Configure Systam Visit for automatic user provisioning with Microsoft Entra ID

Capabilities supported

• Create users in Systam
• Update users in Systam (including primary workspace, name, emails, phone numbers, and active state)
• Remove (Hard Delete) users in Systam when they do not require access anymore
• Keep user attributes synchronized between Microsoft Entra ID and Systam
• Note: Group provisioning is not currently supported.

Prerequisites

• A Microsoft Entra tenant.
• A user account in Microsoft Entra ID with permission to configure provisioning (for example, Application Administrator, Cloud Application Administrator, Application Owner, or Global Administrator).
• A Systam organization account.
• A user account in Systam with Admin permissions.

Step 1: Plan your provisioning deployment

1. Learn about how the provisioning service works.
2. Determine who will be in scope for provisioning.
3. Determine what data to map between Microsoft Entra ID and Systam.

Step 2: Configure Systam to support provisioning with Microsoft Entra ID

1. Contact your Systam representative or Onboarding Team.
2. Provide them with the list of Workspace Identifiers you intend to map.
3. Obtain the SCIM Endpoint URL and the Bearer Token.

Step 3: Add Systam as a Non-Gallery Application

1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
2. Browse to Identity > Applications > Enterprise applications > New application.
3. Select Create your own application.
4. Enter a name for your application (e.g., "Systam").
5. Select Integrate any other application you don't find in the gallery (Non-gallery).
6. Click Create.

Step 4: Define who is in scope for provisioning

• Start small. Test with a small set of users and groups before rolling out to everyone.
• When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app.

Step 5: Configure automatic user provisioning to Systam

Part A: Admin Credentials

1. In the Systam application in Entra ID, select the Provisioning tab.
2. Set the Provisioning Mode to Automatic.
3. Under the Admin Credentials section, input the values provided by the Systam team:
   • Tenant URL: https://<api-endpoint>/scim/v2
   • Secret Token: Enter the Bearer Token provided by Systam.
4. Select Test Connection to ensure Microsoft Entra ID can connect to Systam. If the connection fails, ensure your Token is valid and try again.
5. Select Save.

Part B: Configure Custom Attributes (Crucial)

1. Under Mappings, select Provision Microsoft Entra ID Users.
2. Scroll to the bottom of the page and check Show advanced options.
3. Click Edit attribute list for Systam.
4. At the bottom of the attribute list, enter the following new attribute:
   • Name: urn:ietf:params:scim:schemas:extension:systam:2.0:User:primaryWorkspace
   • Type: String
5. Click Save.

Part C: Attribute Mappings

1. Back in the Attribute Mapping blade, review the default mappings.
2. Ensure the following standard mappings are present:
   
   

1. Add the Workspace Mapping:
   • Click Add New Mapping.
   • Source attribute: Select the attribute in Entra ID that contains the Workspace ID (e.g., department, physicalDeliveryOfficeName, or an extension attribute).
   • Target attribute: Select the custom attribute you added in Part B: urn:ietf:params:scim:schemas:extension:systam:2.0:User:primaryWorkspace.
   • Click OK.
2. Select Save to commit the changes.

Step 6: Monitor your deployment

• Use the provisioning logs to determine which users have been provisioned successfully or unsuccessfully.
• Check the progress bar to see the status of the provisioning cycle.

Important Considerations

• Organization Owners: Users designated as "Organization Owners" in Systam are protected. Any attempt to update or delete these users via SCIM will result in a 403 Forbidden error in the provisioning logs. This is expected behavior.
• No Soft Delete: Systam does not support a suspended or "soft-deleted" state. When a user is removed from scope or disabled in Entra ID (sending active: false), Systam permanently deletes the user account. If the user returns to scope later, they will be re-created as a new user.
• Matching Logic: If a user already exists in Systam with the same email address, provisioning links that account to the SCIM userName for this tenant; otherwise, a new user is created.
• Attributes: The custom Systam extension requires primaryWorkspace. Phone numbers are optional. Systam respects the primary flag (sent by default by Entra) to identify the main contact; specific type values (like "work" or "mobile") are ignored.

Additional resources

• Managing user account provisioning for Enterprise Apps
• What is application access and single sign-on with Microsoft Entra ID?