Create a new Azure SCIM Token
Azure AD needs a long-lived OAuth2 token that it sends with each request as a Bearer token to authenticate with Bridge. This token has to be generated by an Implementation Consultant; please reach out for assistance in obtaining it.
Configuring Azure AD for SCIM
These are step-by-step instructions to create a new enterprise application and configure the provisioning as needed for Bridge.
1. Log on to the Azure portal and select the Azure AD tile at the top
2. Select Enterprise Applications from the Manage menu on the left

3. Create a new application by clicking the + New Application button

4. Click + Create your own application to create a custom application

5. Enter a name for the application (any name is fine) and make sure the Integrate any other application you don't find in the gallery (Non-gallery) radio button is selected, then click Create

6. After the application finishes creating, the application Overview page will be displayed
7. Select Provisioning from the Manage menu on the left

8. Click the Get Started button
9. Change the Provisioning Mode to Automatic

10. Fill in the Tenant URL, which should be the same as their Bridge URL with /api/scim on the end. Example: https://azurescimcustomer.bridgeapp.com/api/scim
11. Fill in the Secret Token generated by support
12. Click Test Connection to validate the configuration

13. After the connection test completes, save the configuration
14. Expand the Mappings section

15. Click the Provision Azure Active Directory Groups mapping, disable the mapping, and click Save

16. Click the Provision Azure Active Directory Users mapping
17. Remove unnecessary mappings (see following sections for mappings)
18. Use the Add New Mapping link to add additional mappings

19. If the desired target attributes do not exist, click the Show advanced options checkbox at the bottom of the page and then click the Edit attribute list for customappsso link

20. Scroll to the bottom of the page and enter the attribute name and select type String

21. Once the new attributes have been added, click the Save button to save the newly added attributes
22. The Attribute Mapping page will need to be refreshed to allow mapping of the newly added attributes
Attribute Mappings
Required Attributes
This is the minimum set of attributes that are recommended for use.
| Azure Active Directory Attribute (Source) | customappsso Attribute (Target) | Bridge Attribute |
|---|---|---|
| Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | Create or delete user |
| | | Email |
| | | |
| | | |
| | | |
Optional Attributes
These are additional attributes you can specify that will map to standard attributes on the Bridge user.
| Azure Active Directory Attribute (Source) | customappsso Attribute (Target) | Bridge Attribute |
|---|---|---|
| Various* | | |
| ?** | | |
| | urn:ietf:params:scim:schemas:core:2.0:User:title | |
| department | urn:ietf:params:scim:schemas:core:2.0:User:department | Department |
| manager | | |
* The HRIS Identifier needs to be a unique value for each user. employeeId might be a good source attribute, if populated in Azure AD.
** There is no good source attribute by default in Azure AD. If a custom Azure AD attribute is present that could be used here, it can be passed to Bridge.
Custom Attributes
Any other attribute from Azure AD that is desired to be stored in Bridge as a Bridge custom attribute can be added with a Target attribute of urn:scim:schemas:extension:custom:2.0:User:<attribute name>
Example: urn:scim:schemas:extension:custom:2.0:User:StreetAddress
To delete a custom attribute, first ensure it is not configured as a rule in a smart group. Once this is done, you can delete the attribute by selecting "Add via CSV" and clicking the 'x' next to the attribute; there's no need to process a user import.
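How the mappings above turn into a SCIM user resource, as an added example (not Bridge's or Microsoft's code). The `switch` helper follows Azure's Switch(source, defaultValue, key1, value1, ...) mapping function, extension attributes are nested under their schema URN as RFC 7643 describes, and whether Bridge expects exactly this serialization is an assumption; the user record is constructed sample data.

```python
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"

def switch(source, default, *pairs):
    """Azure mapping function Switch(source, defaultValue, key1, value1, ...)."""
    if len(pairs) % 2:
        raise ValueError("Switch needs complete key/value pairs")
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if source == key:
            return value
    return default

def split_target(target):
    """Split 'urn:...:User:attr' into (schema URN, attribute name)."""
    if not target.startswith("urn:"):
        return CORE, target            # bare names such as 'active' are core attributes
    schema, _, attr = target.rpartition(":")
    return schema, attr

def build_scim_user(mapped):
    """mapped: {target attribute: value}, as produced by the attribute mappings."""
    resource = {"schemas": [CORE]}
    for target, value in mapped.items():
        if value in (None, ""):
            continue                   # empty source attribute: send nothing
        schema, attr = split_target(target)
        if schema == CORE:
            resource[attr] = value     # core attributes sit at the top level
        else:
            if schema not in resource["schemas"]:
                resource["schemas"].append(schema)
            resource.setdefault(schema, {})[attr] = value
    return resource

# Constructed Azure AD user record (sample data, not from a real tenant).
azure_user = {"IsSoftDeleted": "False", "department": "Finance", "streetAddress": "1 Example Way"}

mapped = {
    # Same expression as the required mapping: active is the inverse of IsSoftDeleted.
    "active": switch(azure_user["IsSoftDeleted"], None, "False", "True", "True", "False"),
    "urn:ietf:params:scim:schemas:core:2.0:User:department": azure_user["department"],
    "urn:scim:schemas:extension:custom:2.0:User:StreetAddress": azure_user["streetAddress"],
}

if __name__ == "__main__":
    print(json.dumps(build_scim_user(mapped), indent=2))
```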
Example attribute mapping configuration
Here is a full attribute mapping example with required, optional, and custom attributes.

Deleting a user in Bridge (soft delete)
To delete a user in Bridge, we actually have to unassign the user from the Bridge SCIM Azure app and then run a provisioning cycle or wait for the provisioning cycle to process that user.

NOTE: if you DEACTIVATE the user in Azure before unassigning them, they will NOT be deleted in Bridge. They must first be unassigned in Azure from the Bridge SCIM app.
The Azure admin on the client-side can also utilize “Provision on-demand” if they do not want to wait for the provisioning cycle.


You can find out more about Azure provisioning here: Understand how Application Provisioning in Azure Active Directory
List of SCIM endpoints
SCIM endpoints can only be reached using a SCIM API token generated by a Bridge support user.
- GET /api/scim/Users/ - Retrieves all SCIM users
- GET /api/scim/Users/:user_id - Retrieves a specific SCIM user based on its Bridge ID
- PATCH/PUT /api/scim/Users/:user_id - Updates a specific SCIM user based on its Bridge ID (this will also soft delete the user if a “deleted_at” field is populated or “active”:false).
- POST /api/scim/Users/ - Creates a new user with SCIM
- GET /api/scim/Groups - Retrieves all SCIM groups
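A pre-flight check for the Tenant URL and Secret Token from steps 10 to 12, and the request shapes for the endpoints listed above, as an added example (not Bridge's own client code). The PatchOp body and the `application/scim+json` media type follow RFC 7644 and are assumed to be what Bridge accepts; the token and user ID used with it are placeholders.

```python
import json
import urllib.request
from urllib.parse import urlsplit

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def validate_tenant_url(tenant_url):
    """Return the normalized base URL, or raise if it is unsafe or malformed."""
    parts = urlsplit(tenant_url)
    if parts.scheme != "https":
        raise ValueError("Tenant URL must use https: the bearer token travels on every request")
    if not parts.hostname or parts.username or parts.query or parts.fragment:
        raise ValueError("Tenant URL must be a plain host and path, without credentials or query")
    if parts.path.rstrip("/") != "/api/scim":
        raise ValueError("Tenant URL must end in /api/scim")
    return f"https://{parts.netloc}/api/scim"

def scim_request(tenant_url, token, method, path, body=None):
    """Build (but do not send) an authenticated request for one of the SCIM endpoints."""
    base = validate_tenant_url(tenant_url)
    if not token or any(c.isspace() for c in token):
        raise ValueError("token is empty or contains whitespace (copy/paste damage)")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/scim+json")
    if data is not None:
        req.add_header("Content-Type", "application/scim+json")
    return req

def soft_delete_body():
    """PATCH body that sets "active": false, which soft deletes the user."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

def describe(req):
    """Log-safe summary: method and URL only, never the Authorization header."""
    return f"{req.get_method()} {req.full_url}"

if __name__ == "__main__":
    url = "https://azurescimcustomer.bridgeapp.com/api/scim"
    print(describe(scim_request(url, "PLACEHOLDER-TOKEN", "GET", "/Users/")))
    print(describe(scim_request(url, "PLACEHOLDER-TOKEN", "PATCH", "/Users/123", soft_delete_body())))
```

Pass the returned object to `urllib.request.urlopen` to send it; keep the token out of shell history and logs, since it is long-lived.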