Setting Up Azure AD SSO and SCIM

Configure automatic user provisioning through Microsoft Azure AD (Entra ID). Users are created, updated, and deactivated automatically based on your Microsoft 365 directory.

When to use this method

  • You use Microsoft 365 / Azure AD (Entra ID)
  • You want users to log in with their existing work credentials
  • You want automatic user creation when new employees join
  • You want automatic deactivation when employees leave
  • You have 50+ users and want to reduce admin overhead

👤 Who Should Do This

A Microsoft 365 administrator with Global Admin or Application Admin rights.

Overview

🔐 Single Sign-On (SSO)

Staff log into TrainMeUK using their Microsoft 365 work account — no extra passwords.

  • One password for all work apps
  • Improved security with MFA
  • 70% reduction in IT support tickets

👥 SCIM Provisioning

Automatically syncs user accounts from Microsoft 365 to TrainMeUK.

  • Auto-create users when they join
  • Auto-update details when they change
  • Auto-deactivate when they leave

Note

SSO and SCIM are independent features. You can use SSO without SCIM (users created manually), or set up both for full automation. We recommend setting up both.

Part 1: Setting Up SSO

Step 1: In TrainMeUK: Get the Redirect URI

  1. Go to Admin → Settings → SSO & Provisioning
  2. Copy the Redirect URI shown on screen
  3. Keep this page open — you'll paste values back here later

Step 2: In Microsoft Entra ID: Create App Registration

  1. Go to entra.microsoft.com → App registrations → New registration
     [Screenshot: Go to App registrations and click New registration]
  2. Enter:
    • Name: TrainMeUK SSO
    • Supported account types: Accounts in this organisational directory only (Single tenant)
    • Redirect URI: Paste the Redirect URI you copied from TrainMeUK
  3. Click Register
     [Screenshot: Fill in the app name and paste the Redirect URI from TrainMeUK]

Step 3: Collect Details from Microsoft

From the app you just created in App registrations:

What to Copy | Where to Find It | Use In TrainMeUK
Application (client) ID | Overview page | Client ID
Directory (tenant) ID | Overview page | Tenant ID
Client secret value | Certificates & secrets → New client secret | Client Secret

Tip

The client secret value is only shown once when you create it — copy it immediately!

Step 4: Enable ID Tokens

  1. In your app registration, go to Authentication
  2. Under "Implicit grant and hybrid flows", tick ID tokens
  3. Click Save
     [Screenshot: Tick 'ID tokens' under Implicit grant and hybrid flows, then Save]

Step 5: Back in TrainMeUK: Enable SSO

  1. Paste the values you collected:
    • Tenant ID → from Directory (tenant) ID
    • Client ID → from Application (client) ID
    • Client Secret → the secret value you created
  2. Click Enable SSO
  3. Click Save

Step 6: Test SSO

  1. Log out of TrainMeUK
  2. Click Sign in with Microsoft
  3. Use a normal staff account → you should go straight in ✅

Part 2: Setting Up SCIM Provisioning

Step 1: In TrainMeUK: Enable SCIM

  1. Go to Admin → Settings → SSO & Provisioning
  2. Toggle Enable SCIM on
  3. Copy the SCIM Endpoint URL
  4. Copy the SCIM Bearer Token (use the Copy button)
     [Screenshot: Toggle Enable SCIM on and copy the Endpoint URL and Bearer Token]

Step 2: In Microsoft Entra ID: Configure Provisioning

  1. Go to entra.microsoft.com → Enterprise applications
  2. Open the app you registered for TrainMeUK SSO
  3. Go to Provisioning → Get started
  4. Set Provisioning Mode to Automatic
  5. Paste the values from TrainMeUK:
    • Tenant URL → SCIM Endpoint URL
    • Secret Token → SCIM Bearer Token
  6. Click Test connection → it should say Success
  7. Click Save
     [Screenshot: Configure provisioning settings in Enterprise applications]

Step 3: Choose Who Syncs

  1. In the TrainMeUK app in Entra, go to Users and groups
  2. Add the groups or people who should get TrainMeUK accounts

Tip

Most companies assign an "All Staff" group to automatically provision everyone.
[Screenshot: Add users or groups to automatically provision in TrainMeUK]

Step 4: Start Provisioning

  1. Go back to Provisioning
  2. Click Start provisioning
  3. Entra will now keep TrainMeUK automatically in sync with Microsoft 365

Step 5: Test SCIM

  1. Add a test user to the group you assigned
  2. Wait up to 40 minutes for sync (or force a sync in Provisioning)
  3. In TrainMeUK go to Admin → User Management
  4. The test user should appear ✅

What Happens Automatically

Event | What Happens in TrainMeUK
New employee added to Microsoft 365 | User account automatically created, welcome email sent
Employee details change (department, title) | User profile automatically updated
Employee removed or disabled in Microsoft 365 | User account automatically deactivated
Employee role changes | Department and job title updated automatically

Troubleshooting

"Needs admin approval" error

A Microsoft admin must log in once to approve the connection. After the first admin approval, all users can use SSO.

Redirect error during SSO login

Check the Redirect URI in TrainMeUK and Microsoft Entra ID match exactly, including https:// and any trailing slashes.
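
To find which part of the two values differs, the comparison can be scripted. This is an added example, not part of TrainMeUK's or Microsoft's tooling; the function name and the URIs are constructed placeholders.

```python
from urllib.parse import urlsplit


def redirect_uri_mismatches(configured: str, registered: str) -> list[str]:
    """Return the reasons the TrainMeUK and Entra ID redirect URIs are not identical."""
    if configured == registered:
        return []
    problems = []
    # Copy-paste often drags in a stray space or newline.
    for label, raw in (("TrainMeUK", configured), ("Entra ID", registered)):
        if raw != raw.strip():
            problems.append(f"{label} value has leading/trailing whitespace")
    a, b = urlsplit(configured.strip()), urlsplit(registered.strip())
    if a.scheme != b.scheme:
        problems.append(f"scheme differs: {a.scheme!r} vs {b.scheme!r}")
    if a.netloc != b.netloc:
        if a.netloc.lower() == b.netloc.lower():
            problems.append("host differs only in letter case")
        else:
            problems.append(f"host/port differs: {a.netloc!r} vs {b.netloc!r}")
    if a.path != b.path:
        if a.path.rstrip("/") == b.path.rstrip("/"):
            problems.append("path differs only by a trailing slash")
        elif a.path.lower() == b.path.lower():
            problems.append("path differs only in letter case")
        else:
            problems.append(f"path differs: {a.path!r} vs {b.path!r}")
    if (a.query, a.fragment) != (b.query, b.fragment):
        problems.append("query string or fragment differs")
    if not problems:
        problems.append("values differ in a way URL parsing hides; compare character by character")
    return problems


if __name__ == "__main__":
    # Constructed sample values; paste the two real URIs here.
    for reason in redirect_uri_mismatches(
        "https://app.example.test/sso/callback/",
        "https://app.example.test/sso/callback",
    ):
        print(reason)
```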

SCIM test connection fails

Check the SCIM Endpoint URL and Bearer Token are copied exactly from TrainMeUK. Ensure SCIM is enabled in TrainMeUK settings.
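
The endpoint and token can also be checked outside Entra with a lookup for a user that does not exist, which a SCIM 2.0 endpoint should answer with HTTP 200 and an empty ListResponse. This is an added example, not TrainMeUK's or Microsoft's code; the environment variable names and the mapping of status codes to causes are assumptions.

```python
import json
import os
import urllib.error
import urllib.request
import uuid
from urllib.parse import quote

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_probe(endpoint: str, token: str) -> urllib.request.Request:
    """Build GET <endpoint>/Users filtered on a random userName that cannot exist."""
    if not endpoint.strip().lower().startswith("https://"):
        raise ValueError("SCIM endpoint must be https://; the bearer token travels in a header")
    flt = quote(f'userName eq "{uuid.uuid4()}"')
    return urllib.request.Request(
        f"{endpoint.strip().rstrip('/')}/Users?filter={flt}",
        headers={"Authorization": f"Bearer {token.strip()}",
                 "Accept": "application/scim+json"},
    )


def check_probe_response(status: int, body: str) -> list[str]:
    """Return the reasons the reply is not an empty SCIM ListResponse."""
    if status in (401, 403):
        return [f"HTTP {status}: bearer token rejected; copy the SCIM Bearer Token again"]
    if status != 200:
        return [f"HTTP {status}: check the SCIM Endpoint URL and that SCIM is enabled"]
    try:
        doc = json.loads(body)
        schemas = doc.get("schemas", [])
    except (ValueError, AttributeError):
        return ["HTTP 200 but the body is not a JSON object; the URL may point at a web page"]
    problems = []
    if LIST_SCHEMA not in schemas:
        problems.append("response is not a SCIM 2.0 ListResponse")
    if doc.get("totalResults") != 0 or doc.get("Resources"):
        problems.append("expected zero results for a random userName")
    return problems


if __name__ == "__main__":
    # SCIM_ENDPOINT and SCIM_TOKEN are assumed variable names; reading the token
    # from the environment keeps it out of command-line arguments.
    req = build_probe(os.environ["SCIM_ENDPOINT"], os.environ["SCIM_TOKEN"])
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    print(check_probe_response(status, body) or "OK: endpoint and token accepted")
```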

User doesn't appear after SCIM sync

Confirm the user is in the assigned group in Microsoft 365. Check the Provisioning logs in Entra ID for any errors.
