Skip to main content

Microsoft Entra ID SCIM Integration

Learn how to integrate Verkada Command with Microsoft Entra ID for SCIM

Updated this week

Depending on your use case, Verkada Command has the ability to integrate with Microsoft Entra ID, amongst other Identify Providers [IdPs], in the following capacities:

  • Security Assertion Markup Language (SAML)

  • System for Cross-Domain Identity Management (SCIM)

SAML handles the authentication side of things allowing Microsoft Entra ID to be used to manage access to Command, the same as any other Software as a Service (SaaS) application already integrates into your Microsoft Entra ID tenant. This means that you can incorporate Command into your existing identity framework and authorize users based on your current policies.

SCIM allows you to leverage your existing users and groups already present in Microsoft Entra ID and synchronize these with Command. This allows you to retain the current central IdP, and configure permissions in Command using your existing users and groups.


Set up SCIM in Microsoft Entra ID

Before you configure SCIM in Microsoft Entra ID, you need to generate your secret token from Command:

  1. In Verkada Command, go to All Products > Admin .

  2. Under Org Settings, select Security & Access > SCIM Users Provisioning.

  3. Click Add Domain, and enter all relevant email domains you plan to use with SCIM.

    This generates a SCIM token, which is viewable only once.

    1. Click Copy and store the token in a secure place to use later in the configuration.

    2. Click Refresh to generate a new token if you did not copy your token or it is not visible.

  4. From the Microsoft Entra ID homepage, select Enterprise applications > New application > Create your own application.

  5. In the Create your own application side panel, type the application's name, select the non-gallery application, and click Create.

  6. Under Provision User Accounts, click Get started.

  7. On the provisioning page:

    1. Set the Provisioning Mode to Automatic.

    2. Set the Tenant URL as:

    3. Fill in the SCIM token generated in Verkada Command (step 2) as the secret token.

  8. Click Test Connection. You should see a confirmation that the SCIM connection is successful.

  9. Click Save.


Configure attributes for Microsoft Entra ID groups

  1. Click to expand the Mappings dropdown, then select Provision Microsoft Entra ID Groups.

  2. Configure your mappings to match this screenshot of the data table:

    Note: The externalId attribute is added by default. Remove this attribute to avoid issues with the configuration.

  3. (Optional) If you need to add a mapping:

    1. Click Add New Mapping > select the Source attribute to match the Microsoft Entra IDattribute above.

    2. Set the Target attribute to match the customappsso attribute above.

    3. Click OK.

  4. Click Save and confirm changes, if necessary.

  5. At the top of the page, select Provisioning to return to the Provisioning page.


Configure attributes for Microsoft Entra ID users

  1. Click to expand the Mappings dropdown, then select Provision Microsoft Entra ID Users to change the user mappings.

  2. Update your mappings to match the attribute table below.

    Note: The Switch attribute under Microsoft Entra ID Attribute is added as an Expression mapping type.

    Switch([IsSoftDeleted], , "False", "True", "True", "False")

    Note: Source Attribute is the Microsoft Entra ID Attribute and Target Attribute is the customerappsso Attribute. If any of the customappsso attributes are not available as a Target Attribute, you may need to add them to your Microsoft Entra ID platform as an option. To do so, check the Show advanced options box and click Edit attribute list for customappsso.

    Note: SCIM-managed users no longer have the option to edit their phone number in Command; instead, they can only be provisioned via SCIM. On the IDP side, you can set up your attribute mapping such that any field in your IDP instance maps to the phone number field in Command. You can also set it up such that the no field in the IDP maps to the phone number field in Command. However, even in this case, phone numbers remain a locked field in Command and can only be edited through SCIM.

  3. Click Save to confirm the changes.

  4. At the top, select Provisioning and toggle on Provisioning Status.

  5. Depending on the requirements, adjust the scope to one of the required options:

    • Sync all users and groups.

    • Sync only assigned users and groups.

      Note: Ensure users and groups are assigned to the enterprise application under Users and Groups. Those assigned are the ones provisioned and present in Command.

  6. Verify that users are assigned to the application. Once the initial provisioning cycle has elapsed:

    1. You should see the total number of users and groups that have been provisioned successfully under Overview.

    2. In Command, you should see these users and groups populated with the associated SCIM Managed tag. These synchronized users and groups can now be used in Command and assigned permissions to control access to the Command platform.

