Enabling SCIM: Entra
SCIM is not required for SSO to work, but can provide the following benefits for larger teams:
Creating profiles in Claras ahead of time.
Automatically applying changes to user names, emails, and roles
Revoking access and archiving the profile in Claras immediately once a user is unassigned from the enterprise application or leaves your business.
Automatic updating of billing when users are assigned or removed from the enterprise application.
Without SCIM, users may continue to have access to Claras and billing will not be updated until you archive their profile in Claras.
Navigate to the SSO page in Claras and edit the provider using the three dots. Toggle on Enable SCIM.
By default, all new profiles will be created with the Adviser role, but you can use group based provisioning in Azure to optionally automate role mapping.
To do so, simply add the name of the group(s) you'd like to assign to a role under the Role Mapping tab.
Some important things to note when taking this approach:
The group must be assigned to the enterprise application for this to work
You do not need to set a value for all roles
Users will be assigned the highest level of privilege in order of owner > manager > adviser > assistant
The mappings can be updated after groups are assigned and the provisioning cycle has run, and the roles of users already in Claras will be re-checked / updated
If existing users in Claras don't match a group, we won't change their role
For security reasons, this automation will not downgrade the role of someone who is an Owner. This must be done through the Team page.
While this is convenient for large scale rollouts, you can also choose to leave these fields blank and manually update user roles in the Team page on an as needed basis.
Once done, click Update Provider. The provider will then show a green SCIM badge. This will not affect the existing SSO flow for users.
Still in Claras, Navigate to Settings > API and click + New API Key. Set a name and select scim.full for the scope. rest.full should be deselected.
Create the key and copy the value. This is the only time you'll be shown the key.
In your Entra Enterprise Application, navigate to Manage > Provisioning and click + New Configuration.
For the Secret token, paste the API key you just generated in Claras. For the Tenant URL, set https://claras.ai/api/scim/v2. You do not need to prepend anything to the token.
After testing the connection successfully, click Create.
Unlike Single Sign-on, attribute mappings for users and groups do not need to be configured.
Once ready, you can Start Provisioning from the Overview page. If you have assigned users or groups to the application, they will show in the Claras team page shortly after.
When a user is removed from the application, removed from an assigned group, or no longer active in your Entra account, they will be archived in Claras when the next provisioning cycle runs.
Nice work getting everything done! If you haven't already, be sure to read the Frequently Asked SSO Questions.
Creating profiles in Claras ahead of time.
Automatically applying changes to user names, emails, and roles
Revoking access and archiving the profile in Claras immediately once a user is unassigned from the enterprise application or leaves your business.
Automatic updating of billing when users are assigned or removed from the enterprise application.
Without SCIM, users may continue to have access to Claras and billing will not be updated until you archive their profile in Claras.
Step 1: Enable SCIM in Claras
Navigate to the SSO page in Claras and edit the provider using the three dots. Toggle on Enable SCIM.
By default, all new profiles will be created with the Adviser role, but you can use group based provisioning in Azure to optionally automate role mapping.
To do so, simply add the name of the group(s) you'd like to assign to a role under the Role Mapping tab.
Some important things to note when taking this approach:
The group must be assigned to the enterprise application for this to work
You do not need to set a value for all roles
Users will be assigned the highest level of privilege in order of owner > manager > adviser > assistant
The mappings can be updated after groups are assigned and the provisioning cycle has run, and the roles of users already in Claras will be re-checked / updated
If existing users in Claras don't match a group, we won't change their role
For security reasons, this automation will not downgrade the role of someone who is an Owner. This must be done through the Team page.
While this is convenient for large scale rollouts, you can also choose to leave these fields blank and manually update user roles in the Team page on an as needed basis.
Once done, click Update Provider. The provider will then show a green SCIM badge. This will not affect the existing SSO flow for users.
Step 2: Generate an API key
Still in Claras, Navigate to Settings > API and click + New API Key. Set a name and select scim.full for the scope. rest.full should be deselected.
Create the key and copy the value. This is the only time you'll be shown the key.
Step 3: Setup the Configuration
In your Entra Enterprise Application, navigate to Manage > Provisioning and click + New Configuration.
For the Secret token, paste the API key you just generated in Claras. For the Tenant URL, set https://claras.ai/api/scim/v2. You do not need to prepend anything to the token.
After testing the connection successfully, click Create.
Unlike Single Sign-on, attribute mappings for users and groups do not need to be configured.
Step 4: Start provisioning
Once ready, you can Start Provisioning from the Overview page. If you have assigned users or groups to the application, they will show in the Claras team page shortly after.
When a user is removed from the application, removed from an assigned group, or no longer active in your Entra account, they will be archived in Claras when the next provisioning cycle runs.
Next steps
Nice work getting everything done! If you haven't already, be sure to read the Frequently Asked SSO Questions.
Updated on: 12/05/2025
Thank you!