Set up SCIM for Microsoft Entra


SCIM provisioning lets you automatically create, update, and remove Pendo users based on assignments in Microsoft Entra ID (formerly Azure Active Directory). SCIM is available for Premium subscriptions or as an add-on.

Pendo's official Microsoft Gallery app supports SAML sign-on but doesn't include a Provisioning tab, because Microsoft hasn't certified a provisioning connector for the gallery entry. To enable SCIM provisioning, you create a separate non-gallery application in Entra ID that handles user and group provisioning alongside your existing Pendo SAML app.

Before you begin

Before you can proceed, you must have:

  • An existing Pendo SAML connection set up in Entra ID using the Pendo gallery app.
  • Global administrator or application administrator permissions in Microsoft Entra.

How the two-app setup works

Because the gallery app doesn't expose provisioning, you set up two enterprise applications in Entra ID that work together:

  • SAML app. Your existing Pendo gallery app handles sign-in.
  • SCIM app. A new non-gallery app handles user and group provisioning.

Assign the same users and groups to both apps. Entra ID signs users in through the SAML app and manages their accounts in Pendo through the SCIM app.

Step 1. Create the enterprise application

Create a non-gallery application in Entra ID to act as the SCIM endpoint for Pendo.

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Identity > Applications > Enterprise applications.
  3. Select New application > Create your own application.
  4. Enter a name for your app.
  5. Select Integrate any other application you don't find in the gallery (Non-gallery).
  6. Select Create.

Step 2. Configure provisioning settings

Connect Entra ID to Pendo's SCIM endpoint.

  1. In your new app, select Provisioning from the left menu.
  2. Change Provisioning Mode from Manual to Automatic.
  3. Expand Admin Credentials and enter the following:
    • Tenant URL. The SCIM endpoint provided by Pendo. For more information on where to obtain this, see Set up SCIM in Pendo.
    • Secret Token. The OAuth bearer token or an API key generated in your application's admin panel. 
  4. Select Test Connection.

Note: If the connection test fails, confirm that traffic from Microsoft Entra IP ranges is allowed by your firewall, that the Tenant URL ends in /v2, and that the bearer token is current.

Step 3. Map attributes

Attribute mappings tell Entra ID which fields in your directory correspond to fields in Pendo. Entra ID provides default mappings for both users and groups, which you can review and adjust.

Map user attributes

  1. On the Provisioning page, expand Mappings.
  2. Select Provision Microsoft Entra ID Users.
  3. Confirm that the following required attributes are mapped: userName, active, name.givenName, and name.familyName.
  4. Review the Matching precedence setting. Entra ID uses one attribute as the joiner to link accounts between the two systems. 

Map group attributes

  1. In the Mappings section, select Provision Microsoft Entra ID Groups.
  2. Confirm that the following required attributes are mapped: displayName, objectId, and members.
  3. Review the Matching precedence setting. 

Group provisioning behavior

Keep the following Entra ID behaviors in mind when assigning groups:

  • Nested groups aren't supported. If group A contains group B, only the members of group A are provisioned. Group B isn't provisioned unless it's explicitly assigned to the app.
  • Empty groups may be rejected. Some SCIM endpoints reject group creation requests for groups with no members. Assign at least one user to a group before syncing.
  • Initial sync must complete before manual syncs. When you first turn on provisioning, Entra ID runs a full initial cycle. You can't trigger an on-demand sync until the initial cycle completes.

Step 4. Define the provisioning scope

Choose which users and groups Entra ID provisions to Pendo.

  1. Expand the Settings section.
  2. Under Scope, select one of the following:
    • Sync only assigned users and groups. Only users and groups assigned to the app on the Users and groups tab are provisioned. We recommend this option for most setups.
    • Sync all users and groups. Every user and group in your tenant is provisioned to Pendo.

Step 5. Turn on provisioning

  1. Set Provisioning Status to On.
  2. Select Save.

Entra ID starts the initial provisioning cycle, which can take from 20 minutes to several hours depending on the number of users and groups. To monitor progress and review individual create or update actions, check the Provisioning logs.

Troubleshooting

If provisioning fails or behaves unexpectedly, check the Provisioning logs first. The following errors are the most common.

  • 401 Unauthorized. The Secret Token has expired or is incorrect. Generate a new token in Pendo and update the Admin Credentials section.
  • 400 Bad Request. A required attribute was sent as null. Add a default value for the attribute in the user or group mappings.
  • Schema mismatch. Some setups require custom SCIM attributes. To add unique fields, select Show advanced options > Edit attribute list for CustomApps in the user mappings.
  • Group skipped in logs. If a group doesn't appear in Pendo after a sync, check the provisioning logs for a "Skipped" event. Entra ID skips groups that don't meet a configured scoping filter.
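
The following is an added example, not Pendo or Microsoft code: a pre-sync lint that flags the failure modes described above (null required attributes that lead to 400 Bad Request, empty groups, and nested groups that aren't assigned to the app). The export record layout, the member `type` field, and the function names are assumptions made for illustration.

```python
# Added example over constructed data; record layout and names are assumptions.
REQUIRED_USER = ("userName", "active", "name.givenName", "name.familyName")
REQUIRED_GROUP = ("displayName", "objectId")  # members is checked separately

def get_path(record, dotted):
    """Resolve a dotted attribute such as name.givenName; None if absent."""
    value = record
    for key in dotted.split("."):
        value = value.get(key) if isinstance(value, dict) else None
    return value

def is_null(value):
    """None or a blank string counts as null; False (active=False) does not."""
    return value is None or (isinstance(value, str) and not value.strip())

def lint_export(users, groups, assigned):
    """Return (subject, problem) pairs; assigned = group ids assigned to the app."""
    findings = []
    for user in users:
        for attr in REQUIRED_USER:
            if is_null(get_path(user, attr)):
                findings.append((user.get("userName") or "?", f"null {attr}"))
    for group in groups:
        name = group.get("displayName") or "?"
        for attr in REQUIRED_GROUP:
            if is_null(get_path(group, attr)):
                findings.append((name, f"null {attr}"))
        members = group.get("members") or []
        if not members:
            findings.append((name, "empty group"))
        for member in members:
            if member.get("type") == "group" and member.get("objectId") not in assigned:
                findings.append((name, f"nested group {member.get('objectId')} not assigned"))
    return findings

# Constructed sample data (not real directory objects).
USERS = [
    {"userName": "ana@example.com", "active": False,
     "name": {"givenName": "Ana", "familyName": "Ruiz"}},
    {"userName": "bo@example.com", "active": True,
     "name": {"givenName": "Bo", "familyName": None}},
]
GROUPS = [
    {"displayName": "Analysts", "objectId": "g-1",
     "members": [{"type": "user", "objectId": "u-1"},
                 {"type": "group", "objectId": "g-2"}]},
    {"displayName": "Contractors", "objectId": "g-3", "members": []},
]
FINDINGS = lint_export(USERS, GROUPS, assigned={"g-1", "g-3"})
```

A deactivated user (active set to False) is a valid value and is not reported; only missing, null, or blank attributes are.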

Frequently asked questions

How do I force a sync?

By default, Entra ID syncs every 40 minutes. To sync sooner, for example, after changing attribute mappings or removing a user, you can either provision on demand or restart provisioning.

How do I provision a specific user or group on demand?

Use Provision on demand to sync a specific user or group immediately without affecting other assignments.

  1. Open your enterprise application in the Entra admin center.
  2. Go to Provisioning > Provision on demand.
  3. Search for the user or group.
  4. Select Provision.

Entra ID immediately syncs the selected user or group and shows the result in a real-time log.

How do I restart provisioning for all assigned users and groups?

Use Restart provisioning after a major change, such as updated attribute mappings, when you want Entra ID to re-evaluate every assigned user and group from scratch.

  1. Go to the Provisioning tab of your app.
  2. Select Restart provisioning.

Warning: Restarting provisioning resets the sync watermark, so Entra ID re-evaluates every assigned user and group from scratch. This can take a long time for large directories.
