Microsoft Entra SCIM Integration Guide
SCIM (System for Cross-domain Identity Management) is an open standard protocol that automates user and group synchronization between identity providers (such as Microsoft Entra) and business applications. Instead of a human manually creating, updating, or deactivating user accounts across multiple systems, SCIM automatically handles the entire user lifecycle.
This guide enables organizations to automatically synchronize users and groups from Microsoft Entra to HERE Enterprise Browser using the SCIM standard.
Key Features
- One-way sync: From Entra to HERE Enterprise Browser
- Automatic scheduling: Runs every 40 minutes
- Read-only entities: Users and groups created via sync cannot be modified in HERE
- Active/inactive status: Managed by Entra via PATCH requests
- Audit trail: All sync activities are logged with the designated sync user
Prerequisites
- HERE Enterprise Browser with SCIM service enabled
- Microsoft Entra administrative access
- Admin privileges in HERE Enterprise Browser
Set up the integration
Setting up the integration requires several major tasks.
Create a user for the service
- In your organization, create a user email account that will be used to access the SCIM service; for example, SCIM_USER@EXAMPLE.COM.
- In the HERE Admin Console, create a HERE user for the email address you just created.
- In the Admin Security page of the HERE Admin Console, add the user as an admin with the "Full Admin" admin type.
Request the SCIM service for your HERE deployment
The SCIM service must be enabled for your HERE Enterprise Browser deployment by HERE staff. Notify your HERE customer contact or HERE Support. Provide the email address you created in the previous step.
HERE staff will enable SCIM for your deployment and provide you with a JSON web token (JWT) to be used to access the service.
Configure an enterprise application in Entra
A user with administrative access in Microsoft Entra is required to perform the steps in this section.
- Create a new application
  - In the Microsoft Entra admin center, create a new "enterprise application".
  - Select "Integrate any other application you don't find in the gallery".
  - Provide a meaningful name for the application.
- Configure provisioning
  - In the Entra application definition you just created, navigate to Manage > Connectivity.
  - Create a new provisioning configuration with the following information:
    - Tenant URL: https://TENANT.is.here.io/scim/api/v2 where TENANT is your organization's subdomain for HERE Enterprise Browser
    - Secret Token: The encoded string for the JWT provided by HERE.
  - Test the connection and click Create when successful.
- Set up users and groups
  - In the Entra application definition you just created, navigate to Manage > Users and Groups.
  - Define or select the users and groups that you want Entra to synchronize with HERE.
  - Navigate to Manage > Attribute Mapping.
  - Enable mappings for both users and groups.
  - Configure Group mappings:
    - Custom App Attribute: displayname
    - MS Entra Attribute: displayName
  - On the Overview page of the new application, click Start provisioning.
Synchronization of users and groups proceeds on the automatic schedule, every 40 minutes.
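Because the Secret Token is a JWT, its header and claims can be read locally before it is pasted into the provisioning configuration, which shows when the credential will stop working. The following is an added example, not part of HERE's or Microsoft's documentation; it assumes the token carries the standard RFC 7519 `exp` and `sub` claims (this guide does not say which claims HERE issues), and the function names, the 30-day threshold and the sample token are constructed for illustration.

```python
import base64
import json
import time

WARN_DAYS = 30  # assumption: plan a token rotation when under 30 days remain


def b64url_decode(segment):
    # JWT segments are unpadded base64url (RFC 7515); restore the padding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_json(obj):
    # Helper used only to build the constructed sample token below.
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_scim_token(token, now=None):
    """Decode a JWT without verifying its signature and report its lifetime."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    exp = claims.get("exp")  # assumption: an RFC 7519 exp claim may be present
    if exp is None:
        status, days_left = "no-expiry", None
    else:
        days_left = (exp - now) / 86400
        status = ("expired" if days_left <= 0
                  else "expiring-soon" if days_left < WARN_DAYS else "ok")
    return {"alg": header.get("alg"), "sub": claims.get("sub"),
            "days_left": days_left, "status": status}


# Constructed sample token, not a real credential; the signature is a dummy.
SAMPLE_TOKEN = ".".join([
    b64url_json({"alg": "HS256", "typ": "JWT"}),
    b64url_json({"sub": "SCIM_USER@EXAMPLE.COM", "exp": 1900000000}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    # Checked 10 days before the sample's expiry, so this reports expiring-soon.
    print(inspect_scim_token(SAMPLE_TOKEN, now=1900000000 - 10 * 86400))
```

Run the check on your own machine rather than in an online decoder, since the token is a bearer credential for the SCIM service.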