# Azure SCIM
source: https://docs.chalk.ai/docs/azure-scim

## Setting up Azure Entra ID to automatically provision and deprovision Chalk users.

Chalk implements SCIM in order to allow external
identity providers (IDPs) to automatically provision and
deprovision users as they are added and removed from
the external identity provider.

### Supported Features

- IDP-initiated user provisioning
- IDP-initiated user deprovisioning
- IDP-managed group assignment

### Setup Steps

This guide assumes that an SAML application has been already set up for Chalk.
To view the base setup steps, see the Chalk documentation for Entra ID SAML.

### Enable SCIM in Chalk

- Navigate to your environment's settings page
- Find the Single-Sign On Page on the Settings Sidebar
- Find the SCIM Tab on the page
- Generate an SCIM authentication token in your Chalk
settings dashboard.
- Important: This token is extremely sensitive and care should be taken to ensure that it is not leaked.
- Copy the SCIM connector Base URL. For self-hosted planes, this may differ.

### Set Up SCIM in Entra ID

- Navigate to your Entra ID admin dashboard, and find (or create) your application.
- In your application, find the provisioning tab and click on "Connect Your Application"
- Configure SCIM using:Authentication Method: "Bearer authentication"Tenant URL: https://api.chalk.ai/scim/v2Important: This URL will change if your metadata plane
is self-hosted. Confirm your team's SCIM connector base URL in the Settings > Single Sign-On.Secret token: The token generated in step 4 of the previous section
- Navigate to "attribute mapping" in the provisioning sidebar
- Add attribute mappings for users. The following attributes are supported:userName: Use your preferred email attributeactivedisplayNametitlename.givenNamename.familyName
- Add attribute mappings for groups. The following attributes are supported:displayNamemembersIf group syncs do not work as expected, it is potentially due to invalid attribute mappings and recommended to delete
mappings down to just these two.

App Integration Configuration