Overview
SCIM provisioning automates user and group management between Microsoft Entra ID and ThingLink.
With SCIM provisioning, Microsoft Entra ID can create and deactivate users, create and delete groups, and keep group memberships in sync in ThingLink.
SCIM provisioning does not manage how users sign in. User authentication is handled separately through Microsoft SSO, which should be configured before you set up SCIM.
At the moment, SCIM provisioning is available for Microsoft Entra ID only. If you need SCIM provisioning for another identity provider, please contact support or your ThingLink account manager.
Why use SCIM provisioning?
With SCIM provisioning, user access is managed from Entra ID instead of manually in ThingLink. This reduces manual account administration and helps keep access and group membership in sync.
If you use groups in Entra ID to control access, you can also use provisioned ThingLink groups to share content with the right users automatically and ensure that your learners automatically see content assigned to their group(s). See this article for more details.
How to set up SCIM provisioning
Prerequisites
Make sure that:
Microsoft SSO is already set up for your ThingLink organization.
You have an administrator account in ThingLink.
You have a Microsoft Entra ID account with permission to manage enterprise applications.
Step 1: Enable SCIM in ThingLink
In ThingLink, go to Organization > Integrations > SCIM provisioning.
Click Enable and configure.
Copy the Tenant URL and Secret token. You will need both in Microsoft Entra ID.
Step 2: Configure provisioning in Microsoft Entra ID
Configure a new enterprise application
In the Microsoft Entra admin center, go to Enterprise applications.
Click New application.
Select Create your own application.
Choose Integrate any other application you do not find in the gallery.
Enter a name for the application and create it.
Set up a provisioning configuration
Open the application and go to Provisioning.
Create a new provisioning configuration.
Set Authentication method to Bearer authentication.
In Tenant URL, paste the Endpoint URL copied from ThingLink.
In Secret token, paste the Secret token copied from ThingLink.
Click Test connection.
If the connection succeeds, click Create.
Review provisioning mappings
In Attribute Mapping, open the group mapping. Ensure Provision Microsoft Entra ID Groups is enabled and keep the default mapping.
In Attribute Mapping, open Provision Microsoft Entra ID Users.
Keep only the following user attributes:
userName
active
displayName
externalId
Leave the remaining settings unchanged.
Make sure the following target object actions are enabled:
Create
Update
Delete
Adjust provisioning scope
Under the Provisioning tab, expand the Settings menu and set Scope to Sync only assigned users and groups.
Here is what the final configuration setup should look like:
Assign users and groups
In Users and groups, assign the users and groups that should be provisioned to ThingLink.
We recommend starting with a relatively small batch for the initial sync.
Start provisioning
Go to Overview.
Click Start provisioning to run the initial sync.
Wait until the initial sync is complete and review the results on the Overview page.
How provisioning works
Users
Account creation
When a user is assigned to the application in Entra ID, ThingLink creates a user account for them. The user can then sign in with Microsoft SSO.
Provisioned accounts are always created with the lowest access level available in your organization: Learner or Student, depending on your organization type and subscription. Provisioning different roles is not currently supported.
Account deactivation
If a user is no longer assigned to the application, either directly or through a group, their ThingLink account is deactivated.
Accounts are not fully deleted to help prevent content or data loss. If you want accounts to be removed automatically after deactivation, consider enabling a data retention policy in ThingLink.
Groups
ThingLink creates groups for assigned Entra ID groups and keeps membership in sync.
If a group is unassigned in Entra ID, the corresponding ThingLink group is deleted. Users who were provisioned through that group are deactivated if they are no longer assigned in any other way.
Existing ThingLink groups are matched by name. Once a ThingLink group is matched to an Entra ID group, it will be managed automatically. Note that the group memberships will not be overridden: group membership for users assigned via Entra ID will be managed automatically, but any users that were added to the group manually and are not managed by automatic provisioning will remain in the group.
Troubleshooting
Check the provisioning logs in Microsoft Entra ID. You can find them under the enterprise application:
Provisioning > Monitor > Provisioning logs
Allow time for provisioning changes to appear. After the initial sync, Entra provisioning runs in recurring cycles rather than instantly. You can check the provisioning interval under the enterprise application you created > Provisioning > Overview > Provisioning details > Provisioning interval.
If you run into issues, contact the ThingLink support team.
Limitations and notes
Changes made in Entra ID are not instant. Incremental syncs typically run about every 40 minutes.
Large syncs can take time. As a starting point, we recommend testing with fewer than 1,000 users.
Make sure your ThingLink license has enough user capacity for the users you plan to provision. If you attempt to provision more users than your license supports, additional accounts will not be created.
Assigning a group does not cascade to nested groups. When you assign a group to an application, only users directly in the group will have access.
If a user already has an independent ThingLink account that is not connected to your license, SCIM provisioning will not move that account into your organization automatically. The user must first be added or invited to your license manually.
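The scoping rules described under How provisioning works and in the notes above, modelled on constructed data so that an assignment change can be previewed before it is made in Entra ID. This is an added example, not ThingLink or Microsoft code; all group names, addresses and function names are hypothetical.

```python
# Constructed sample data; every name and address below is hypothetical.
DIRECT_MEMBERS = {            # Entra group -> users directly in the group
    "Biology-101": {"ana@example.edu", "ben@example.edu"},
    "Science-Dept": {"cho@example.edu"},
}
NESTED_GROUPS = {"Science-Dept": {"Biology-101"}}   # parent -> child groups
THINGLINK_GROUPS = {          # existing ThingLink group -> current members
    "Biology-101": {"ana@example.edu", "guest@example.edu"},
}


def in_scope(assigned_users, assigned_groups):
    """Users provisioned under 'Sync only assigned users and groups'.

    Only direct members of an assigned group count; nesting does not cascade.
    """
    users = set(assigned_users)
    for group in assigned_groups:
        users |= DIRECT_MEMBERS.get(group, set())
    return users


def nested_only(assigned_users, assigned_groups):
    """Users reachable only through nested groups, so they are not provisioned."""
    missed, seen, stack = set(), set(assigned_groups), list(assigned_groups)
    while stack:
        for child in NESTED_GROUPS.get(stack.pop(), set()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
                missed |= DIRECT_MEMBERS.get(child, set())
    return missed - in_scope(assigned_users, assigned_groups)


def plan_unassign(assigned_users, assigned_groups, group):
    """Effect of unassigning one group: who is deactivated, which group is deleted."""
    before = in_scope(assigned_users, assigned_groups)
    after = in_scope(assigned_users, set(assigned_groups) - {group})
    return {"deactivated": before - after, "deleted_group": group}


def unmanaged_members(group, assigned_groups):
    """Manually added members of a name-matched group; provisioning leaves them in."""
    if group not in assigned_groups or group not in THINGLINK_GROUPS:
        return set()
    return THINGLINK_GROUPS[group] - DIRECT_MEMBERS.get(group, set())
```

Members returned by unmanaged_members keep their group access after the group becomes managed, so review them separately from the Entra ID assignment.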