Configure SCIM with Microsoft Entra ID

Postman supports SCIM provisioning through Microsoft Entra ID (formerly Azure Active Directory), allowing you to automate user provisioning and de-provisioning for your team.

You must be a Postman Team Admin or Super Admin to enable SCIM for your team. It's recommended that you enable SCIM with a service account assigned the Super Admin role.

With SCIM enabled, users won't have the option to leave your team on their own, and won't be able to change their account email or password. Only Team Admins and Super Admins have permission to remove team members. Only administrators in Microsoft Entra ID have permission to use SCIM to change user account emails if they're associated with a domain your team verified.

Enabling SCIM in Microsoft Entra ID

Postman is available as an app in the Microsoft Entra application gallery. Once connected, Microsoft Entra ID queries the Postman SCIM endpoint every 40 minutes for assigned users, and creates or modifies them according to the assignment details you set.

To set up provisioning with Microsoft Entra ID, do the following:

  1. In Postman, enable SCIM and generate a SCIM API key.
  2. Sign in to the Microsoft Entra ID portal.
  3. Select Applications, then select Enterprise applications in the left pane.
  4. Select the Postman app if you've already configured SSO with Microsoft Entra ID. Otherwise, select + New application, search for "Postman", select the Postman app from the results, then select Create.
  5. In the app management screen, select Provisioning in the left pane.
  6. In the Provisioning Mode menu, select Automatic.
  7. In the Tenant URL field, enter the Postman SCIM endpoint: https://api.getpostman.com/scim/v2/.
  8. In the Secret Token field, enter your SCIM API key.
  9. Select Test Connection to have Microsoft Entra ID attempt to connect to the Postman SCIM endpoint. There will be an error message if the attempt fails. If the attempt is successful, the response is HTTP 200 OK with an empty SCIM ListResponse message.
  10. Select Save to save the admin credentials.

Next, you will configure the Microsoft Entra ID integration.

Configuring the Microsoft Entra ID SCIM integration

After you set up SCIM in Microsoft Entra ID, you can configure the integration with Postman for users. Optionally, you can also configure the integration for groups.

The attributes you select as Attribute Mappings are used to match the users or groups in Postman for update operations.

Mapping user attributes

To map Postman user attributes to Microsoft Entra ID user attributes, do the following:

  1. In the Microsoft Entra ID Mappings section, select Yes to turn on Provision Azure Active Directory Users. This is the set of attribute mappings for user objects.

  2. Under Target Object Actions, select Create, Update, and Delete.

  3. Under Attribute Mappings, select Add New Mapping to map the following attributes:

    | Microsoft Entra ID attribute | Target attribute | Postman attribute | Mapping type | Match objects using this attribute | Apply this mapping |
    |---|---|---|---|---|---|
    | userPrincipalName * | userName | email | Direct | Yes | Always |
    | surname | name.familyName | name | Direct | No | Always |
    | givenName | name.givenName | name | Direct | No | Always |
    | Not([IsSoftDeleted]) | active | active | Expression | No | Always |

    * For userPrincipalName, set the value for Matching precedence to 1.

    You must remove any existing attribute mappings that aren't on this list to avoid any conflicts or mismatches. Select Delete next to any mappings that aren't on this list to remove them.

  4. Select Save to commit any changes.
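
The following added example (not part of the original Postman documentation) applies the user attribute mappings from the table above to a directory record to show the SCIM User resource they produce, and flags configured mappings that differ from the table. The tuple layout, the function names, and the sample user and configuration are assumptions made for illustration; they are not an Entra export format.

```python
# Added example: rows copied from the user attribute mapping table on this page.
# Layout (an assumption): (source attribute or expression, target, type, match flag)
EXPECTED = [
    ("userPrincipalName", "userName", "Direct", True),
    ("surname", "name.familyName", "Direct", False),
    ("givenName", "name.givenName", "Direct", False),
    ("Not([IsSoftDeleted])", "active", "Expression", False),
]
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def audit_mappings(configured):
    """Compare configured mapping rows with the rows listed on this page."""
    expected, actual = set(EXPECTED), set(configured)
    return {
        "unexpected": sorted(actual - expected, key=lambda r: r[1]),  # delete in Entra
        "missing": sorted(expected - actual, key=lambda r: r[1]),     # add in Entra
    }


def to_scim_user(entra_user):
    """Build the SCIM User resource that the expected mappings produce."""
    resource = {"schemas": [USER_SCHEMA]}
    for source, target, kind, _match in EXPECTED:
        if kind == "Expression":
            # The only expression in the table: Not([IsSoftDeleted]).
            value = not entra_user.get("IsSoftDeleted", False)
        else:
            value = entra_user[source]
        node = resource
        *parents, leaf = target.split(".")
        for part in parents:  # walk or create nested objects such as "name"
            node = node.setdefault(part, {})
        node[leaf] = value
    return resource


# Constructed sample data, not taken from a real tenant.
SAMPLE_USER = {"userPrincipalName": "ada@example.com", "surname": "Lovelace",
               "givenName": "Ada", "IsSoftDeleted": True}
# Constructed configuration: the "active" row is absent and an extra row remains.
SAMPLE_CONFIG = EXPECTED[:3] + [("mail", 'emails[type eq "work"].value', "Direct", False)]

if __name__ == "__main__":
    print(to_scim_user(SAMPLE_USER))    # soft-deleted user is sent as active: False
    print(audit_mappings(SAMPLE_CONFIG))
```

A missing `active` row is the case to watch for: without it, a user soft-deleted in Microsoft Entra ID is never sent to Postman as inactive.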

Mapping group attributes (Optional)

To map Postman group attributes to Microsoft Entra ID group attributes, do the following:

  1. In the Microsoft Entra ID Mappings section, select Yes to turn on Provision Azure Active Directory Groups. This is the set of attribute mappings for group objects.

  2. Under Target Object Actions, enable Create, Update, and Delete.

  3. Under Attribute Mappings, select Add New Mapping to map the following attributes:

    | Microsoft Entra ID attribute | Target attribute | Postman attribute | Mapping type | Match objects using this attribute | Apply this mapping |
    |---|---|---|---|---|---|
    | displayName * | displayName | Group name | Direct | Yes | Always |
    | members | members | Group members | Direct | No | Always |

    * For displayName, set the value for Matching precedence to 1.

    You must remove any existing attribute mappings that aren't on this list to avoid any conflicts or mismatches. Select Delete next to any mappings that aren't on this list to remove them.

  4. Select Save to commit any changes.

Completing the configuration

  1. Under Settings, the Scope field defines which users are synchronized. Select Sync only assigned users and groups to only sync users assigned in the Users and groups tab.
  2. Once your configuration is complete, set the Provisioning Status to On.
  3. Select Save.

Once the first cycle has started, you can select Provisioning logs in the Microsoft Entra ID left pane to monitor the actions the provisioning service performs in Postman.

Last modified: 2022/11/30