Setting Up Microsoft Entra ID SCIM Provisioning for SpeakUp

1. Create Non-Gallery Enterprise Application

Sign in to the Azure Portal
Navigate to Azure Active Directory > Enterprise applications
Click + New application
Click + Create your own application
Choose the name for your application (e.g., "SpeakUp SCIM Provisioning")
Select Integrate any other application you don't find in the gallery (Non-gallery)
Click Create

2. Create App Integration in SpeakUp

Before configuring Entra ID, you need to create an app integration and get credentials from SpeakUp:

Log in to SpeakUp Admin Dashboard
Navigate to Settings > System > Configuration > API
Click + Create app integration
Fill in the form:
- Name: Enter a name for this integration (e.g., "Entra ID SCIM Provisioning")
- Issues: Select access level (leave as default or select "Access")
- Users and Groups: Select Full access (required for SCIM provisioning)
Click Add

Once created, note down the following credentials (you'll need these in the next steps):

Client ID
Client Secret
Token Endpoint

3. Configure SCIM Provisioning with OAuth2 in Entra ID

Configure Provisioning in Entra ID

Once your enterprise application is created in Entra ID:

Open the application.
Go to Provisioning (left sidebar).

Then navigate to:

Manage → Provisioning

Fill in the following fields using values from your SpeakUp app integration:

1. Provisioning Configuration Fields

In the dropdown under provisioning mode select Automatic

Under Authentication method select OAuth2 Client Credentials Grant

Your SCIM endpoint is where Entra ID will send provisioning requests.

SCIM endpoint format:

https://{your-speakup-domain}/scim/v2

Example:

https://client-api.speakup.cloud/scim/v2

Important: The URL must include /scim/v2 at the end.

Keep this URL ready — you will enter it as the Tenant URL in the provisioning settings.

Tenant URL

Enter: Your SpeakUp SCIM Endpoint URL
Example:

https://client-api.speakup.cloud/scim/v2
Must include /scim/v2 at the end.

Client ID

Enter: The Client ID from your SpeakUp app integration
Example:

a718353e-9198-4eb2-a508-eb069fe2b98d

Token Endpoint

Enter: The Token Endpoint from your SpeakUp app integration
(You can find this in the Example Request from section 2.)
Example:

https://eu-central-1tgl0o34mr.auth.eu-central-1.amazoncognito.com/oauth2/token

Client Secret

Enter: The Client Secret from your SpeakUp app integration
Copy exactly as shown — do not add spaces or modify it.

After entering all values:

Click Test Connection to verify the configuration.
If successful, click Save.
Enable provisioning by clicking Start Provisioning.

4. Test the Connection

Click Test Connection
If successful, you'll see a confirmation message
If it fails, verify:
- Tenant URL includes /scim/v2 at the end
- Client Secret is correct (copy it exactly from SpeakUp)
- Your SpeakUp account has SCIM provisioning enabled

Once the test passes, click Save

5. Assign Users and Groups

Only assigned users and groups will be provisioned to SpeakUp:

In the app, go to Users and groups (left sidebar)
Click + Add user/group
Select the users or groups you want to provision
Click Assign

Tip: Start with a small test group (3-5 users) to validate the integration before provisioning your entire organization.

6. Start Provisioning

Go back to Provisioning
Click Start provisioning
Entra ID will begin syncing assigned users and groups to SpeakUp

First sync timing: The initial sync may take several minutes depending on the number of users and groups.

Ongoing syncs: After the initial sync, Entra ID automatically syncs changes every 40 minutes.

7. Verify Provisioning

Check that users are being provisioned correctly:

Log in to SpeakUp
Go to Users section
Verify that users from Entra ID appear in SpeakUp
Check that user attributes (email, name, department, etc.) match Entra ID

8. Trigger Immediate Sync (Optional)

If you need changes to appear immediately rather than waiting for the next 40-minute cycle:

In Entra ID provisioning, click Pause provisioning
Wait a few seconds
Click Resume provisioning
Changes should appear in SpeakUp within a few minutes

Common Issues

Test Connection Fails

Problem: Error message when clicking "Test Connection"

Solutions:

Verify Tenant URL ends with /scim/v2
Confirm Client Secret is correct (copy exactly from SpeakUp, no extra spaces)
Ensure your SpeakUp organization has SCIM provisioning enabled
Check that the Secret Token field has your Client ID (if your Entra ID version requires it separately)

Users Not Appearing in SpeakUp

Problem: Assigned users don't appear in SpeakUp after provisioning starts

Solutions:

Verify users are assigned to the app (check Users and groups section)
If provisioning is not yet active, the Start provisioning button will be enabled.
Wait for the first sync cycle to complete (can take 5-10 minutes)
Check SpeakUp user count is increasing
Verify email addresses in Entra ID match what SpeakUp expects

Sync Stops or Shows Errors

Problem: Provisioning appears to be stuck or showing error status

Solutions:

Go to Provisioning > Logs and check for error messages
If credentials expired, update them in the Admin Credentials section
Pause and resume provisioning (see section 10)
Contact SpeakUp support with the error message

Next Steps

Monitor the initial sync — Check SpeakUp to confirm users are appearing
Test user updates — Change a user's attribute in Entra ID and verify it updates in SpeakUp (within 40 minutes)
Scale up — Once validated, assign additional users or groups
Review Common Questions — See the SpeakUp SCIM Overview for frequently asked questions

Support

If you encounter issues not covered above:

Check the provisioning logs in Entra ID (Provisioning > Logs)
Review the error messages carefully
Contact SpeakUp support with:
- The exact error message from Entra ID provisioning logs
- The number of users being provisioned
- When the issue started