Overview
SCIM (System for Cross-domain Identity Management) is an industry standard that enables organizations to automatically create, update, and remove users between their identity provider (such as Azure Active Directory) and Bureau Works. This integration helps your IT team keep user access up-to-date and secure—without manual user management.
This article explains step-by-step how to configure SCIM provisioning with Azure AD for Bureau Works.
Index
What is SCIM Provisioning?
Prerequisites
How to Enable SCIM Provisioning in Azure AD
3.1 Create or Access the Enterprise Application
3.2 Configure SCIM Provisioning
Assigning Users and Groups
Role Mapping in Bureau Works
Enabling Auto-Provisioning
Using the Same Azure Application for SCIM Provisioning a
1. What is SCIM Provisioning?
SCIM is an open standard used to automate the process of provisioning and deprovisioning users between your organization's identity provider (IdP) and Bureau Works. This allows you to manage user access centrally in Azure AD, making onboarding and offboarding more secure and efficient.
With Bureau Works SCIM provisioning, you can:
Automatically create, update, and remove users
Assign and update user roles based on Azure AD roles
Reduce manual administrative work
2. Prerequisites
To set up SCIM provisioning between Azure AD and Bureau Works, you’ll need:
An Azure AD administrator account
Bureau Works administrator access
The SCIM endpoint URL and Secret Token (found in Account Settings > SSO > Provisioning inside Bureau Works)
Access to Enterprise Applications in your Azure portal
3. How to Enable SCIM Provisioning in Azure AD
3.1 Create or Access the Enterprise Application
Go to the Azure portal and open Microsoft Entra ID (Azure AD).
Navigate to Enterprise Applications.
If you don’t have an Enterprise Application for Bureau Works yet:
Click + New Application
Select Create your own application
Enter a name (for example, "Bureau Works SCIM") and select Integrate any other application you don't find in the gallery (non-gallery)
Click Create.
3.2 Configure SCIM Provisioning
In your Enterprise Application, go to the Provisioning tab.
Set Provisioning Mode to Automatic.
Enter the SCIM endpoint URL and Secret Token provided by Bureau Works (Account Settings > SSO > Provisioning).
Click Test Connection to make sure Azure AD can connect.
Configure the attribute mapping:
Deactivate Provision Microsoft Entra ID Groups.
Edit the externalId attribute so that it maps to the user’s email (
mailfield).Add a new mapping:
Mapping Type: Expression
Value:
AssertiveAppRoleAssignmentsComplex([appRoleAssignments])Target Attribute:
roles[primary eq "True"].value
Click Save.
4. Assigning Users and Groups
Go to the Users and groups tab in your Enterprise Application.
Click Add user/group.
Select the users or groups you want to sync to Bureau Works.
Click Assign.
5. Role Mapping in Bureau Works
In Azure AD, open App Registration > App Roles and create roles matching your Bureau Works setup (for example: “admin”, “vendor”).
Assign users or groups to each role in Azure AD.
In Bureau Works, go to Account Settings > SSO > Provisioning > Role Mapping.
On the left, enter the Azure AD App Role value.
On the right, select the corresponding Bureau Works role.
Click Save.
When a role is assigned to a group in Azure AD, all members receive that role in Bureau Works automatically.
6. Enabling Auto-Provisioning
In your Enterprise Application, go to the Provisioning tab.
Set Provisioning Status to On.
Click Save.
Note: The first synchronization will start immediately and then run automatically every 20–40 minutes, depending on your data volume.
7. Using the Same Azure Application for SCIM Provisioning and SSO
It is possible—and recommended—to use a single Azure AD Enterprise Application to manage both user provisioning (SCIM) and Single Sign-On (SSO) with Bureau Works. This unified approach simplifies administration, ensures that user access and permissions are always in sync, and reduces the number of applications you need to manage in your Azure portal.
The SSO (Single Sign-On) configuration steps are not covered in this article. For a detailed, step-by-step guide on how to set up SSO with Bureau Works, please refer to our dedicated article: Bureau Works Single Sign-On (SSO).