Microsoft Entra ID User Provisioning (SCIM)

Last updated: February 9, 2026

Microsoft Entra ID (formerly Azure AD) is an identity provider that supports Single Sign-On (SSO) and SCIM provisioning. If your company has added SSO to its ModernLoop plan, you can manage login access to ModernLoop and maintain consistent security across your organization through Microsoft Entra ID.

By enabling SCIM (System for Cross-domain Identity Management), you can proactively remove users from ModernLoop when they are deleted in your directory, ensuring secure and efficient user management.

For instructions on setting up SSO for Microsoft Entra ID, see Microsoft Entra ID Single Sign-on (SAML).


Enabling SCIM

  1. Log in to the Azure Portal as an administrator.

  2. Navigate to the previously created Enterprise Application for ModernLoop.

  3. Open the Provisioning tab within the application settings.

  4. Click Get Started.

  5. In the Provisioning Mode field, select Automatic.

  6. Enter the following values:

    • Tenant URL:

      https://mloop.prod.modernloop.io/org/scim/v2

    • Secret Token: Use the token provided by ModernLoop (Organization settings → Secrets → SCIM token)

  7. Click Save to enable SCIM provisioning.


Manage ModernLoop Role Assignment Using SCIM (Using Microsoft Entra ID)

When SCIM role management is enabled, user roles must be managed through Microsoft Entra ID and cannot be edited directly in ModernLoop. To allow manual role editing within the platform, navigate to Organization settings → Members and adjust the role management setting.

This toggle allows organizations to choose between:

  • SCIM-managed roles: All role assignments handled through Microsoft Entra ID

  • Platform-managed roles: Direct role editing available within ModernLoop

  1. Navigate to App Registrations and select the SAML application created for ModernLoop.

  2. Open the App Roles section.

  3. Create a new app role:

    • Name: ML_ADMIN

    • Allowed Member Types: Users/Groups

    • Value: ADMIN

    • Description: Add a description for the role.

    • Click Apply to save.

  4. Repeat this process to create additional roles such as SCHEDULER and INTERVIEWER.

SCIM Interviewer Attributes

The following properties, if provided by Microsoft Entra ID, will be mapped directly to the ModernLoop SCIMUser object and stored in the ModernLoop database.

| Attribute | Description |
| --- | --- |
| userName | Maps to the userName property from SCIM. |
| name | Maps to the name property from SCIM. |
| familyName | The user's last name (e.g., "Jensen" in "Ms. Barbara Jane Jensen, III"). |
| givenName | The user's first name (e.g., "Barbara" in "Ms. Barbara Jane Jensen, III"). |
| emails | Maps to the emails multivalued property from SCIM. |
| displayName | Maps to the displayName property from SCIM. |
| locale | Maps to the locale property from SCIM. |
| active | Denotes if the user is active (true) or inactive (false). |
| modernloopRole | A custom property mapping ModernLoop roles (ADMIN, SCHEDULER, INTERVIEWER). |


Create a Custom Attribute

You must enable the creation of custom attributes for the SAML Application on Azure AD / Entra ID.

  1. Open the SAML Enterprise App in Azure.

  2. Navigate to the Provisioning section.

  3. Click Edit Attribute Mappings.

  4. Test the connection by entering the correct Tenant URL and Secret Token, then click Test Connection.

  5. Expand the Mappings section and select Provision Microsoft Entra ID Users.

  6. Scroll to the bottom and select Show Advanced Options.

  7. Click Edit Attribute List for Custom SSO App.

  8. Add a custom attribute:

    • Name: modernloopRole

    • Data Type: String

  9. To save the configuration, click Save, then Yes.

Map Custom Attributes to App Roles Using Expression Language

  1. Navigate to Enterprise SAML Application → Provisioning.

  2. Click Edit Attribute Mapping.

  3. Expand the Mappings section and click Provision Microsoft Entra ID Users.

  4. Add a new mapping for the ModernLoop Role Parameter:

    • Mapping Type: Expression

    • Expression:

      Switch(SingleAppRoleAssignment([appRoleAssignments]), "", "ML_ADMIN", "ADMIN", "ML_SCHEDULER", "SCHEDULER", "ML_INTERVIEWER", "INTERVIEWER")

    • Default Value: INTERVIEWER

    • Target: modernloopRole

  5. Click OK to save.


Set Up Security Groups for Member Role Settings

  1. Navigate to AD Groups.

  2. Create a new group (e.g., ModernLoop Admins) and click Create to save the group.

  3. Open the SAML Enterprise App.

  4. Navigate to Users and Groups.

  5. Click Add User/Group.

    • Group Name: Select ModernLoop Admins.

    • Select a Role: Choose the app role ML_ADMIN.

  6. Click Assign.

  7. Repeat the process to create additional groups with corresponding app roles as needed.

Run SCIM Provisioning

Once the setup is complete, run SCIM provisioning again to sync these roles with ModernLoop.
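
After the sync, the provisioned roles can be checked against the directory assignments. The script below is an added example, not ModernLoop or Microsoft code: it mirrors the key/value pairs of the Switch expression above and flags accounts whose modernloopRole or active state disagrees with the directory. The record layouts, the sample users, and the assumption that the Default Value applies when Switch returns "" are illustrative.

```python
# Added example: post-sync audit of ModernLoop roles. All sample data is constructed.

# Key/value pairs from the page's Switch(...) expression: app role name -> ModernLoop role.
ROLE_MAP = {
    "ML_ADMIN": "ADMIN",
    "ML_SCHEDULER": "SCHEDULER",
    "ML_INTERVIEWER": "INTERVIEWER",
}
DEFAULT_ROLE = "INTERVIEWER"  # the mapping's Default Value on the page


def expected_role(app_role):
    """Role the mapping should produce for one app role assignment.

    Switch() yields "" for a missing or unmatched role; this sketch assumes
    the mapping's Default Value is then applied.
    """
    return ROLE_MAP.get(app_role or "", "") or DEFAULT_ROLE


def audit(assignments, scim_users):
    """Return (userName, finding) pairs where ModernLoop disagrees with the directory."""
    findings = []
    for user in scim_users:
        name = user["userName"]
        if name not in assignments:
            # No longer assigned to the app, so SCIM should have deactivated them.
            if user["active"]:
                findings.append((name, "active but not assigned in directory"))
            continue
        want, got = expected_role(assignments[name]), user.get("modernloopRole")
        if got != want:
            findings.append((name, f"role drift: expected {want}, found {got}"))
    return findings


# Constructed inputs: userName -> app role name (None = assigned without a role).
ASSIGNMENTS = {"ana@example.com": "ML_ADMIN", "bo@example.com": "ML_SCHEDULER",
               "cy@example.com": None}
# Constructed ModernLoop-side records using attribute names listed on this page.
SCIM_USERS = [
    {"userName": "ana@example.com", "active": True, "modernloopRole": "ADMIN"},
    {"userName": "bo@example.com", "active": True, "modernloopRole": "ADMIN"},
    {"userName": "cy@example.com", "active": True, "modernloopRole": "INTERVIEWER"},
    {"userName": "eve@example.com", "active": True, "modernloopRole": "ADMIN"},
    {"userName": "fay@example.com", "active": False, "modernloopRole": "SCHEDULER"},
]

if __name__ == "__main__":
    for name, finding in audit(ASSIGNMENTS, SCIM_USERS):
        print(f"{name}: {finding}")
```

With the constructed data, the audit reports a scheduler holding ADMIN and an active admin account that has no directory assignment.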
