Entra SCIM Integration

This document outlines the various flows involved in managing group and user assignments within the Entra SCIM App and explains how these operations impact Campaign Manager via the SCIM API.

It provides a detailed breakdown of how user and group provisioning, updates, and deletions are handled, including role management logic, placeholder role handling, and cleanup operations for unassigned users or groups.

This document includes the following information:

• How to setup Entra SCIM application, see Setup Entra SCIM Application.

• How users are provisioned when a group is assigned to the Entra SCIM App, see Group Assigned to Entra App.

• What happens when a group is unassigned from the app, see Group Unassigned from Entra App.

• How user removal from a specific group is processed, see User Unassigned from a Group.

• The flow for assigning a new user to an existing group, see New User Assigned to Existing Group.

• Handling overlapping users when a second group is assigned, see Group2 Assigned with Overlapping Users.

• Processing of completely new users when they are added via a newly assigned group, see Group2 Assigned with Completely New Users.

Entra SCIM Integration with Campaign Manager

This illustrates how user and group provisioning flows from Microsoft Entra ID to the Campaign Manager using SCIM 2.0 via Amazon API Gateway. Groups and users are assigned or unassigned in Entra, which triggers provisioning requests validated through the API Gateway. The SCIM API then creates, updates, or removes users and roles in Campaign Manager based on the changes. For example, assigning a group in Entra creates users with that role in Campaign Manager, unassigning a group removes the role, and removing a user from a managed group deletes or updates their role accordingly.

Prerequisites

Create all required roles before assigning groups. Ensure that each group name in Entra matches the corresponding role name.