
Automated User & Group Management (SCIM) Overview

1. What is SCIM?

SCIM (System for Cross-domain Identity Management) is an open standard that automates the provisioning and management of user identities across cloud applications. Rather than manually creating and removing user accounts in SpeakUp each time you hire or terminate an employee, SCIM lets your identity provider—such as Microsoft Entra ID—become the single source of truth for user and group information.

1.1 The Problem SCIM Solves

Without SCIM, managing users across multiple systems is manual and error-prone:

  • New employees need accounts created in SpeakUp, Active Directory, email, collaboration tools, etc.

  • When employees change roles or departments, their permissions must be updated everywhere

  • When employees leave, you must revoke access across all systems—and it's easy to miss one

With SCIM, these changes happen automatically.

1.2 Key Benefits

Operational Efficiency

  • Eliminate manual user creation and deletion

  • Keep group memberships synchronized automatically

  • Reduce IT support tickets for account management

Accuracy & Consistency

  • User attributes (name, email, department, manager) stay in sync across systems

  • No more mismatched data between HR systems and applications

Time Savings

  • Automate employee onboarding into SpeakUp

  • Instant offboarding when employees leave

  • Reduce manual data entry errors


2. Supported Identity Providers

SpeakUp currently supports:

  • Microsoft Entra ID (using OAuth 2.0 Client Credentials flow)


3. How SCIM Works with SpeakUp

Once you enable SCIM integration:

3.1 Initial Sync

All users and groups from your identity provider are synchronized to SpeakUp.

3.2 Ongoing Sync

Changes in your identity provider are automatically reflected in SpeakUp:

  • New user created in Entra ID → Automatically created in SpeakUp

  • User's department updated in Entra ID → Updated in SpeakUp

  • User marked as inactive in Entra ID → Deactivated in SpeakUp (not deleted)

  • User added to a group → Group membership updated in SpeakUp

3.3 Lifecycle Management

As employees are hired, promoted, or depart, their SpeakUp accounts change automatically.

3.4 Important Sync Direction: One-Way Only

SpeakUp is the target system receiving provisioning instructions from Entra ID. This is a one-way sync (Entra ID → SpeakUp). Changes made directly in SpeakUp are not synced back to Entra ID.


4. SCIM Resources

SpeakUp's SCIM API manages two primary resources:

4.1 Users

Individual accounts that can be created, updated, disabled, or removed. User attributes include:

  • Core attributes: username, email, first name, last name, active status

  • User profile attributes: title, phone, preferred language

  • Enterprise attributes: department, division, manager, cost center, user type

User operations:

  • GET /Users — List all users

  • GET /Users/{id} — Retrieve a specific user

  • POST /Users — Create a new user

  • PUT /Users/{id} — Update all user attributes

  • PATCH /Users/{id} — Update specific user attributes

  • DELETE /Users/{id} — Remove a user (or deactivate if supported)

4.2 Groups

Collections of users that share common access requirements or organizational structures (teams, departments, roles). Groups simplify assigning permissions to multiple users at once.

Group operations:

  • GET /Groups — List all groups

  • GET /Groups/{id} — Retrieve a specific group

  • POST /Groups — Create a new group

  • PUT /Groups/{id} — Update group details

  • PATCH /Groups/{id} — Manage group membership (add/remove users)

  • DELETE /Groups/{id} — Delete a group


5. Access Levels: What You Can Do

When you create an App Integration for SCIM, you must assign it an access level. This determines which operations the integration can perform. Choose the level appropriate for your use case.

5.1 Read-Only Access

Use when you only need to view users and groups without making changes.

What you can do:

  • Retrieve user information → GET /Users, GET /Users/{id}

  • List and filter users with pagination

  • Retrieve group information → GET /Groups, GET /Groups/{id}

  • List and filter groups with pagination

What you cannot do:

  • Create, update, or delete users or groups

  • Modify group membership

  • Disable or remove user accounts

Use case: Audit and reporting integrations where you need to query user data but not modify it.

5.2 Full Access

Use when you're provisioning users and groups from Entra ID into SpeakUp.

What you can do:

User Management

  • Create users → POST /Users

  • Update user information → PUT /Users/{id}, PATCH /Users/{id}

  • Deactivate/reactivate users → PATCH with active status

  • Delete users → DELETE /Users/{id}

Group Management

  • Create groups → POST /Groups

  • Update group details → PUT /Groups/{id}

  • Add users to groups → PATCH /Groups/{id}

  • Remove users from groups → PATCH /Groups/{id}

  • Delete groups → DELETE /Groups/{id}

Read Operations

  • All read operations from section 5.1 (Read-Only Access)

Use case: Production provisioning where Entra ID is your source of truth for users and group memberships.
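
The two access levels can be checked against request logs. The following is an added example, not SpeakUp's own code: a deny-by-default mapping of the operations listed in 5.1 and 5.2, used to flag any request that succeeded outside its integration's level. The log format, integration names and function names are assumptions made for illustration.

```python
import re

# Operations per access level, taken from sections 5.1 and 5.2 of this page.
READ_ONLY = {("GET", "collection"), ("GET", "item")}
FULL = READ_ONLY | {("POST", "collection"), ("PUT", "item"),
                    ("PATCH", "item"), ("DELETE", "item")}
LEVELS = {"read-only": READ_ONLY, "full": FULL}

# /Users or /Groups (collection), /Users/{id} or /Groups/{id} (item).
# A query string (filtering, pagination) does not change the route.
ROUTE = re.compile(r"^/(Users|Groups)(?:/([^/?]+))?(?:\?.*)?$")

def is_allowed(level, method, path):
    """Deny by default: an unknown level, route or method/route pair is refused."""
    match = ROUTE.match(path)
    if not match or level not in LEVELS:
        return False
    kind = "item" if match.group(2) else "collection"
    return (method.upper(), kind) in LEVELS[level]

def audit(log_lines):
    """Return log lines where a request outside the access level got a 2xx status."""
    findings = []
    for line in log_lines:
        integration, level, method, path, status = line.split()
        if not is_allowed(level, method, path) and status.startswith("2"):
            findings.append(line)
    return findings

# Constructed sample log (hypothetical format):
# integration, access level, method, path, HTTP status.
SAMPLE_LOG = [
    "reporting read-only GET /Users?startIndex=1&count=50 200",
    "reporting read-only PATCH /Users/1234 403",
    "reporting read-only DELETE /Groups/77 204",
    "entra-prov full POST /Users 201",
    "entra-prov full PATCH /Groups/77 200",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("write accepted beyond access level:", finding)
```

A rejected write (the 403 line) is expected behaviour; only a write that succeeded from a Read-Only integration is reported.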


6. What SCIM Does & Doesn't Do

6.1 Supported Capabilities

  • Automatically create users in SpeakUp when they're added to Entra ID

  • Automatically deactivate users in SpeakUp when they're marked inactive in Entra ID

  • Synchronize standard user attributes (name, email, department, manager, etc.)

  • Automatically create and update groups in SpeakUp

  • Manage group membership—add/remove users from groups

  • Support for both users and groups (SCIM 2.0 specification)

6.2 Not Supported

  • Custom user attributes — Attributes specific to your organization, beyond those listed in section 4.1, cannot be synced

  • Bidirectional sync — Entra ID is the source of truth; changes in SpeakUp are not synced back to Entra ID

  • Nested groups — Groups within groups are not supported

  • Distribution lists or mail-enabled groups — Only security groups are supported

  • Real-time sync — Provisioning runs every 40 minutes

  • User deletion — SCIM deactivates users by setting active: false rather than deleting them, preventing accidental data loss


7. Deprovisioning: How Users Are Removed

When an employee leaves your organization, SCIM uses deactivation rather than deletion:

7.1 The Deprovisioning Flow

  1. In Entra ID, the user is marked as inactive or disabled

  2. SpeakUp receives the update via SCIM and sets the user's active status to false

  3. The user account is deactivated but not deleted—their data remains in SpeakUp for audit and historical purposes

  4. The user is unable to sign in or access SpeakUp

7.2 Why Deactivation Instead of Deletion?

SCIM deactivates users rather than deleting them. When a user is marked inactive in Entra ID, SCIM sets the user's active status to false in SpeakUp. This approach preserves historical records and maintains data integrity across the system.
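
The deactivation step from 7.1, shown as a SCIM 2.0 PatchOp message (RFC 7644) with a receiving-side handler. This is an added example, not SpeakUp's own code. The sample user, the function names, and the tolerance for a capitalised op or a string "False" are assumptions of this example.

```python
import copy

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _to_bool(value):
    """Accept JSON booleans and the strings "true"/"false" in any case."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"active must be a boolean, got {value!r}")

def apply_active_patch(user, body):
    """Apply the 'active' changes of a PatchOp body; other operations are ignored here."""
    if PATCH_OP not in body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    updated = copy.deepcopy(user)          # the record is kept, never dropped
    for op in body.get("Operations", []):
        name = str(op.get("op", "")).lower()
        path, value = op.get("path"), op.get("value")
        if name == "replace" and str(path).lower() == "active":
            updated["active"] = _to_bool(value)          # path form
        elif name == "replace" and path is None and isinstance(value, dict):
            for key, val in value.items():               # pathless form
                if key.lower() == "active":
                    updated["active"] = _to_bool(val)
        elif name == "remove" and str(path).lower() == "active":
            # This example's choice: an absent status is ambiguous, so refuse it.
            raise ValueError("removing 'active' is refused; send active=false")
    return updated

# Constructed sample data: a stored user and the body of PATCH /Users/{id}.
SAMPLE_USER = {"id": "2819c223", "userName": "j.doe@example.com", "active": True}
DEACTIVATE = {
    "schemas": [PATCH_OP],
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}],
}

if __name__ == "__main__":
    after = apply_active_patch(SAMPLE_USER, DEACTIVATE)
    print("record kept:", after["id"], "| active:", after["active"])
```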


8. Sync Direction & Timing

8.1 Sync Direction: One-Way (Entra ID → SpeakUp)

Entra ID is the master source. User and group changes in Entra ID flow into SpeakUp automatically.

Do not manually edit users or groups in SpeakUp if they're managed by SCIM. Your changes may be overwritten when the next sync occurs.

8.2 Sync Timing

Initial Sync

  • Occurs when you first enable provisioning

  • May take longer for large organizations (100+ users)

Ongoing Incremental Sync

  • Runs every 40 minutes

  • Only changed users/groups are updated

  • Large numbers of users or groups may take longer to sync
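
Because provisioning runs on a 40-minute cycle, an offboarding audit can compare a GET /Users result with the identity provider's own records. The following is an added example, not SpeakUp's or Microsoft's code: it flags accounts still active in SpeakUp after the sync window has passed, and active accounts with no counterpart in the identity provider. The shape of the identity-provider export (idp_users) and all sample data are assumptions.

```python
from datetime import datetime, timedelta, timezone

SYNC_INTERVAL = timedelta(minutes=40)  # cycle stated on this page; widen for large tenants
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def primary_email(user):
    """Lower-cased primary (or first) email of a SCIM user, falling back to userName."""
    emails = user.get("emails") or []
    chosen = next((e for e in emails if e.get("primary")), emails[0] if emails else None)
    return (chosen["value"] if chosen else user.get("userName", "")).lower()

def reconcile(scim_list, idp_users, now):
    """Flag active SpeakUp accounts that are overdue for deactivation or unmanaged."""
    # idp_users (hypothetical export): email -> {"enabled": bool, "disabled_at": datetime}
    if LIST_RESPONSE not in scim_list.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    if scim_list.get("totalResults", 0) > len(scim_list.get("Resources", [])):
        raise ValueError("partial page: fetch the remaining pages before auditing")
    idp = {email.lower(): rec for email, rec in idp_users.items()}
    overdue, unmanaged = [], []
    for user in scim_list.get("Resources", []):
        if not user.get("active", False):
            continue                       # already deactivated
        email = primary_email(user)        # the page states users are matched by email
        rec = idp.get(email)
        if rec is None:
            unmanaged.append(email)        # no upstream record: SCIM will not touch it
        elif not rec["enabled"] and now - rec["disabled_at"] > SYNC_INTERVAL:
            overdue.append(email)          # disabled upstream, sync window has passed
    return {"overdue": sorted(overdue), "unmanaged": sorted(unmanaged)}

# Constructed sample data.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_LIST = {"schemas": [LIST_RESPONSE], "totalResults": 4, "Resources": [
    {"userName": "a.ok", "active": True,
     "emails": [{"value": "A.Ok@example.com", "primary": True}]},
    {"userName": "b.left@example.com", "active": True},
    {"userName": "c.recent@example.com", "active": True},
    {"userName": "d.local@example.com", "active": True},
]}
SAMPLE_IDP = {
    "a.ok@example.com": {"enabled": True, "disabled_at": None},
    "b.left@example.com": {"enabled": False, "disabled_at": NOW - timedelta(hours=3)},
    "c.recent@example.com": {"enabled": False, "disabled_at": NOW - timedelta(minutes=10)},
}

if __name__ == "__main__":
    print(reconcile(SAMPLE_LIST, SAMPLE_IDP, NOW))
```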


9. API Version & Standards

This documentation covers SCIM 2.0 (RFC 7644 / RFC 7643 / RFC 7642).

9.1 Specification References

For technical implementation details, refer to the API reference pages (sections 4.1 and 4.2).


Common Questions

What happens if a user exists in both SpeakUp and Entra ID? SpeakUp matches users by email address. If a user with the same email exists, the SCIM integration will update that user's information from Entra ID.

Can I use SCIM just for users, without groups? Yes. You can enable user provisioning without group sync if your use case doesn't require it.

What if I have users in SpeakUp that aren't in Entra ID? These users remain unaffected. SCIM only manages users synced from Entra ID. Users created directly in SpeakUp are not touched by SCIM.

How do I stop SCIM provisioning? Disable the provisioning setting in Entra ID. This stops new syncs but doesn't delete existing users in SpeakUp. Existing users remain in the system.

Can I change the sync frequency? Provisioning runs every 40 minutes and cannot be customized.

Which user attributes are required for provisioning? At minimum, a unique identifier (userName or email) and email address are required. Other attributes are optional and depend on your needs.