You can automate user and group provisioning in Ironclad by integrating Microsoft Entra ID (Azure) using the SCIM protocol. This setup allows you to create, update, and deactivate users and groups from Azure, ensuring your Ironclad user base stays synchronized with your organization’s identity provider. Automating this process saves time, reduces manual errors, and helps maintain secure, up-to-date access controls.
Supported Microsoft Entra ID Active Directory Features
- Create Users
- Update User Attributes
- Deactivate Users
- Create Groups
- Update Groups
- Delete Groups
Use Case
At Classics Inc., the IT team wants to streamline onboarding and offboarding for the Legal department. They configure Ironclad to integrate with Microsoft Entra ID using SCIM. After enabling the integration, any changes to users or groups in Azure—such as adding new employees to the Legal group or removing departed staff—are automatically reflected in Ironclad. The IT admin navigates to Company Settings > Integrations > SAML in Ironclad, generates a SCIM token, and completes the Azure configuration. Now, user provisioning is hands-off and secure, ensuring only authorized users have access to Ironclad.
Permissions
| Features | Company Settings, Integrations, SAML/SCIM |
| Permissions | Admin Role |
| Prerequisites | To provision users with Microsoft Entra ID: You must have a SAML SSO connector configured in your Ironclad company before provisioning users with SCIM. You must be able to create Ironclad API bearer tokens in your Ironclad company. |
Step 1: Create a SCIM Scoped Token
- In Ironclad, navigate to Company Settings > Integrations > SAML
- At the top, select the SCIM Configuration tab.
- Under Token Generation, enter a descriptive name for the token.
- Click + Generate New Token.
- Copy and paste the new token into your identity provider's setup.
- Save this token in a safe place. Once you close the window, you will not be able to access it again.
Step 2: Enable API Integration in Microsoft Entra ID
You may need to change the default settings for Switch to the following if the default does not allow for you to remove users:
- Log in to your Microsoft Entra admin center with your admin account. In the Entra ID panel on the left, click Enterprise Apps then find the Ironclad app you created to enable SSO (e.g. Ironclad).
- Select the Ironclad application you previously configured.
- From the application's configuration screen, click the Provisioning tab.
- Click Connect your application.
- Select Bearer Authentication as the authentication method.
- In the Tenant URL field, enter https://ironcladapp.com/scim/v2.
- If you are in the European Union and/or your SSO SAML Callback URL begins with [https://eu1.ironcladapp.com,](https://eu1.ironcladapp.com,) you must enter https://eu1.ironcladapp.com/scim/v2 instead.
- In the Secret Token field, enter the user’s Ironclad API Token.
- Click Test connection to verify the connection.
- Click Create. The admin credentials are created.
-
Click the Attribute Mapping section, and then click Provision Microsoft Entra ID Users and unmap the following array type fields. You can remap these in the future:
- physicalDelivery
- OfficeName
- streetAddress
- city
- state
- postalCode
- country
- telephoneNumber
- mobile
- facsimileTelephoneNumber
- mailNickname
The Manager attribute is not compatible with Ironclad's reference chains.
- Click Save.
Step 3: Assign Users And Groups to the Ironclad Application
Pushing users into Ironclad with SCIM is only supported when a single SAML configuration is in place in your Ironclad company.
Any subsequent updates to users or groups within Microsoft Entra ID Active Directory are periodically updated in Ironclad.
- In your Microsoft Entra ID Active Directory admin account, under the application, click the Users and Groups tab.
- Click the Add User button and select the users and groups to assign the to application.
- On the bottom left-hand side of the screen, click the Assign button. These users will be added or updated in the next provisioning cycle (typically around 45 minutes).
- From the Users and Groups tab, you can also remove users and groups from the application.
Step 4: Start Provisioning
Click the Provisioning section, and then click the Get Started tab. Click Start provisioning.
Step 5: Configure Group Permissions in Ironclad
You must manage group permissions in Ironclad after pushing groups via SCIM. Refer to the Group Permissions Overview for more information.
Resources
Explore articles, courses, and support options to get the most out of Ironclad.
Help Center
Academy
- No relevant resources at this time.