This page explains the setup process for user provisioning with SCIM using the Client Credentials authentication method, which is necessary to integrate with Microsoft Entra. For an overview of the SCIM functionality, see Managing users with SCIM provisioning, and if you're using Okta instead of Entra as your IdP, see SCIM Setup with Authorization Code (Okta).
Step-by-Step Instructions
Please make sure to follow these steps carefully, as a misconfiguration may prevent the integration from working or result in unexpected provisioning behavior.
Step 1: Generate SCIM Credentials in Read AI
- Go to Workspace Settings and expand the Advanced section.
- Turn on the Enable SCIM provisioning setting.
- Select the OAuth 2.0 Client Credentials option.
- Click Generate Credentials to obtain your Client ID and Client Secret (copy these; the secret is only shown once and will need to be regenerated if you lose it).
- Note the Tenant URL and Token URL; you'll also need these later.
- Decide whether you want license auto-charge to be enabled. If disabled, provisioning will fail and throw errors in Entra whenever you run out of available licenses in your workspace. You can configure a limit for the maximum number of seats your workspace can reach via auto-charge (more can always be purchased manually).
Step 2: Configure SCIM in Microsoft Entra
- In the Entra admin portal, go to Enterprise apps (under Entra ID in the left side menu).
- Create a New application for Read AI.
- Click Create your own application, provide a name (e.g. "Read AI SCIM"), and make sure to select Integrate any other application you don't find in the gallery (Non-gallery). Do not use the Read AI app from the gallery.
- Click Create (it may take a minute or so for Entra to create the application).
- Click Provisioning.
- Click New configuration.
- For the authentication method, select OAuth2 client credentials grant.
- Now you'll need to paste the Tenant URL, Token URL, Client ID, and Client Secret from your Read AI workspace settings into the corresponding fields.
- Click Test connection and you should eventually see a notification in the top right that your test was successful.
- Click Create at the bottom to save the configuration (may take a minute or so to finish).
Step 3: Attribute Mapping
- Click on Provisioning (the mode should be set to Automatic).
- Expand Mappings and click on Provision Microsoft Entra ID Groups.
- Set Enabled to No (we do not currently support mapping groups to, for example, workspace teams).
- Click Save and then Yes to confirm.
- Click the X in the top right or the link in the top navigation to return to the Provisioning page.
- Click Provision Microsoft Entra ID Users.
- Under Attribute Mappings, you must delete all attributes except for:
  - userName
  - active
  - emails[type eq "work"].value
  - name.givenName
  - name.familyName
  - externalId
- Click Save and then Yes to confirm.
- Click the X in the top right or the link in the top navigation to return to the Provisioning page.
- Click Attribute mapping (Preview) to confirm that Groups is not enabled and Users is.
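The Step 3 result can also be checked outside the portal. The following is an added example, not Read AI's or Microsoft's code: it audits a provisioning schema against the six attributes listed above and the Groups-disabled requirement. It assumes the schema has the shape of a Microsoft Graph synchronizationSchema (as returned by GET /servicePrincipals/{id}/synchronization/jobs/{jobId}/schema); the sample data and the function names are constructed for illustration.

```python
# Target attributes the page says must remain on the Users mapping (Step 3).
ALLOWED = {
    "userName", "active", 'emails[type eq "work"].value',
    "name.givenName", "name.familyName", "externalId",
}

def audit_schema(schema):
    """Return findings; an empty list means the schema matches Step 3."""
    findings, seen_user = [], False
    for rule in schema.get("synchronizationRules", []):
        for om in rule.get("objectMappings", []):
            source, enabled = om.get("sourceObjectName"), om.get("enabled", True)
            if source == "Group" and enabled:
                findings.append("Group mapping is enabled; set Enabled to No")
            if source != "User":
                continue
            seen_user = True
            if not enabled:
                findings.append("User mapping is disabled")
            targets = {m["targetAttributeName"] for m in om.get("attributeMappings", [])
                       if m.get("targetAttributeName")}
            findings += [f"extra attribute to delete: {a}" for a in sorted(targets - ALLOWED)]
            findings += [f"required attribute missing: {a}" for a in sorted(ALLOWED - targets)]
    if not seen_user:
        findings.append("no User object mapping found")
    return findings

def mapping(source, enabled, attrs):
    # Hypothetical helper used only to build the constructed sample data.
    return {"sourceObjectName": source, "enabled": enabled,
            "attributeMappings": [{"targetAttributeName": a} for a in attrs]}

# Constructed sample: two leftover default attributes, externalId deleted by
# mistake, and the Groups mapping still enabled.
SAMPLE = {"synchronizationRules": [{"objectMappings": [
    mapping("User", True, sorted(ALLOWED - {"externalId"}) + ["displayName", "title"]),
    mapping("Group", True, ["displayName", "members"]),
]}]}

if __name__ == "__main__":
    for finding in audit_schema(SAMPLE):
        print(finding)
```

Run it against the exported schema after any change to the mappings; an empty result means the Users mapping carries exactly the six attributes and Groups is off.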
Step 4: Select Users and Groups to Sync
- Click on Users and groups.
- Use Add user/group to assign individual users and/or groups to the application (these are the people you want to authorize to use Read AI).
- Only the users you assign here will be provisioned and managed by SCIM/Entra.
Step 5: Complete and Monitor Provisioning
- Click Overview (Preview) and then Start provisioning.
- Provisioning runs automatically every ~40 minutes, creating and deactivating users in your Read AI workspace as necessary to keep it in sync with your Entra application.
- You can monitor sync status and errors in Entra. We will also send you email notifications if users fail to get provisioned for any reason.
Notes and Troubleshooting
Make sure to review the notes here to fully understand how SCIM provisioning works, and if you have any issues, check the troubleshooting tips.
For detailed attribute mapping and advanced scenarios, see the official Microsoft Entra SCIM documentation.