Overview

SCIM lets your identity provider provision users and keep group membership in sync with Go Autonomous automatically. When a new person joins the right Entra group, they show up in the platform with the correct access — no manual intervention. This guide walks through the Microsoft Entra (Azure AD) setup. The same SCIM endpoint will work for other compliant IdPs, but the field-level configuration below is written specifically for Entra.

What syncs and what doesn’t

Set the right expectation up front. The integration is deliberately scoped — it covers what most teams need without giving Entra control of everything in the platform.

| Action | Synced from Entra? |
| --- | --- |
| New users created in Entra | Yes — provisioned into Go Autonomous |
| Group membership changes | Yes — Entra is the source of truth |
| User profile updates | No — change them in the platform |
| User deactivation or deletion | No — manage in the platform |
| Group creation, rename, or deletion | No — managed in the Go Autonomous UI |

If a user lands in zero synced groups (e.g. a PATCH to a group never reaches the platform, or all their groups are later removed), they’re automatically assigned to the Basic User group as a safety net so they keep baseline access.
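
Because deactivation and deletion are not synced, an account disabled or removed in Entra has to be found and handled in the platform. The following added example (not Go Autonomous code) compares two exports and lists active platform accounts that are disabled or missing in Entra, plus accounts left only in the Basic User fallback group. The platform export fields `email`, `active` and `groups` are assumptions, `mail` and `accountEnabled` are Microsoft Graph user properties, and all sample records are constructed.

```python
FALLBACK_GROUP = "Basic User"  # fallback group named on this page

def norm(addr):
    """Normalise an e-mail address for case-insensitive matching."""
    return addr.strip().lower()

def audit(entra_users, platform_users):
    """Return (stale, fallback_only): sorted platform e-mail addresses to review.

    stale         - active in the platform but disabled or missing in Entra
    fallback_only - still enabled in Entra but in no synced group
    """
    enabled = {norm(u["mail"]) for u in entra_users
               if u.get("mail") and u.get("accountEnabled")}
    stale, fallback_only = [], []
    for p in platform_users:
        if not p["active"]:
            continue  # already deactivated in the platform
        email = norm(p["email"])
        if email not in enabled:
            stale.append(email)
        elif set(p["groups"]) <= {FALLBACK_GROUP}:
            fallback_only.append(email)
    return sorted(stale), sorted(fallback_only)

# Constructed sample exports (not real data).
ENTRA = [
    {"mail": "Ada@example.com", "accountEnabled": True},
    {"mail": "bob@example.com", "accountEnabled": False},  # disabled in Entra
    {"mail": "cy@example.com", "accountEnabled": True},
]
PLATFORM = [
    {"email": "ada@example.com", "active": True, "groups": ["Finance"]},
    {"email": "bob@example.com", "active": True, "groups": ["Finance"]},
    {"email": "cy@example.com", "active": True, "groups": ["Basic User"]},
    {"email": "dee@example.com", "active": True, "groups": ["Ops"]},  # deleted in Entra
    {"email": "eve@example.com", "active": False, "groups": []},
]

if __name__ == "__main__":
    stale, fallback_only = audit(ENTRA, PLATFORM)
    print("review for deactivation:", stale)
    print("only in Basic User:", fallback_only)
```
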

Before you start

You’ll need:
  • An Enterprise Application for Go Autonomous in your Entra tenant.
  • A service account API key from the Go Autonomous platform to use as the SCIM secret token.
If you don’t have an API key yet, see API keys to generate one. Use a dedicated service account so the key is easy to rotate.

Set up provisioning in Entra

1. Open your Enterprise Application's Provisioning settings

In Entra, go to Enterprise Applications → Go Autonomous → Provisioning and switch Provisioning On.

2. Set the Tenant URL and Secret Token

| Field | Value |
| --- | --- |
| Tenant URL | https://platformapi.qa.goautonomous.io/scim/v2 |
| Secret Token | The service account API key issued by Go Autonomous |

Click Test Connection to confirm Entra can reach the platform.

3. Configure the User attribute mapping

Open Mappings → Provision Microsoft Entra ID Users and adjust exactly one row:

| customappsso (target) | Microsoft Entra ID (source) | Matching precedence |
| --- | --- | --- |
| emails[type eq "work"].value | mail | 1 |

Setting matching precedence to 1 is what tells Entra to use this attribute for user reconciliation. Leave every other row at its default.

4. Restrict User Target Object Actions to Create only

Under the same Users mapping, set the Target Object Actions:
  • ✅ Create
  • ❌ Update
  • ❌ Delete
The platform creates the user in FusionAuth and the platform database when Entra POSTs to /scim/v2/Users. In the same provisioning cycle, Entra issues PATCH /scim/v2/Groups/{id} to add the user to each assigned synced group.

5. Configure the Group attribute mapping

Open Mappings → Provision Microsoft Entra ID Groups and adjust exactly one row:

| customappsso (target) | Microsoft Entra ID (source) | Matching precedence |
| --- | --- | --- |
| externalId | objectId | 1 |

This is how Entra reconciles its group with the matching platform group. Leave members, externalId defaults, and every other row alone.

6. Restrict Group Target Object Actions to Update only

Under the same Groups mapping, set the Target Object Actions:
  • ❌ Create
  • ✅ Update
  • ❌ Delete
The platform supports membership updates (PATCH) only. Group creation and deletion happen in the Go Autonomous UI.

7. Assign users and groups, then scope the sync

Under Users and groups, assign the people and Entra groups you want synced. Then set the Provisioning Scope to Sync only assigned users and groups so Entra doesn’t try to provision your whole directory.
Don’t change any attribute mapping rows other than the two listed above. The defaults work for everything else, and modifying them can break reconciliation.
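
The exchange configured in the steps above, as an added example rather than Go Autonomous code: a small in-memory model that accepts the user POST, reconciles the group on externalId, applies a membership PATCH, and falls back to Basic User when no synced group remains. The message bodies follow RFC 7643/7644; the class, ids and addresses are constructed for illustration.

```python
BASIC_USER = "Basic User"  # fallback group named on this page
OBJECT_ID = "00000000-0000-0000-0000-000000000001"  # constructed Entra Object ID

class PlatformModel:
    """In-memory model of the behaviour described above, not the real service."""
    def __init__(self, groups):
        self.groups, self.users = groups, {}  # {gid: {"externalId", "members"}}, {uid: e-mail}

    def post_user(self, body):  # POST /scim/v2/Users
        email = next(e["value"] for e in body["emails"] if e.get("type") == "work")
        uid = f"u{len(self.users) + 1}"
        self.users[uid] = email.lower()
        return uid

    def find_group(self, external_id):  # reconcile on externalId = Entra Object ID
        return next(g for g, v in self.groups.items() if v["externalId"] == external_id)

    def patch_group(self, gid, body):  # PATCH /scim/v2/Groups/{id}
        for op in body["Operations"]:
            kind = op["op"].lower()  # Entra may send "Add"/"Remove" capitalised
            if kind not in ("add", "remove") or op.get("path") != "members":
                raise ValueError("only membership changes are supported")
            ids = {m["value"] for m in op["value"]}
            change = set.update if kind == "add" else set.difference_update
            change(self.groups[gid]["members"], ids)

    def effective_groups(self, uid):  # synced groups, else the fallback
        synced = sorted(g for g, v in self.groups.items() if uid in v["members"])
        return synced or [BASIC_USER]

# Constructed sample messages in RFC 7643/7644 shape.
CREATE_USER = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
               "userName": "ada@example.com", "active": True,
               "emails": [{"type": "work", "primary": True, "value": "ada@example.com"}]}

def member_patch(op, uid):
    """Build the PatchOp body that adds or removes one group member."""
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": op, "path": "members", "value": [{"value": uid}]}]}

def demo():
    """Return the user's groups after create, after Add and after Remove."""
    p = PlatformModel({"g-finance": {"externalId": OBJECT_ID, "members": set()}})
    uid, gid = p.post_user(CREATE_USER), p.find_group(OBJECT_ID)
    seen = [p.effective_groups(uid)]
    for op in ("Add", "Remove"):
        p.patch_group(gid, member_patch(op, uid))
        seen.append(p.effective_groups(uid))
    return seen
```
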

Set up the matching group in the platform

For every Entra group you want synced, you need a corresponding platform group with the same External Group ID.
1. Create or pick the platform-side group

Navigate to Administration → Access Control → User Groups and either create a new group or open an existing one you want to sync. Permissions on this group are what synced users will inherit.

2. Set the External Group ID

In Entra, go to Groups → [your group] → Properties and copy the Object ID. Paste it into the External Group ID field on the platform group’s SCIM/SSO tab.

3. Enable SCIM sync

Toggle Sync Enabled on. The group now displays a SCIM badge on its card and details sheet.

Verify the sync

1. Force an initial sync

In Entra, go to Provisioning → Overview → Restart provisioning. Pick a user who’s assigned to the app and a member of a synced group, then confirm they appear in the platform UI within seconds.

2. Confirm auto-provisioning works

Assign a new user to the application, or move a user in or out of a synced group. Entra runs a provisioning cycle roughly every 40 minutes — the change should land in the platform within that window.
Use the Last synced timestamp on the platform group’s details sheet to confirm sync is still running and to spot stale groups.

Rotate the API key

Rotate the secret token periodically as part of your security hygiene.
1. Issue a new key in the platform

Generate a new service account API key from the API keys page.

2. Update the Secret Token in Entra

Paste the new key into the Provisioning → Secret Token field on the Enterprise Application.

3. Save and restart provisioning

Click Save, then Restart provisioning so Entra picks up the new credential immediately.

What’s next

  • User Groups — configure permissions on the groups you sync.
  • User Management — see synced users in the Users table and check their effective permissions.