# Set Up Enterprise SSO and SCIM

Your organization uses Microsoft Entra ID. You want users to log in with their corporate credentials and have Entra ID automatically manage which users exist in Aritma.

**Approach:** Configure Azure AD SSO for authentication, then enable SCIM so Entra ID manages the full user lifecycle — creating and deprovisioning users in Aritma as they are assigned or removed in the directory.

## Prerequisites

- An access token with IAM admin permissions
- A configured tenant
- Access to the Azure portal to configure Entra ID

## Step 1: Register an Azure AD SSO provider

Note the `scheme` you chose — you will use it in the next step.

**Auto-provisioning:** `autoProvisioningEnabled` controls just-in-time user creation at login time. With SCIM configured, users are pre-created by Entra ID before they ever log in, so `autoProvisioningEnabled` is not required for this setup. Enable it only if you also want to support logins from users not yet provisioned via SCIM.

## Step 2: Create a SCIM token linked to the provider

The `provider` field must match the `scheme` you chose for the SSO provider above. Store the returned token value securely — it is only shown once.

## Step 3: Configure Entra ID

In the Azure portal, go to **Entra ID → Enterprise Applications** and create a new application. Under **Provisioning**, set:

- **Tenant URL** — your Aritma SCIM endpoint
- **Secret Token** — the token from step 2

Once saved, Entra ID will begin provisioning users assigned to the application, and users can log in using Entra ID.

## Next steps

- To update the SSO provider configuration later, see [SSO Setup](/apis/platform/iam/sso/overview)
- To manage SCIM tokens, see [SCIM Provisioning](/apis/platform/iam/scim/overview)
- To verify your domain, see [Domains](/apis/platform/iam/guides/domains)