What You'll Achieve
- โ New starters in Microsoft 365 will automatically get a TrainMeUK account
- โ When someone leaves, their TrainMeUK account will be disabled automatically
๐ค Who Should Do This
A Microsoft 365 administrator with Global Admin or Application Admin rights.
๐ Step-by-Step Setup
1. In TrainMeUK
- Go to Admin โ System Settings โ SCIM User Provisioning
- Toggle Enable SCIM on
- Copy the SCIM Endpoint URL
- Copy the SCIM Bearer Token (use the Copy button)
2. In Microsoft Entra ID
- Go to entra.microsoft.com โ Enterprise applications
- Open the app you registered for TrainMeUK SSO
- Go to Provisioning โ Get started
- Set Provisioning Mode to Automatic
- Paste the values from TrainMeUK:
- Tenant URL โ SCIM Endpoint URL
- Secret Token โ SCIM Bearer Token
- Click Test connection โ it should say Success
- Click Save
3. Choose Who Syncs
- In the TrainMeUK app in Entra, go to Users and groups
- Add the groups or people who should get TrainMeUK accounts
- ๐ก Tip: Most companies assign an "All Staff" group
4. Start Provisioning
- Go back to Provisioning
- Click Start provisioning
- Entra will now keep TrainMeUK automatically in sync with Microsoft 365
๐งช Test It
- Add a test user to the group you assigned
- Wait up to 40 minutes for sync (or force a sync in Provisioning)
- In TrainMeUK go to Admin โ Manage Users
- The test user should appear โ
๐ก Troubleshooting
Test connection fails
Check the Endpoint URL and Token are copied exactly from TrainMeUK.
User doesn't appear
Confirm they're in the assigned group in Microsoft 365.
Wrong details syncing
Default attribute mappings (email, first name, last name) are already configured โ you usually don't need to change them.
Why SCIM Provisioning Matters
Manual user management in training platforms creates bottlenecks and compliance risks. With SCIM (System for Cross-domain Identity Management), your user lifecycle becomes fully automated. According to Gartner research, automated user provisioning reduces IT admin costs by 60% and eliminates 70% of access-related support tickets.
Automatic Onboarding
New employees get instant access to required training based on their role and department.
Secure Offboarding
When someone leaves, their access is immediately revoked, maintaining security.
Role-Based Access
Training assignments automatically adjust when roles change in Microsoft 365.
Compliance Assurance
No manual errors mean complete audit trails and consistent compliance coverage.
Best Practices for SCIM Setup
Pro Tips for Success
- Test with a small group first before rolling out to all users
- Use security groups rather than individual users for easier management
- Monitor the provisioning logs regularly to catch any sync issues early
- Set up notifications for failed provisioning attempts
- Document your group structure so other admins understand the setup
What Happens Next
Once SCIM provisioning is active, your training platform becomes a seamless extension of your Microsoft 365 environment. User changes in Entra ID automatically flow through to TrainMeUK, ensuring your compliance training coverage is always current and complete.
Book a demo with TrainMeUK to see SCIM provisioning in action and learn how it can eliminate user management overhead for your organization.
Related Articles
Azure AD Integration Guide
Complete Azure AD integration setup in 60 minutes for automated user management and SSO.
Read More โMicrosoft 365 SSO Setup
Set up single sign-on between Microsoft 365 and TrainMeUK for seamless authentication.
Read More โPower Automate Teams Integration
Send automated training notifications to Microsoft Teams with adaptive cards and webhooks.
Read More โFrequently Asked Questions
What is SCIM and why do I need it for my LMS?
SCIM (System for Cross-domain Identity Management) is an open standard protocol that automates user provisioning between identity providers like Microsoft 365 and applications like TrainMeUK. Without SCIM, IT teams must manually create, update, and delete user accounts when employees join, change roles, or leave. With SCIM, these processes happen automatically in real-time. For compliance training, this is critical: new starters immediately get required training assignments, role changes trigger appropriate training updates, and departing employees lose access instantly (preventing data breaches). Organizations using SCIM save 40-60 hours weekly in user management time.
How long does SCIM setup take in Microsoft 365?
Complete SCIM provisioning setup takes approximately 30-40 minutes. The process includes: enabling SCIM in TrainMeUK admin settings (2-3 minutes), copying endpoint URL and bearer token (1 minute), configuring provisioning in Microsoft Entra ID (10-15 minutes), assigning users or groups to sync (5-10 minutes), testing the connection (2-5 minutes), and starting provisioning (1 minute). Initial sync can take up to 40 minutes, but subsequent updates happen in near real-time. Our support team can guide you through setup if needed, often completing it even faster.
What happens if SCIM sync fails?
Microsoft Entra ID provides detailed provisioning logs showing exactly what happened if sync fails. Common issues include: incorrect endpoint URL or token (easily fixed by re-copying from TrainMeUK), network connectivity problems (temporary, usually resolves automatically), user attribute mismatches (configure attribute mappings), and permission errors (ensure proper admin rights). SCIM is resilient - failed sync attempts are automatically retried. You can also force manual sync anytime. The system maintains existing users if sync temporarily fails, so there's no disruption to ongoing training. Monitor provisioning logs regularly to catch and fix issues early.
Can I sync only specific user groups, not everyone?
Yes, selective provisioning is recommended best practice. In Entra ID's "Users and groups" section for the TrainMeUK app, you choose exactly which users or security groups to provision. This allows you to: pilot SCIM with a small group before full rollout, exclude contractors or temporary staff who don't need training, provision only specific departments (e.g., only office staff, not warehouse), control costs by limiting user count, and maintain separate provisioning rules for different organizational units. Changes to group membership automatically trigger user provisioning or deprovisioning in TrainMeUK.
How often does SCIM sync users between Microsoft 365 and TrainMeUK?
Microsoft Entra ID runs incremental synchronization approximately every 40 minutes for changes (additions, updates, deletions). However, you can force an immediate sync anytime in the Provisioning settings. Initial provisioning when first enabled can take longer (up to 40 minutes) as it processes all assigned users. After that, most changes sync within 40 minutes automatically. For critical scenarios like immediate offboarding, you can force sync manually. The automatic schedule ensures users are provisioned quickly without manual intervention, while not overwhelming systems with constant sync requests.
What's the difference between SCIM provisioning and SSO?
SCIM and SSO serve different but complementary purposes. SSO (Single Sign-On) handles authentication - letting users log in with Microsoft 365 credentials. SCIM handles user provisioning - automatically creating, updating, and deleting user accounts. Best practice is using both together: SCIM creates the user account automatically when someone joins, and SSO lets them log in seamlessly without separate credentials. You can have SSO without SCIM (but must manually create users), or SCIM without SSO (but users need separate passwords). Together, they provide complete automation. View pricing for our Microsoft 365 integration package including both SCIM and SSO.
Ready to Get Started?
Our team can help you set up SCIM provisioning in under 30 minutes, with full support throughout the process.