---
title: Configure SCIM with Microsoft Entra ID
description: >-
  Set up automated user provisioning from Microsoft Entra ID to Datadog using
  SCIM with step-by-step configuration and attribute mapping.
breadcrumbs: >-
  Docs > Account Management > User Provisioning with SCIM > Configure SCIM with
  Microsoft Entra ID
---

# Configure SCIM with Microsoft Entra ID

{% alert level="info" %}
SCIM is available with the Infrastructure Pro and Infrastructure Enterprise plans.
{% /alert %}

{% alert level="danger" %}
Due to a Microsoft freeze on third-party app updates in Entra following a security incident in late 2024, Team provisioning via SCIM is unavailable. To create Teams in Datadog, use one of the supported alternatives: SAML mapping, Terraform, the public API, or direct calls to the SCIM server. SCIM can still be used to provision users.
{% /alert %}

See the following instructions to synchronize your Datadog users with Microsoft Entra ID using SCIM.

For capabilities and limitations of this feature, see [SCIM](https://docs.datadoghq.com/account_management/scim/).

## Prerequisites{% #prerequisites %}

SCIM in Datadog is an advanced feature available with the Infrastructure Pro and Infrastructure Enterprise plans.

This documentation assumes your organization manages user identities using an identity provider.

Datadog strongly recommends that you use a service account application key when configuring SCIM to avoid any disruption in access. For further details, see [using a service account with SCIM](https://docs.datadoghq.com/account_management/scim/#using-a-service-account-with-scim).

When using SAML and SCIM together, Datadog strongly recommends disabling SAML just-in-time (JIT) provisioning to avoid discrepancies in access. Manage user provisioning through SCIM only.

## Add Datadog to the Microsoft Entra ID application gallery{% #add-datadog-to-the-microsoft-entra-id-application-gallery %}

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as at least a [Cloud Application Administrator](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator)
1. Browse to **Identity** -> **Applications** -> **Enterprise Applications**
1. Click **New Application**
1. Type "Datadog" in the search box
1. Select the Datadog application from the gallery
1. Optionally, enter a name in the **Name** text box
1. Click **Create**

**Note:** If you already have Datadog configured with Microsoft Entra ID for SSO, go to **Enterprise Applications** and select your existing Datadog application.

## Configure automatic user provisioning{% #configure-automatic-user-provisioning %}

1. In the application management screen, select **Provisioning** in the left panel
1. In the **Provisioning Mode** menu, select **Automatic**
1. Open **Admin Credentials**
1. Complete the **Admin Credentials** section as follows:
   - **Tenant URL**: `https://  /api/v2/scim?aadOptscim062020`
     - **Note:** Use the appropriate subdomain for your site. To find your URL, see [Datadog sites](https://docs.datadoghq.com/getting_started/site).
     - **Note:** The `?aadOptscim062020` part of the Tenant URL is specifically for Entra ID. This is a flag that tells Entra to correct its SCIM behavior as outlined in this [Microsoft Entra documentation](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior). If you are not using Entra ID, you should not include this suffix on the URL.
   - **Secret Token**: Use a valid Datadog application key. You can create an application key on [your organization settings page](https://app.datadoghq.com/organization-settings/application-keys). To maintain continuous access to your data, use a [service account](https://docs.datadoghq.com/account_management/org_settings/service_accounts) application key.

{% image
   source="https://datadog-docs.imgix.net/images/account_management/scim/admin-credentials-entra-flag.b542971dc650a653a3efa5a1dd3d6fb0.png?auto=format"
   alt="Azure AD Admin Credentials configuration screen" /%}
Click **Test Connection**, and wait for the message confirming that the credentials are authorized to enable provisioning.Click **Save**. The mapping section appears. See the following section to configure mapping.
## Attribute mapping{% #attribute-mapping %}

### User attributes{% #user-attributes %}

1. Expand the **Mappings** section

1. Click **Provision Azure Active Directory Users**. The Attribute Mapping page appears.

1. Set **Enabled** to **Yes**

1. Click the **Save** icon

1. Under **Target Object actions**, ensure Create, Update, and Delete actions are selected

1. Review the user attributes that are synchronized from Microsoft Entra ID to Datadog in the attribute mapping section. Set the following mappings:

| Microsoft Entra ID Attribute | Datadog Attribute              |
| ---------------------------- | ------------------------------ |
| `userPrincipalName`          | `userName`                     |
| `Not([IsSoftDeleted])`       | `active`                       |
| `jobTitle`                   | `title`                        |
| `mail`                       | `emails[type eq "work"].value` |
| `displayName`                | `name.formatted`               |

   {% image
      source="https://datadog-docs.imgix.net/images/account_management/scim/ad-users-2.ca26d247142ba0e6ab8c8bf536a7f1a5.png?auto=format"
      alt="Attribute mapping configuration, Provision Azure Active Directory Users" /%}

1. After you set your mappings, click **Save**.

### Group attributes{% #group-attributes %}

Group mapping is not supported.