Skip to content
Contact us
  • There are no suggestions because the search field is empty.

How to set up SCIM provisioning with Vatix 

This guide walks you through connecting Microsoft Entra ID (formerly Azure Active Directory) to Vatix using SCIM (System for Cross-domain Identity Management). Once SCIM is configured, changes you make in Entra ID, such as adding new joiners, removing leavers, or updating user roles, are automatically synced to Vatix.

Note: This guide covers Microsoft Entra ID. If you use a different identity provider, contact your Vatix account manager for tailored instructions.

Before you start

Before you begin, make sure you have:

  • Administrator access to your Microsoft Entra ID tenant.
  • SSO already configured with Vatix. SCIM provisioning builds on your existing SSO setup.
  • SCIM credentials from Vatix. Your Vatix account manager will provide a Tenant URL (the SCIM endpoint) and a Secret Token (the access token for authentication).

If you haven't received your SCIM credentials yet, contact your Vatix account manager before proceeding.

Step 1: Create an Enterprise Application in Entra ID

You'll create a dedicated Enterprise Application that acts as the connector between Entra ID and Vatix.

  1. Log in to the Microsoft Entra admin centre.
  2. Go to 'Identity'.
  3. Select 'Applications'.
  4. Select 'Enterprise Applications'.
  5. Click 'New Application'.
  6. Select 'Create your own application'.
  7. Enter a name for the application, for example 'Vatix SCIM Provisioning'.
  8. Select 'Integrate any other application you don't find in the gallery (Non-gallery)'.
  9. Click 'Create'.

For more details, see Microsoft's documentation.

Step 2: Set up groups for roles and licences

Vatix uses your Entra ID groups to automatically assign roles and product licences to provisioned users. Set up the groups that will control access in Vatix before assigning users to the application.

How it works

Each Entra ID group that you assign to the Vatix application can be mapped to a Vatix role and a set of product licences. When a user is added to a group, they automatically receive the corresponding role and licences in Vatix.

Your Vatix account manager will work with you to configure the mapping between your Entra ID groups and Vatix roles and licences. To prepare, decide which groups should map to which Vatix access levels and share this mapping with your account manager.

Recommended group structure

Create dedicated security groups in Entra ID that correspond to how you want users to access Vatix.

For example:

Entra ID Group

Vatix Role

Vatix Licences

Vatix - Account Owners

Account Owner

All product licences

Vatix - Managers

Manager

Events, Documents

Vatix - Standard Users

User

Events, Audits

The exact group names and mappings are flexible. Use whatever naming convention works for your organisation. Groups don't need to map to both a role and licences. Either can be left empty.

For example, you might have one group that only assigns a role and separate groups that grant specific product licences. This gives you flexibility to manage roles and licences independently.

Creating groups in Entra ID

  1. In the Entra admin centre, go to 'Identity'.
  2. Select 'Groups'.
  3. Select 'All groups'.
  4. Click 'New group'.
  5. Set 'Group type' to 'Security'.
  6. Enter a name, for example 'Vatix - Managers'.
  7. Add the relevant users as members.
  8. Click 'Create'.
  9. Repeat for each access level you need.

Tip: If you have Entra ID P1 or P2 licences, consider using dynamic membership rules to automatically add users to groups based on attributes. Group membership stays up to date without manual management.

Key things to know about group-based access

  • Users in multiple groups receive the union of all licences from their groups and are assigned the highest role among them. For example, a user in both 'Vatix - Managers' and 'Vatix - Standard Users' would get the Manager role plus all licences from both groups.
  • Removing a user from a group doesn't immediately revoke permissions. Changes are applied during the next provisioning sync cycle, at which point Vatix evaluates all of the user's current group memberships to determine their correct role and licences.
  • Users who are not in any mapped groups default to the basic User role with no product licences.
  • Removing a user from all groups revokes their elevated role and licences, reverting them to the baseline.
  • Deactivating a user in Entra ID removes their access and licences in Vatix entirely, regardless of group membership.

Share your mapping with Vatix

Once your groups are ready, provide your Vatix account manager with a mapping table listing each group name and the Vatix role and licences it should grant. Your account manager will configure this on the Vatix side once provisioning is active and the groups have synced.

Note: Until the mapping is configured, no changes will be made to your users' existing roles or licences.

Step 3: Assign users and groups to the application

Only users and groups assigned to the Enterprise Application will be synchronised with Vatix. This gives you full control over which users are provisioned.

  1. In your Enterprise Application, go to 'Users and groups'.
  2. Click 'Add user/group'.
  3. Select the groups you created in Step 2 (and any individual users) to provision to Vatix.
  4. Click 'Assign'.

Note: Assigning a group to the application provisions all members of that group. Make sure your group memberships are correct before starting provisioning.

Step 4: Configure the provisioning connection

This is where you connect Entra ID to Vatix using the SCIM credentials provided by your Vatix account manager.

  1. In the Enterprise Application, go to 'Provisioning'.
  2. Click 'Get started' (or 'Edit provisioning' if provisioning has been opened before).
  3. Set 'Provisioning Mode' to 'Automatic'.
  4. Under 'Admin Credentials', paste the SCIM endpoint URL provided by Vatix into the 'Tenant URL' field.
  5. Paste the access token provided by Vatix into the 'Secret Token' field.
  6. Click 'Test Connection' to verify that Entra ID can connect to the Vatix SCIM endpoint. You should see a confirmation that the credentials are authorised.
  7. Click 'Save'.

Step 5: Start provisioning

Once the connection is verified, you're ready to begin synchronising users.

  1. Still in the 'Provisioning' section, set the 'Provisioning Status' toggle to 'On'.
  2. Click 'Save'.

Entra ID will now run an initial provisioning cycle, synchronising all assigned users and groups to Vatix. After the initial cycle, Entra ID automatically syncs changes approximately every 40 minutes.

Tip: To sync a user immediately, use the 'Provision on demand' feature in Entra ID to push individual user changes to Vatix without waiting for the next automatic cycle. Go to 'Provisioning', then select 'Provision on demand', search for the user, and click 'Provision'.

What happens next

Once provisioning is active:

  • New users assigned to the application are automatically created in Vatix with the role and licences determined by their group membership.
  • Group membership changes are synchronised during the next provisioning cycle. Adding a user to a mapped group grants them the corresponding role and licences. Removing a user from a group triggers a full re-evaluation of their access based on their remaining group memberships.
  • Updated user details (such as name or manager) are kept in sync automatically.
  • Deactivated or unassigned users are deprovisioned from Vatix, and their licences are released.

Your Vatix account manager will confirm that provisioning is working correctly and that your group-to-role mappings are applied as expected.

Troubleshooting

Issue

What to do

Testing connection fails

Double-check the Tenant URL and Secret Token. Make sure there are no trailing spaces. If the problem persists, contact your Vatix account manager to verify the credentials.

Users not appearing in Vatix

Confirm the users are assigned to the Enterprise Application. Check the 'Provisioning logs' in Entra ID for errors.

Sync is slow

Entra ID syncs approximately every 40 minutes. Use 'Provision on demand' for immediate updates.

User has wrong role or licences

Check the user's group membership in Entra ID. Roles and licences are determined by group mappings. Contact your Vatix account manager if the mapping needs to be adjusted.

Error in provisioning logs

Share the error details with your Vatix account manager for investigation.

If you run into any issues or have questions about the setup process, contact your Vatix account manager or reach out to the Vatix support team.