SCIM automatically creates, updates, and deprovisions users in Retrac based on your Microsoft Entra ID directory — reducing manual invite management for large teams. SCIM is available on Enterprise plans alongside SAML SSO.
Configure Azure AD SAML first so provisioned users can sign in. SCIM manages workspace membership; SAML handles authentication.

Prerequisites

  • Microsoft Entra ID admin access
  • Retrac workspace owner role
  • Enterprise plan with SCIM enabled
  • SAML SSO configured (recommended)

Set up Azure AD SCIM

1. Open Retrac SCIM settings

In Retrac, go to Settings → Security and open SCIM configuration. Generate or copy your:
  • SCIM endpoint URL
  • Bearer token (shown once — store in a secrets manager)

2. Enable provisioning in Entra ID

In the Microsoft Entra admin center, open your Retrac enterprise application. Go to Provisioning and set Provisioning Mode to Automatic.

3. Enter SCIM credentials

Under Admin Credentials:
  • Tenant URL — Retrac SCIM endpoint URL
  • Secret Token — Retrac bearer token
Click Test Connection to verify Entra can reach Retrac.

4. Configure attribute mappings

Review Provisioning → Mappings → Provision Microsoft Entra ID Users. Ensure mappings include:
| Entra attribute | SCIM field |
|---|---|
| userPrincipalName or mail | userName / emails |
| givenName | name.givenName |
| surname | name.familyName |
| Switch([IsSoftDeleted], , "False", "True", "True", "False") | active |
Adjust mappings so the email Entra sends matches how users are identified in Retrac.
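
The mappings above, modelled as an added Python example (not Retrac or Microsoft code): it builds the SCIM User body the table describes and flags records where userName and the primary email differ. The function names and sample records are assumptions constructed for illustration; how Retrac matches users is not specified on this page.

```python
# Added example: models the Entra -> SCIM mappings from the table above.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def switch_is_soft_deleted(is_soft_deleted):
    """Mirror Switch([IsSoftDeleted], , "False", "True", "True", "False")."""
    table = {"False": True, "True": False}
    # The expression's default is empty, so an unexpected value maps to None.
    return table.get(str(is_soft_deleted))


def to_scim_user(entra_user, username_source="userPrincipalName"):
    """Build the SCIM User body for one Entra user record (a plain dict)."""
    if username_source not in ("userPrincipalName", "mail"):
        raise ValueError("userName must map from userPrincipalName or mail")
    user_name = entra_user.get(username_source)
    if not user_name:
        raise ValueError(f"{username_source} is empty; cannot set userName")
    body = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {
            "givenName": entra_user.get("givenName"),
            "familyName": entra_user.get("surname"),
        },
        "active": switch_is_soft_deleted(entra_user.get("IsSoftDeleted", False)),
    }
    if entra_user.get("mail"):
        body["emails"] = [{"value": entra_user["mail"], "type": "work", "primary": True}]
    return body


def identifier_mismatch(scim_user):
    """True when userName and the primary email differ (case-insensitive)."""
    emails = scim_user.get("emails") or []
    primary = next((e["value"] for e in emails if e.get("primary")), None)
    return primary is None or primary.lower() != scim_user["userName"].lower()


# Constructed sample records (not real directory data).
MEMBER = {"userPrincipalName": "ana@example.com", "mail": "ana@example.com",
          "givenName": "Ana", "surname": "Ruiz", "IsSoftDeleted": False}
GUEST = {"userPrincipalName": "bo_partner.test#EXT#@example.onmicrosoft.com",
         "mail": "bo@partner.test", "givenName": "Bo", "surname": "Lee",
         "IsSoftDeleted": True}
```

For the constructed guest record, mapping userName from userPrincipalName yields a mismatch with the primary email, while mapping it from mail does not.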

5. Assign users and start provisioning

  1. Assign users or groups to the Retrac enterprise app under Users and groups.
  2. Set Provisioning Status to On.
  3. Review the Provisioning logs for successful create and deactivate events.
Pair SCIM with location access — provision users into Retrac, then let owners assign location permissions in Settings → Members.

Rotate credentials

If your bearer token may have been exposed, regenerate it in Settings → Security and update Entra with the new token before revoking the old one.

Remove SCIM

Disconnect SCIM from the Security page when decommissioning automated provisioning. Review active members afterward. See Security documentation.