Attribute table


(Optional) Add access credentials to SCIM users

Configure Attributes on your Entra SCIM Application

  1. Log in to your Azure portal.

  2. In the search bar, type and select Enterprise Applications.

  3. Select your Verkada SCIM application.

  4. On the left panel, click Manage > Provisioning.

  5. Expand the Mappings submenu and select Provision Microsoft Entra ID Users.

  6. At the bottom, click Show advanced options > Edit attribute list for customappsso.

    1. Add the attributes from the table below.

    2. Click Save.

  7. Go back to Provision Microsoft Entra ID Users and select Add New Mapping.

    1. Use extensionAttributes 1-5 as Source Attributes and map them to the new attributes we created using Card Format, Card Number, Card Number Hex, Credential Status, and Facility Code as the target attributes.

      1. Reference Acceptable Card Formats for accepted card formats and their associated facility code, card number, and/or card number hex lengths.

      2. Credential Status can be "active" or "deactivated."

    2. Click Save.

Attribute table

Name

Type

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardFormat

String

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumber

String

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumberHex

String

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:credentialStatus

String

urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:facilityCode

String

Edit the App Registration

Every SCIM enabled Enterprise Application created on Entra AD typically requires its own App Registration.

  1. In the search bar, type and select App registrations.

  2. Switch to the All Applications tab and search for the name of your Verkada SCIM application.

  3. On Overview, note your App Registration’s Application (client) ID and Directory (tenant) ID. You will need these later to configure credentials for your Command application from your app registration.

  4. On the left navigation, click Manage.

    1. Under Certificates & secrets:

      1. Click New client secret.

      2. Set the Description to "Verkada SCIM Credentials" and set your preferred certificate expiration date.

      3. Copy and store the value displayed in the Value of the new Client Secret created. This will only be displayed once.

    2. Under API Permissions:

      1. Click Add Permissions > Microsoft Graph.

      2. Select Application Permissions and search for "User.ReadWrite.All”.

        1. Check the box to assign the permissions.

        2. Click Add Permissions.

      3. To avoid having to manually review and approve all stage changes communicated between Azure Entra and your Command application, select Grant admin consent for Default Director.

Refer to this list of credentials for acceptable card formats.

Access and update your credentials

To set the extension attributes and the credential information for a particular user, use the Graph API instructions at: https://learn.microsoft.com/en-us/graph/extensibility-overview.

Note: Setting the credentialStatus attribute to active when setting up a credential for a user is necessary to successfully sync credentials with Command. Where credential status (credentialStatus) is extensionAttribute4.

Example:

curl --location --request PATCH 'https://graph.microsoft.com/v1.0/users/<UserID>' \
--header 'Authorization: Bearer <secure token>' \
--header 'Content-Type: application/json' \
--data '{
"onPremisesExtensionAttributes": {
"extensionAttribute1": "Standard 26-bit Wiegand",
"extensionAttribute2": "7777",
"extensionAttribute3": "7",
"extensionAttribute4": "active",
"extensionAttribute5": "111"
}
}'

Syncing External ID to Verkada

The externalId field allows you to assign a persistent, globally unique identifier to your users through Microsoft Entra that Verkada can reference across integrations. This is especially useful for large enterprise environments where users may need to be disambiguated across systems, or where syncing credentials (e.g., access cards) must be tied to a unique identity key. Verkada supports receiving and storing this value as part of its SCIM user schema. The field is case-sensitive and is typically configured to accept a string value from a designated attribute in your Microsoft Entra instance. This feature supports advanced workflows such as custom credential management, employee lifecycle automation, and consistent user mapping across orgs.

How to Map externalId from Azure to Verkada

To sync a custom externalId value from Microsoft Entra ID (Azure) to Verkada, follow these steps:

  1. Log in to your Azure portal.

  2. In the search bar, type and select Enterprise Applications.

  3. Select your Verkada SCIM application.

  4. On the left panel, click Manage > Provisioning.

  5. Expand the Mappings submenu and select Provision Microsoft Entra ID Users.

  6. Scroll to the bottom and click Show advanced options > Edit attribute list for customappsso.

  7. Add the following new attribute:

    urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:externalId

    • Type: String

    • Case-sensitive: Yes

  8. Click Save.

  9. Go back to Provision Microsoft Entra ID Users and click Add New Mapping.

  10. For Source Attribute, select the field from Azure AD where your external ID is stored (e.g., extensionAttribute1, employeeId, etc.).

  11. For Target Attribute, use: urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:externalId

  12. Click OK and then Save.

Once provisioned, the external_id value will be stored in the user’s SCIM record within Verkada. This provides users with a flexible, API-queryable ID that remains unique to their org and fully under their control, without being tied to Verkada’s internal identifiers or exposed in the user interface.

Prefer to see it in action? Check out the video tutorial.

Need more help? Contact Verkada Support.

Did this answer your question?