***

title: Configure SCIM with Microsoft Entra ID
updated: 2025-05-30T00:00:00.000Z
search\_keyword: azure ad
max-toc-depth: 2
----------------

Postman supports [SCIM](https://datatracker.ietf.org/doc/html/rfc7642) (System for Cross-domain Identity Management) provisioning through [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/) (formerly Azure Active Directory), allowing you to automate user provisioning and de-provisioning.

You must be a [Postman Admin or Super Admin](/docs/administration/roles-and-permissions/#team-roles) to enable SCIM for your team. If you have Postman Organizations enabled, then you must be an [Organization Manager](/docs/administration/roles-and-permissions/#team-roles). It's recommended that you enable SCIM with a [service account assigned the Super Admin role](/docs/administration/enterprise/enterprise-onboarding/#the-super-admin-role) or the Organization Manager role{/*link to Org manager role*/}.

With SCIM enabled, users won't have the option to leave your team on their own, and won't be able to change their account email or password. Only Admins, Super Admins, and Organization Managers have permission to remove team members. Only administrators in Microsoft Entra ID have permission to use SCIM to change user account emails if they're associated with a domain your team [verified](/docs/administration/domain-verification-and-capture/add-and-verify-a-domain/).

## Enabling SCIM in Microsoft Entra ID

Postman is available as an app in the Microsoft Entra application gallery. Once connected, Microsoft Entra ID queries the Postman SCIM endpoint every 40 minutes for assigned users, and creates or modifies them according to the assignment details you set.

To set up provisioning with Microsoft Entra ID, do the following:

1. In Postman, [enable SCIM](/docs/administration/scim-provisioning/scim-provisioning-overview/#enabling-scim-in-postman) and [generate a SCIM API key](/docs/administration/scim-provisioning/scim-provisioning-overview/#generating-scim-api-key).
2. Sign in to the [Microsoft Entra ID portal](https://entra.microsoft.com/).
3. Click **Applications**, then select **Enterprise applications** in the left pane.
4. Select the Postman app if you've already configured [SSO with Microsoft Entra ID](/docs/administration/sso/azure-ad/). Otherwise, click **+ New application**, search for "Postman", select the Postman app from the results, then click **Create**.
5. In the app management screen, select **Provisioning** in the left pane.
6. In the **Provisioning Mode** menu, click **Automatic**.
7. In the **Tenant URL** field, enter the Postman SCIM endpoint: `https://api.getpostman.com/scim/v2/`.
   <Warning title="Important" class="important-callout">
     If you're using the EU Data Residency plan, enter `https://api.eu.postman.com/scim/v2`.
   </Warning>
8. In the **Secret Token** field, enter your SCIM API key.
9. Click **Test Connection** to have Microsoft Entra ID attempt to connect to the Postman SCIM endpoint. An error message displays if the attempt fails. If the attempt is successful, the response is `HTTP 200 OK` with an empty SCIM `ListResponse` message.
10. Click **Save** to save the admin credentials.

Next, you will configure the Microsoft Entra ID integration.

## Configuring the Microsoft Entra ID SCIM integration

After you set up SCIM in Microsoft Entra ID, you can configure the integration with Postman for users. Optionally, you can also configure the integration for groups.

The attributes you select as **Attribute Mappings** are used to match the users or groups in Postman for update operations.

### Mapping user attributes

To map Postman user attributes to Microsoft Entra ID user attributes, do the following:

1. In the Microsoft Entra ID **Mappings** section, click **Yes** to turn on **Provision Azure Active Directory Users**. This is the set of attribute mappings for user objects.

2. Under **Target Object Actions**, click **Create**, **Update**, and **Delete**.

3. Under **Attribute Mappings**, click **Add New Mapping** to map the following attributes:

   | Microsoft Entra ID attribute | Target attribute  | Postman attribute | Mapping type | Match objects using this attribute | Apply this mapping |
   | ---------------------------- | ----------------- | ----------------- | ------------ | ---------------------------------- | ------------------ |
   | `user.email` \*              | `userName`        | `email`           | Direct       | Yes                                | Always             |
   | `surname`                    | `name.familyName` | `name`            | Direct       | No                                 | Always             |
   | `givenName`                  | `name.givenName`  | `name`            | Direct       | No                                 | Always             |
   | `Not([IsSoftDeleted])`       | `active`          | `active`          | Expression   | No                                 | Always             |

   \* For `user.email`, set the value for **Matching precedence** to `1`.

   <Info class="iconless-callout">
     **Notes**:

     * To avoid creating duplicate accounts, ensure that the SAML and SCIM values used for `user.email` match.
     * You must remove any existing attribute mappings that aren't on this list to avoid any conflicts or mismatches. Click **Delete** next to any mappings that aren't on this list to remove them.
   </Info>

4. Click **Save**.

### Mapping group attributes (Optional)

To map Postman group attributes to Microsoft Entra ID group attributes, do the following:

1. In the Microsoft Entra ID **Mappings** section, click **Yes** to turn on **Provision Azure Active Directory Groups**. This is the set of attribute mappings for group objects.

2. Under **Target Object Actions**, enable **Create**, **Update**, and **Delete**.

3. Under **Attribute Mappings**, click **Add New Mapping** to map the following attributes:

   | Microsoft Entra ID attribute | Target attribute | Postman attribute | Mapping type | Match objects using this attribute | Apply this mapping |
   | ---------------------------- | ---------------- | ----------------- | ------------ | ---------------------------------- | ------------------ |
   | `displayName` \*             | `displayName`    | `Group name`      | Direct       | Yes                                | Always             |
   | `members`                    | `members`        | `Group members`   | Direct       | No                                 | Always             |

   \* For `displayName`, set the value for **Matching precedence** to `1`.

   <Info class="iconless-callout">
     You must remove any existing attribute mappings that aren't on this list to avoid any conflicts or mismatches. Click **Delete** next to any mappings that aren't on this list to remove them.
   </Info>

4. Click **Save**.

### Completing the configuration

1. Under **Settings**, the **Scope** field defines which users are synchronized. Select **Sync only assigned users and groups** to only sync users assigned in the **Users and groups** tab.
2. Once your configuration is complete, set the **Provisioning Status** to **On**.
3. Click **Save**.

Once the first cycle begins, click **Provisioning logs** in the Microsoft Entra ID left pane to monitor the actions done in Postman by the provisioning service.