This article describes the steps you need to perform in both Systam and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and de-provisions users to Systam using the Microsoft Entra provisioning service.
For important details on what this service does, how it works, and frequently asked questions, see Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID.
Capabilities supported
- Create users in Systam.
- Update users in Systam (including primary workspace, name, emails, phone numbers, and active state).
- Remove (Hard Delete) users in Systam when they do not require access anymore.
- Keep user attributes synchronized between Microsoft Entra ID and Systam.
- Note: Group provisioning is not currently supported.
Prerequisites
The scenario outlined in this article assumes that you already have the following prerequisites:
- A Microsoft Entra tenant.
- A user account in Microsoft Entra ID with permission to configure provisioning (for example, Application Administrator, Cloud Application Administrator, Application Owner, or Global Administrator).
- A Systam organization account.
- A user account in Systam with Admin permissions.
Important Considerations
- Organization Owners: Users designated as "Organization Owners" in Systam are protected. Any attempt to update or delete these users via SCIM will result in a 403 Forbidden error in the provisioning logs. This is expected behavior.
- No Soft Delete: Systam does not support a suspended or "soft-deleted" state. When a user is removed from scope or disabled in Entra ID (sending active: false), Systam permanently deletes the user account. If the user returns to the scope later, they will be re-created as a new user.
- Matching Logic: If a user already exists in Systam with the same email address, provisioning links that account to the SCIM userName for this tenant; otherwise, a new user is created.
- Groups: Systam does not currently support groups provisioning.
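Because active: false means permanent deletion in Systam, it helps to be able to recognise that operation in a SCIM request body. The following is an added example, not code from Systam or Microsoft: it classifies a SCIM 2.0 PatchOp message (RFC 7644) as deactivating or not. The function names and sample bodies are constructed, and accepting the string form "False" is a defensive assumption for clients that send the boolean as text.

```python
# Added example: decide whether a SCIM PatchOp body deactivates a user.
# Per the page, Systam treats active: false as a permanent delete.
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _is_false(value):
    """Accept JSON false and the string forms "False"/"false" (assumption)."""
    return value is False or (isinstance(value, str) and value.strip().lower() == "false")


def deactivates_user(body):
    """True if any replace/add operation sets active to false."""
    msg = json.loads(body)
    if PATCH_SCHEMA not in msg.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    for op in msg.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("replace", "add"):
            continue
        path, value = op.get("path"), op.get("value")
        if path is None and isinstance(value, dict):
            # Pathless form: value is an object keyed by attribute name.
            if any(k.lower() == "active" and _is_false(v) for k, v in value.items()):
                return True
        elif isinstance(path, str) and path.lower() == "active" and _is_false(value):
            return True
    return False


# Constructed sample bodies.
DISABLE = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Replace", "path": "active", "value": "False"}]})
PATHLESS = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "replace", "value": {"active": False}}]})
RENAME = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "replace", "path": "name.givenName", "value": "Anna"}]})

if __name__ == "__main__":
    for name, body in (("DISABLE", DISABLE), ("PATHLESS", PATHLESS), ("RENAME", RENAME)):
        print(name, "-> hard delete in Systam" if deactivates_user(body) else "-> no delete")
```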
Step 1: Plan your provisioning deployment
- Learn about how the provisioning service works.
- Determine who will be in scope for provisioning.
- Determine what data to map between Microsoft Entra ID and Systam.
Step 2: Configure Systam to support provisioning with Microsoft Entra ID
Before configuring the provisioning in Microsoft Entra ID, you will need the Tenant URL and Secret Token from Systam.
- Contact your Systam representative or Onboarding Team.
- Provide them with the list of Workspace Identifiers you intend to map.
- Obtain the SCIM Endpoint URL and the Bearer Token.
Note: Ensure you have these credentials ready before proceeding to Step 3.
Step 3: Add Systam as a Non-Gallery Application
Since Systam is a custom integration, you must add it as a non-gallery application.
- Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
- Browse to Identity > Applications > Enterprise applications > New application.
- Select Create your own application.
- Enter a name for your application (e.g., "Systam").
- Select Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create.
Step 4: Define who is in scope for provisioning
The Microsoft Entra provisioning service allows you to scope who is provisioned based on assignment to the application or based on attributes of the user or group. If you choose to scope who is provisioned to your app based on assignment, you can use the following steps to assign users and groups to the application.
- Start small. Test with a small set of users and groups before rolling out to everyone.
- When the scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app.
Step 5: Configure automatic user provisioning to Systam
This section guides you through the steps to configure the Microsoft Entra provisioning service to create, update, and disable users in Systam.
Part A: Admin Credentials
- In the Systam application in Entra ID, select the Provisioning tab.
- Under "Manage", select Provisioning and set the Provisioning Mode to Automatic.
- Under the Admin Credentials section, input the values provided by the Systam team:
  - Tenant URL: https://<api-endpoint>/scim/v2
  - Secret Token: Enter the Bearer Token provided by Systam.
- Select Test Connection to ensure Microsoft Entra ID can connect to Systam. If the connection fails, ensure your Token is valid and try again.
- Continue to part B.
Part B: Configure Custom Attributes (Crucial)
Systam requires a custom attribute primaryWorkspace to be sent during user creation. You must add this to the schema before mapping it.
- Within the same page, open Mappings.
- Under Mappings, select Provision Microsoft Entra ID Users.
- Scroll to the bottom of the page and check Show advanced options.
- Click Edit attribute list for Systam.
- At the bottom of the attribute list, enter the following new attribute:
  - Name: urn:ietf:params:scim:schemas:extension:systam:2.0:User:primaryWorkspace
  - Type: String
- Click Save.
Part C: Attribute Mappings
Systam uses a focused set of user attributes from Microsoft Entra ID for provisioning.
The attribute mappings are configured on the Provisioning tab of the Systam Visit enterprise application.
Identity and status
- userName
  - Unique identifier for the user in Systam.
  - This is taken from the source attribute you configure in the userName mapping (typically the user’s sign-in name, such as UPN or email address).
- active
  - Indicates whether the user account should exist in Systam.
  - The value is determined by the expression you configure in the active mapping.
Contact details
Systam uses contact details from Microsoft Entra ID only when the type is set to work or other. Any other types used in the mappings are rejected and cause provisioning to fail for those users.
- Email addresses
  - The value mapped as "work" email attribute (for example emails[type eq "work"].value) is used as the user’s primary email address in Systam.
  - A "work" email address is required. If a user does not have a "work" email, provisioning for that user will fail.
- Phone numbers
  - If you choose to map phone numbers, the value mapped as the "work" phone attribute (for example phoneNumbers[type eq "work"].value) is used as the user’s primary phone number in Systam.
  - A "work" phone number is required if any phone numbers are mapped.
  - If you do not want to manage phone numbers in Systam, leave phone numbers unmapped.
  - If you do map phone numbers, make sure every in-scope user has a "work" phone number, or provisioning for those users will fail.
In practice:
- The "work" email address is always the main email used for the user in Systam.
- When phone numbers are mapped, the "work" phone number is the main number used for the user in Systam.
Part D: Custom Attribute mapping
Systam requires a custom primaryWorkspace attribute that defines the user’s primary workspace.
- The value mapped to primaryWorkspace is used as the user’s main workspace in Systam.
- primaryWorkspace is required. If this attribute is not provided for a user, provisioning for that user will fail.
- The value must match one of the workspace identifiers configured in Systam. If the value does not match any existing workspace, provisioning for that user will fail.
- If the primaryWorkspace value changes in Microsoft Entra ID, the change is applied to the user in Systam on the next provisioning cycle.
- Back in the Attribute Mapping blade, review the default mappings.
- Add the Workspace Mapping:
- Scroll to the bottom of the mapping list and click Add New Mapping.
  - Source attribute: Select the attribute in Entra ID that will be used to determine the employee’s primary physical location (e.g., department, physicalDeliveryOfficeName, country, city, or an extension attribute).
  - Target attribute: Select the custom attribute you added in Part B: urn:ietf:params:scim:schemas:extension:systam:2.0:User:primaryWorkspace.
  - Click OK.
- Select Save to commit the changes.
The following table shows an example of a possible mapping configuration:
Systam Attribute | Microsoft Entra ID Attribute (examples) | Required |
userName | userPrincipalName | Yes |
active | Switch([IsSoftDeleted], , "False", "True", "True", "False") | Yes |
name.givenName | givenName | Yes |
name.familyName | surname | Yes |
emails[type eq "work"].value | Coalesce(mail, userPrincipalName) | Yes (user must have at least one email address mapped) |
emails[type eq "other"].value | first([otherMails]) | No |
phoneNumbers[type eq "work"].value | mobile | No |
phoneNumbers[type eq "other"].value | telephoneNumber | No |
preferredLanguage | preferredLanguage | No |
urn:ietf:params:scim:schemas:extension:systam:2.0:User:primaryWorkspace | department | Yes |
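The rules in Parts C and D can be checked against a user record before provisioning is switched on. The following is an added example, not Systam's or Microsoft's code: it validates a SCIM User resource against those rules and lists every reason provisioning would fail. It assumes the custom attribute is carried as an object under the extension schema URN (the usual SCIM representation) and that workspace identifiers are compared exactly; the function names, users, and workspace identifiers are constructed.

```python
# Added example: pre-flight check of a SCIM User against the Part C/D rules.
EXT = "urn:ietf:params:scim:schemas:extension:systam:2.0:User"
ALLOWED_TYPES = {"work", "other"}


def _check_contacts(user, key, label, required):
    """Apply the work/other type rules to emails or phoneNumbers."""
    entries = user.get(key) or []
    problems = [
        f"{label} type {e.get('type')!r} is rejected (only work/other)"
        for e in entries if e.get("type") not in ALLOWED_TYPES
    ]
    has_work = any(e.get("type") == "work" and e.get("value") for e in entries)
    if (required or entries) and not has_work:
        problems.append(f'a "work" {label} is required')
    return problems


def validate_user(user, known_workspaces):
    """Return the reasons provisioning would fail; an empty list means OK."""
    problems = []
    if not user.get("userName"):
        problems.append("userName is missing")
    problems += _check_contacts(user, "emails", "email", required=True)
    # Phone numbers are optional, but once mapped a "work" number is needed.
    problems += _check_contacts(user, "phoneNumbers", "phone number", required=False)
    workspace = (user.get(EXT) or {}).get("primaryWorkspace")
    if not workspace:
        problems.append("primaryWorkspace is missing")
    elif workspace not in known_workspaces:  # exact match is an assumption
        problems.append(f"primaryWorkspace {workspace!r} matches no workspace")
    return problems


# Constructed sample data.
WORKSPACES = {"HEL-HQ", "TKU-OFFICE"}
GOOD = {"userName": "anna@example.com", EXT: {"primaryWorkspace": "HEL-HQ"},
        "emails": [{"type": "work", "value": "anna@example.com"}]}
BAD = {
    "userName": "ben@example.com",
    "emails": [{"type": "home", "value": "ben@example.org"}],
    "phoneNumbers": [{"type": "other", "value": "+358 40 0000000"}],
    EXT: {"primaryWorkspace": "Sales"},
}

if __name__ == "__main__":
    for u in (GOOD, BAD):
        print(u["userName"], validate_user(u, WORKSPACES) or "OK")
```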
Step 6: Test and start provisioning
- Test with on-demand provisioning
- Select Provision on demand, choose a test user that is in scope, and run the operation.
- Enable automatic provisioning
- Set Provisioning status to On and choose the desired scope for provisioning.
- Monitor provisioning
- Use the provisioning logs to determine which users have been provisioned successfully.
- Check the progress bar to see the status of the provisioning cycle.
Additional resources
- Managing user account provisioning for Enterprise Apps
- What is application access and single sign-on with Microsoft Entra ID?