to sync and click Provision at the bottom of the page.

When successful, you will now see the user appear in Brainframe in the Workspace settings > User provisioning menu. The IdP group brainframeContact will not appear, because that is a special group that cannot be mapped to Brainframe groups.

The user has now also been added to the Brainframe contacts (you might need to refresh the page to see them).

Here is an example after doing a provision on demand of a "Human resources" group, as we did before.

This results in the IdP group being synced:
and the tag being added to the contact (because the user is part of the brainframeContact group), which can trigger an automated distribution if this tag is configured in a distribution with auto send.

6️⃣ Test the Brainframe user creation
In this section we'll show you how you can create an actual Brainframe user.
Similar to how we proceeded in step 4, the only thing we need to do is add a specific user to the brainframeUser group and trigger a provision on demand.
First we add the user to the brainframeUser group.

Then we need to add the brainframeUser group to the enterprise application (otherwise it won't sync users from that group).


Then we can trigger the provisioning of that brainframeUser group on the same enterprise application to push the results to Brainframe.

Then select the user to provision, and click **Provision**.

If all went well, the user should now have been added/linked to the IdP with password login disabled (you might need to refresh the page to see the update).

7️⃣ IDP SCIM group mapping to Brainframe Groups
Because Brainframe groups are linked to folder permissions that can be replicated to different workspaces, and because every company has different IdP group names, we built the group mapping using SCIM provisioning in such a way that you can configure per workspace which IdP group will be mapped to which Brainframe group.
To do this, we'll use an example to show how we can map members of the IdP group "Human resources" that we synced earlier on to an existing Brainframe group called "Brainframe HR", which we pre-created with permissions to specific folder data.
So for demo purposes we created a group "Brainframe HR" without any users mapped:

And the "Human resources" IdP group that was already synced before:

By clicking the edit button on the right of the IdP group "Human resources", you can map this IdP group to a Brainframe group.

And you'll see that the user "Davy Cox", who was already a member of the "Human resources" IdP group, is now also a member of the "Brainframe HR" group.
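The linking rules from steps 4 to 7 in one place, as an added Python example that is not Brainframe's own code: given already-synced users and IdP groups plus the per-workspace group mapping, it decides for each user whether a Brainframe user, a Brainframe contact, contact tags and mapped Brainframe group memberships result, and it refuses to map the two special groups. The identifiers are constructed; that mapped group membership is applied only to accounts that can log in is an assumption of this example, not something the page states.

```python
"""Added example, not Brainframe's code: the provisioning rules described on
this page applied to already-synced SCIM users and IdP groups."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

USER_GROUP = "brainframeUser"        # membership creates a Brainframe user
CONTACT_GROUP = "brainframeContact"  # membership creates a Brainframe contact
SPECIAL_GROUPS = {USER_GROUP, CONTACT_GROUP}  # never mappable to Brainframe groups


@dataclass
class Decision:
    external_id: str
    create_user: bool = False
    create_contact: bool = False
    tags: List[str] = field(default_factory=list)               # IdP group names tagged on the contact
    brainframe_groups: List[str] = field(default_factory=list)  # joined via the workspace group mapping
    note: str = ""


def plan_provisioning(users: Dict[str, bool],
                      groups: Dict[str, Set[str]],
                      group_mapping: Dict[str, str]) -> Dict[str, Decision]:
    """users: external_id -> active flag (from accountEnabled).
    groups: IdP group displayName -> set of member external_ids.
    group_mapping: IdP group displayName -> Brainframe group, configured per workspace."""
    for name in group_mapping:
        if name in SPECIAL_GROUPS:
            raise ValueError(f'"{name}" is a special group and cannot be mapped to a Brainframe group')

    decisions: Dict[str, Decision] = {}
    for ext_id, active in users.items():
        d = Decision(external_id=ext_id)
        member_of = {g for g, members in groups.items() if ext_id in members}
        if not active:
            # active=false (accountEnabled) disables the user and removes the contact
            d.note = "inactive: user disabled, contact removed"
            decisions[ext_id] = d
            continue
        d.create_user = USER_GROUP in member_of
        d.create_contact = CONTACT_GROUP in member_of
        if d.create_contact:
            # the other IdP groups become tags on the contact (possible auto-distribution trigger)
            d.tags = sorted(member_of - SPECIAL_GROUPS)
        if d.create_user:
            # assumption of this example: mapped Brainframe groups carry folder
            # permissions, so they are applied to accounts that can log in
            d.brainframe_groups = sorted(group_mapping[g] for g in member_of if g in group_mapping)
        if not (d.create_user or d.create_contact):
            d.note = "synced only: not in brainframeUser or brainframeContact, nothing happens in Brainframe"
        decisions[ext_id] = d
    return decisions


# Constructed sample data; the identifiers are not real objectIds.
SAMPLE_USERS = {"obj-davy": True, "obj-hr-only": True, "obj-contact": True, "obj-left": False}
SAMPLE_GROUPS = {
    USER_GROUP: {"obj-davy", "obj-left"},
    CONTACT_GROUP: {"obj-davy", "obj-contact"},
    "Human resources": {"obj-davy", "obj-hr-only", "obj-contact"},
}
SAMPLE_MAPPING = {"Human resources": "Brainframe HR"}

if __name__ == "__main__":
    for decision in plan_provisioning(SAMPLE_USERS, SAMPLE_GROUPS, SAMPLE_MAPPING).values():
        print(decision)
```

The "obj-hr-only" user shows the behaviour from step 4: the group membership is synced, but because the user is in neither special group nothing is created in Brainframe, and "obj-left" shows how a disabled account is handled regardless of its group memberships.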

Updated on: 24/02/2026