---
title: "Microsoft Entra ID (formerly Azure Active Directory) (SCIM)"
slug: "microsoft-entra-id-formerly-azure-active-directory-scim"
updated: 2026-04-07T09:06:42Z
published: 2026-04-07T09:06:42Z
canonical: "support.perimeter81.com/microsoft-entra-id-formerly-azure-active-directory-scim"
---


# Microsoft Entra ID (formerly Azure Active Directory) (SCIM)

## High-Level Procedure

- [Part 1: Configure Entra ID](/v1/docs/microsoft-entra-id-formerly-azure-active-directory-scim#phase-1-configure-entra-id)
  - [Creating an Application in Entra ID](/v1/docs/microsoft-entra-id-formerly-azure-active-directory-scim#step-1-creating-an-application-in-entra-id)
  - [Configuring API Permissions](/v1/docs/microsoft-entra-id-formerly-azure-active-directory-scim#step-2-configuring-api-permissions)
  - [Configuring Secret Key for the Application](/v1/docs/microsoft-entra-id-formerly-azure-active-directory-scim#step-3-configuring-secret-key-for-the-application)
- [Part 2: Configuring Harmony SASE IDP](/v1/docs/microsoft-entra-id-formerly-azure-active-directory-scim#phase-2-configuring-harmony-sase-idp)
- [Part 3: Configuring SCIM](/v1/docs/microsoft-entra-id-formerly-azure-active-directory-scim#phase-3-configuring-scim)

## Part 1: Configure Entra ID

### Step 1 - Creating an application in Entra ID

1. Access the Microsoft Azure Portal using administrator credentials.
2. From Azure services, click **Microsoft Entra ID**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1771484945485.png)
3. Click **Overview**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Overview_License(1).PNG)
4. From the **Basic information** section, make a note of the **License**.
5. Go to **Manage** > **Enterprise applications**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1771485118350.png)
6. Go to **All applications**.
7. Click **New application**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/ClickNewApplication.PNG)
8. In the **Browse Microsoft Entra Gallery** page, click **Create your own application**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/BrowseMicrosoftCreateyourOwn(1).PNG)
9. In the **Create your own application** panel that appears on the right, enter the application name (for example, **Check Point SASE**) and click **Create**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/WhatsthenameofurApp.PNG)  
Once the application is created, the **Overview** page appears.
10. Click the ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/CopyIcon1.PNG) icon next to **Application ID** to copy it.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/AppliID_Assignusersandgroups.PNG)
11. Click **Assign users and groups** and then click **Add user/group**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/AddUser_Group.PNG)
12. In the **Users** section, click **None Selected**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/AddAssignment_NoneSelected.PNG)
13. Select the users and groups you want to add to the application and click **Select**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1771485813324.png)
14. Click **Assign**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/AddAssignment_Users_Assign.PNG)  
Once assigned, the Home page appears.
15. Click **Microsoft Entra ID**.
16. From the left panel, click **App registrations**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1771503639707.png)
17. In the **All applications** tab, click the application you created.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1771504259153.png)
18. Go to **Manage** > **Authentication (Preview)** and click **Add Redirect URI**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1771494566343.png)
19. In the **Select a platform to add redirect URI** panel that appears on the right, select **Web**.
20. In the **Redirect URIs** field, enter your workspace name and click **Configure**:
  - For EU based platform - [https://workspace.eu.sase.checkpoint.com](https://workspace.eu.sase.checkpoint.com)
  - For US based platform - [https://workspace.perimeter81.com](https://workspace.perimeter81.com)
  - For AU based platform - [https://workspace.au.sase.checkpoint.com](https://workspace.au.sase.checkpoint.com)
  - For IN based platform - [https://workspace.in.sase.checkpoint.com](https://workspace.in.sase.checkpoint.com)  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1771500403561.png)
21. In the **Redirect URI Configuration** section, click **Edit** and add these:
  - For EU based platform - [https://auth.eu.sase.checkpoint.com/login/callback](https://auth.eu.sase.checkpoint.com/login/callback)
  - For US based platform - [https://auth.perimeter81.com/login/callback](https://auth.perimeter81.com/login/callback)
  - For AU based platform - [https://auth.au.sase.checkpoint.com/login/callback](https://auth.au.sase.checkpoint.com/login/callback)
  - For IN based platform - [https://auth.in.sase.checkpoint.com/login/callback](https://auth.in.sase.checkpoint.com/login/callback)  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1771500541617.png)
22. Click **Configure**.
23. Click **Settings**. In the **Front‑channel logout URL** section, enter your workspace name:
  - For EU based platform - https://workspace.eu.sase.checkpoint.com
  - For US based platform - https://workspace.perimeter81.com
  - For AU based platform - https://workspace.au.sase.checkpoint.com
  - For IN based platform - https://workspace.in.sase.checkpoint.com  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1771501014688.png)
24. In the **Supported account types** section, select the applicable option for supported account types and click **Save**.

### Step 2 - Configuring API Permissions

1. From the left panel, click **Manage** > **API permissions** and then click **Add a permission**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/APIPermission_AddPermission.PNG)  
The **Request API permissions** panel appears to the right.
2. Select the **Microsoft APIs** tab and then select **Microsoft Graph**.
3. Click **Delegated permissions**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/MicrosoftGraph_Delegatedpermissions.PNG)
4. Click **Directory** to view the permissions and then select **Directory.Read.All**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Directory_Access_User_Read_All.PNG)
5. Click **User** to view the permissions and then select **User.Read**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/User.Read_Checkbox.PNG)
6. Scroll to the top of the page and click **Application permissions**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/MicrosoftGraph_Applicationpermissions.PNG)
7. Click **Directory** to view the permissions and then select **Directory.Read.All**.
8. Click **Add permissions**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Directory.Read.All_AddPermissions.PNG)
9. Click **Grant admin**.  
The **Grant admin consent confirmation** window appears.
10. Click **Yes**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/GrantAdminConsentforRonaldLabs.PNG)

### Step 3 - Configuring Secret Key for the Application

1. From the left panel, select **Certificates & secrets** and click the **Client secrets** tab.
2. Click **New client secret**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/ClientSecretsTab.PNG)  
Note - You must use this client secret (password) as the Client Secret when connecting with the Check Point SASE IDP.
3. In the **Add a client secret** panel that appears on the right, specify these:
  1. **Description** - Enter a description.
  2. **Expires** - Select the secret expiration from the list.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Addaclientsecret_Description_Expires.PNG)
4. Click **Add**.
5. To copy the secret value, in the **Value** field, click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/CopyIcon1.PNG).  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Value_SecretID(2).PNG)

## Part 2: Configuring Check Point SASE IDP

1. Access the Check Point SASE Administrator Portal.
2. Go to **Settings** > **Identity Providers**.
3. Click **Add Provider**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/ClickAddProvider.PNG)  
The **Add identity provider** window appears.
4. Select **Microsoft Azure AD** and click **Continue**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/MicrosoftAzureID_Continue.PNG)
5. Enter these details (available on the Microsoft Entra ID Overview page):
  - **Microsoft Azure AD Domain**
  - (Optional) **Domain Aliases**
  - **Client ID** (you copied while [Creating an application in Entra ID](/v1/docs/microsoft-entra-id-formerly-azure-active-directory-scim#step-1-creating-an-application-in-entra-id))
  - **Client Secret** (you copied while [configuring the key](/v1/docs/microsoft-entra-id-formerly-azure-active-directory-scim#step-3-configuring-secret-key-for-the-application))  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/M-AD(1).PNG)
6. Select the **SCIM Integration** checkbox.
7. Click **Done**.  
The Azure AD identity provider is created successfully.
8. In the **Microsoft Azure AD** section, click **Settings**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Click_Settings.PNG)
9. Click **Generate Token**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Click_GenerateToken.PNG)  
The **Azure AD SCIM Data** window appears.
10. Copy the URL and Token and then click **Close**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/CopyToken_Close.PNG)

## Part 3: Configuring SCIM

1. Access the Microsoft Azure Portal using administrator credentials.
2. Go to **Microsoft Entra ID** > **Enterprise Applications** and locate the application previously created in [**Step 1 - Creating an application in Entra ID**](/v1/docs/microsoft-entra-id-formerly-azure-active-directory-scim#step-1-creating-an-application-in-entra-id).
3. Click the application name to open the configuration.
4. Click **Get Started** in the **Provision User Accounts** tile.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1771502084425.png)
5. Click **Provisioning**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1771502206788.png)
6. From the **Provisioning Mode** list, select **Automatic**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/ClickTestConnection.PNG)
7. Expand **Admin Credentials**.
8. In the **Tenant URL** field, enter the SCIM URL that corresponds to your Check Point SASE tenant region:
  - For US based platform - [https://api.perimeter81.com/api/scim](https://api.perimeter81.com/api/scim)
  - For EU based platform - [https://api.eu.sase.checkpoint.com/api/scim](https://api.eu.sase.checkpoint.com/api/scim)
  - For AU based platform - [https://api.au.sase.checkpoint.com/api/scim](https://api.au.sase.checkpoint.com/api/scim)
  - For IN based platform - [https://api.in.sase.checkpoint.com/api/scim](https://api.in.sase.checkpoint.com/api/scim)
9. In the **Secret Token** field, paste the token you copied in [**Part 2: Configuring Check Point SASE IDP**](/v1/docs/microsoft-entra-id-formerly-azure-active-directory-scim#part-2-configuring-harmony-sase-idp) section **step 10**.
10. Click **Test Connection**.
11. Click **Save** at the top left corner.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Provisioning_Save(1).PNG)
12. Expand **Mappings**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/ExpandMapping.PNG)
13. Make sure that these options are enabled:
  1. **Provision Microsoft Entra ID Groups**
  2. **Provision Microsoft Entra ID Users**
14. Click **Provision Microsoft Entra ID Users**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/ProvisionMicrosoftEntraIDUsers_Yes.PNG)
15. In the **Attribute Mappings** section, for **userName**, click **Edit**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/AttributeMappings_userName.PNG)
16. From the **Source attribute** list, select **mail**.
17. From the **Match precedence** list, select **2**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/EditAttribute_OK.PNG)
18. Click **OK**.
19. Locate the **emails[type eq “work”].value** attribute and click **Edit**.
20. From the **Source attribute** list, select **userPrincipalName**.
21. From the **Match objects using this attribute** list, select **Yes**.
22. From the **Matching precedence** list, select **3**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1767844069755.png)
23. Click **OK**.
24. Go back to **Attribute Mappings** section and click **Add New Mapping**.
25. From the **Source attribute** list, select **objectId**.
26. From the **Target attribute** list, select **nickName**.
27. From the **Match objects using this attribute** list, select **Yes**.
28. From the **Matching precedence** list, select **1**.
29. From the **Apply this mapping** list, select **Only during object creation**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1767842744122.png)
30. Click **OK**.
31. Retain these attributes and delete other attributes:
  - **nickName**
  - **emails[type eq “work”].value**
  - **userName**
  - **active**
  - **name.givenName**
  - **name.familyName** (surname)  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1767844251148.png)
32. Click **Save**.
33. Go to the SCIM application and select **Users and groups**.
34. Click **Add users/group**.
35. In the **Users** section, click **None Selected**.
36. Select the user(s).
37. Click **Select** and then click **Assign**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Users_SelectUserCheckbox_Select.PNG)
38. Go to the SCIM application.
39. Go to **Overview**.
40. Click **Start provisioning**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1771502635436.png)
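
The user attribute mappings from steps 15 to 31, modelled as an added Python example (not Check Point or Microsoft code): it builds the SCIM User resource those mappings produce and tries the three matching attributes in precedence order, stopping at the first hit. The source attributes for **active**, **name.givenName** and **name.familyName** and the sample user are assumptions; the page does not list them.

```python
# Added illustration, not vendor code. SCIM target -> (Entra source, matching precedence, create-only?)
MAPPINGS = {
    "nickName": ("objectId", 1, True),
    "userName": ("mail", 2, False),
    'emails[type eq "work"].value': ("userPrincipalName", 3, False),
    "active": ("accountEnabled", None, False),     # assumed source (simplified)
    "name.givenName": ("givenName", None, False),  # assumed source
    "name.familyName": ("surname", None, False),   # assumed source
}
MATCH_ORDER = sorted((p, t, s) for t, (s, p, _c) in MAPPINGS.items() if p)

def build_scim_user(entra_user, creating=True):
    """Build the SCIM User resource the mappings produce for one Entra user."""
    user = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for target, (source, _prec, create_only) in MAPPINGS.items():
        if create_only and not creating:
            continue  # nickName is applied only during object creation
        value = entra_user[source]
        if target.startswith("emails["):
            user["emails"] = [{"type": "work", "value": value}]
        elif "." in target:
            parent, child = target.split(".", 1)
            user.setdefault(parent, {})[child] = value
        else:
            user[target] = value
    return user

def read_target(scim_user, target):
    """Read a mapped attribute back out of a SCIM User resource."""
    if target.startswith("emails["):
        work = [e["value"] for e in scim_user.get("emails", []) if e.get("type") == "work"]
        return work[0] if work else None
    node = scim_user
    for part in target.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def find_match(entra_user, existing):
    """Try matching attributes in precedence order; the first hit wins."""
    for _prec, target, source in MATCH_ORDER:
        wanted = entra_user.get(source)
        for scim_user in existing:
            if wanted and read_target(scim_user, target) == wanted:
                return target, scim_user
    return None, None

# Constructed sample directory object (not real data).
ALICE = {"objectId": "00000000-0000-0000-0000-0000000000a1", "mail": "alice@example.com", "givenName": "Alice",
         "userPrincipalName": "alice@corp.example.com", "accountEnabled": True, "surname": "Ng"}
```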
