Microsoft Entra ID SCIM Integration
Learn how to integrate Verkada Command with Microsoft Entra ID for SCIM
Verkada Command integrates with Microsoft Entra ID using System for Cross-Domain Identity Management (SCIM) for automated user and group provisioning.
SCIM synchronizes users and groups from Microsoft Entra ID directly into Command. This lets you:
Retain Microsoft Entra ID as your central IdP.
Automatically update users and groups in Command as changes occur in Entra ID.
Assign and manage permissions in Command using your existing identity structure.
See Microsoft Entra ID SAML Integration for the SAML integration steps.
SCIM in Microsoft Entra ID configuration
Before you configure SCIM in Microsoft Entra ID, you need to generate your secret token in Command.
Click Add Domain, and enter all relevant email domains you plan to use with SCIM.
This generates a SCIM token, which is viewable only once.
a. Click Copy and store the token in a secure place to use later in the configuration. b. Click Refresh to generate a new token if you did not copy your token or it is not visible.
On the provisioning page:
a. Set the Provisioning Mode to Automatic. b. Set the Tenant URL as:
For US orgs: https://api.command.verkada.com/scim
For EU orgs: https://scim.prod2.verkada.com/scim
For AUS orgs: https://scim.prod-ap-syd.verkada.com/scimNote: To confirm which region you’re located in, refer to where your organization was created for Verkada.
f. Fill in the SCIM token generated in Verkada Command (step 2) as the secret token.
Configure attributes for Microsoft Entra ID groups
Configure attributes for Microsoft Entra ID users
Update your mappings to match the attribute table below.
Note: The Switch attribute under Microsoft Entra ID Attribute is added as an Expression mapping type.
Switch([IsSoftDeleted], , "False", "True", "True", "False")
Note: Source Attribute is the Microsoft Entra ID Attribute and Target Attribute is the customerappsso Attribute. If any of the customappsso attributes are not available as a Target Attribute, you may need to add them to your Microsoft Entra ID platform as an option. To do so, check the Show advanced options box and click Edit attribute list for customappsso.
Note: SCIM-managed users no longer have the option to edit their phone number in Command; instead, they can only be provisioned via SCIM. On the IDP side, you can set up your attribute mapping such that any field in your IDP instance maps to the phone number field in Command. You can also set it up such that the no field in the IDP maps to the phone number field in Command. However, even in this case, phone numbers remain a locked field in Command and can only be edited through SCIM.
Depending on the requirements, adjust the scope to one of the required options:
Sync all users and groups.
Sync only assigned users and groups.
Note: Ensure users and groups are assigned to the enterprise application under Users and Groups. Those assigned are the ones provisioned and present in Command.
Verify that users are assigned to the application. Once the initial provisioning cycle has elapsed:
a. You should see the total number of users and groups that have been provisioned successfully under Overview. b. In Command, you should see these users and groups populated with the associated SCIM Managed tag. These synchronized users and groups can now be used in Command and assigned permissions to control access to the Command platform.
Attribute table
Delete SCIM-managed users from Command
When a SCIM-managed user is deactivated in your identity provider, you can remove the user from Command in two ways:
Delete the user – The account moves to the Deleted Users page but keeps historical records, roles, and permissions.
Permanently remove the user – All roles, credentials, access logs, and associated data are erased. If the user is re-provisioned via SCIM, Command creates a new user record.
You must deactivate the user in your identity provider (IdP) before either deletion option is available in Command.
(Optional) Add access credentials to SCIM users
Log in to your Azure portal.
Go back to Provision Microsoft Entra ID Users and select Add New Mapping.
a. Use extensionAttributes 1-5 as Source Attributes and map them to the new attributes we created using Card Format, Card Number, Card Number Hex, Credential Status, and Facility Code as the target attributes.
Reference Acceptable Card Formats for accepted card formats and their associated facility code, card number, and/or card number hex lengths.
Credential Status can be "active", "deactivated", or "deleted"
d. Click Save.
Attribute table
Name
Type
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardFormat
String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumber
String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumberHex
String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:credentialStatus
String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:facilityCode
String
Edit the App Registration
Every SCIM enabled Enterprise Application created on Entra AD typically requires its own App Registration.
On the left navigation, click Manage.
a. Under Certificates & secrets:
Click New client secret.
Set the Description to "Verkada SCIM Credentials" and set your preferred certificate expiration date.
Copy and store the value displayed in the Value of the new Client Secret created. This will only be displayed once.
e. Under API Permissions:
Click Add Permissions > Microsoft Graph.
Select Application Permissions and search for "User.ReadWrite.All".
Check the box to assign the permissions.
Click Add Permissions.
To avoid having to manually review and approve all stage changes communicated between Azure Entra and your Command application, select Grant admin consent for Default Director.
Refer to this list of credentials for acceptable card formats.
Access and update your credentials
To set the extension attributes and the credential information for a particular user, use the Graph API instructions at: https://learn.microsoft.com/en-us/graph/extensibility-overview.
Note: Setting the credentialStatus attribute to active when setting up a credential for a user is necessary to successfully sync credentials with Command. Where credential status (credentialStatus) is extensionAttribute4.
Example:
curl --location --request PATCH 'https://graph.microsoft.com/v1.0/users/<UserID>' \
--header 'Authorization: Bearer <secure token>' \
--header 'Content-Type: application/json' \
--data '{
"onPremisesExtensionAttributes": {
"extensionAttribute1": "Standard 26-bit Wiegand",
"extensionAttribute2": "7777",
"extensionAttribute3": "7",
"extensionAttribute4": "active",
"extensionAttribute5": "111"
}
}'Sync External ID to Verkada
The externalId field allows you to assign a persistent, globally unique identifier to your users through Microsoft Entra that Verkada can reference across integrations. This is especially useful for large enterprise environments where users may need to be disambiguated across systems, or where syncing credentials (e.g., access cards) must be tied to a unique identity key. Verkada supports receiving and storing this value as part of its SCIM user schema. The field is case-sensitive and is typically configured to accept a string value from a designated attribute in your Microsoft Entra instance. This feature supports advanced workflows such as custom credential management, employee lifecycle automation, and consistent user mapping across orgs.
Map externalId from Azure to Verkada
To sync a custom externalId value from Microsoft Entra ID (Azure) to Verkada, follow these steps:
Once provisioned, the external_id value will be stored in the user’s SCIM record within Verkada. This provides users with a flexible, API-queryable ID that remains unique to their org and fully under their control, without being tied to Verkada’s internal identifiers or exposed in the user interface.
Need more help? Contact Verkada Support.
Last updated
Was this helpful?