Azure Entra ID Provisioning

Once Microsoft Entra ID (formerly Azure AD) is wired up to TheStorage, your directory becomes the source of truth for who has an account. New hires land in TheStorage minutes after you assign them to the app, attribute changes flow through on each sync cycle, and offboarded employees are deactivated without anyone clicking a button.

The integration uses SCIM 2.0, the open standard for moving users between identity providers and applications. Plan on about 15 minutes for the first-time setup, plus another 10 minutes if you want profile photos (see Step 7).

Requirements

• A Global Administrator or Application Administrator role in your Microsoft Entra tenant.
• A TheStorage user with the Administrator role (needed to enable SCIM and copy the bearer token).
• A Microsoft Entra licence that includes automatic user provisioning (currently Entra ID P1 or higher).

Step 1: Enable SCIM in TheStorage

1. Sign in to TheStorage and open Settings > User Provisioning.

2. Toggle SCIM provisioning on. A dialog appears with a one-time bearer token.

3. Click Copy and stash the token somewhere safe — a password manager, or paste it straight into Step 12 below. TheStorage only keeps a hash, so once the dialog closes the raw value is gone for good. The only way to recover it is to regenerate, which invalidates the previous one.

4. Copy the Tenant endpoint URL shown below the token. It looks like:

   https://service.thestorage.app/api/<your-tenant>/scim/v2

   Keep both values to hand for the Entra configuration in Step 12.

Step 2: Create the Enterprise Application in Entra

5. Sign in to the Microsoft Entra admin center with an administrator account.

6. Navigate to Identity > Applications > Enterprise applications.

7. Click New application > Create your own application.

8. Configure:

   Field	Value
   Name	TheStorage SCIM Provisioning
   What are you looking to do with your application?	Integrate any other application you don't find in the gallery (Non-gallery)

9. Click Create and wait for the application to finish being created.

Step 3: Assign Users and Groups

10. Inside the new application, go to Users and groups > Add user/group. Pick the users or security groups that should be synchronised to TheStorage.

    Only assigned principals are provisioned — start with a small test group, then widen the scope once the first sync succeeds.

Step 4: Connect Entra to TheStorage

11. Open Provisioning in the left-hand menu and click Get started, then set Provisioning Mode to Automatic.

12. Expand Admin Credentials and fill in:

    Field	Value
    Tenant URL	The endpoint URL from Step 4
    Secret Token	The bearer token from Step 3

13. Click Test Connection. Entra issues a GET /Users?count=1 request against the endpoint and expects a 200 OK. If the test fails, double-check the endpoint URL (no trailing slash, correct tenant slug) and re-paste the token.

14. Click Save. Entra stores the configuration in a dormant state — nothing is pushed yet. The sync starts when you flip the switch in Step 17, so it's safe to save here and walk away if you need to.

Step 5: Review Attribute Mappings

15. Expand Mappings. Two mappings are created by default — Provision Azure Active Directory Users and Provision Azure Active Directory Groups.

16. Open the Users mapping and confirm the defaults match the attributes TheStorage expects:

    Entra attribute	SCIM attribute
    userPrincipalName	userName
    mail	emails[type eq "work"].value
    givenName	name.givenName
    surname	name.familyName
    displayName	displayName
    jobTitle	title
    department	(custom — optional)
    Switch([IsSoftDeleted], , "False", "True", "True", "False")	active

    TheStorage doesn't currently provision groups. Before moving on, open Settings below the mapping list and disable the Provision Azure Active Directory Groups mapping — leaving it on produces a steady stream of failed-mapping entries in the provisioning log without any benefit.

Step 6: Turn Provisioning On

17. Back on the Provisioning overview page, set Provisioning Status to On and click Save.

18. Entra runs the first cycle within a few minutes. Use View provisioning logs to track progress; each user should reach the status Provisioned in target system.

19. Open TheStorage's Users page and confirm the assigned users now appear with the Microsoft Entra badge on each row.

From here on, Entra runs an incremental sync roughly every 40 minutes. If you've just changed a mapping and want to see the result without waiting, use Provision on demand from the application's Provisioning page to push a single user immediately.

Step 7 (Optional): Profile Photos via Microsoft Graph

Entra can't push the binary photo over SCIM — thumbnailPhoto isn't exposed as a source attribute, and there's no other photo source in the mapping UI. TheStorage works around this by pulling each photo directly from Microsoft Graph during the same directory sync that brings in display names and job titles. You don't need any extra mapping on the Enterprise App side; you only need to connect Microsoft Entra ID as a Directory Provider in TheStorage so the sync has Graph credentials to use.

If you've already connected Entra as a Directory Provider during a previous integration, you're done — photos arrive on the next sync. Otherwise, follow the steps below. You'll be moving between two browser tabs (the Azure portal and TheStorage), so open both before you start.

Create the App Registration in Azure

20. In TheStorage, open Settings > Integrations > Directory Providers and click Microsoft Entra ID. The setup form appears with empty Client ID, Tenant ID, and Secret Key fields — leave it open in a second tab; you will paste values into it as you go.

21. In a new tab, open the Azure portal and sign in with an account that has at least the Application Administrator role.

22. From Azure services, choose Microsoft Entra ID (formerly Azure Active Directory).

23. In the left sidebar, select App registrations, then click + New registration at the top of the page.

    Why a separate app registration?

    The Enterprise Application from Step 2 can't be reused here — the two apps run in opposite directions. The Enterprise App holds a bearer token so Entra can push users to TheStorage; the App Registration you're about to create holds a client secret so TheStorage can pull from your tenant over Microsoft Graph. The Non-gallery flow you used in Step 2 also produces a service-principal-only entry, which can't host the client secrets and Graph permissions this side needs.

24. Configure:

    Field	Value
    Name	TheStorage Directory Sync
    Supported account types	Accounts in this organizational directory only (Single tenant)
    Redirect URI	Leave blank

    Click Register. Azure provisions the application and opens its overview page.

Copy the Client ID and Tenant ID

25. On the Overview page, locate Application (client) ID and Directory (tenant) ID. Copy each value and paste them into the matching fields in the TheStorage tab opened in Step 20.

Create a Client Secret

26. In the sidebar of the app registration, click Certificates & secrets, then under the Client secrets tab click + New client secret.

27. Configure:

    Field	Value
    Description	TheStorage Directory Sync
    Expires	24 months (the longest Azure allows; pick a shorter window only if your security policy requires it)

    Click Add.

28. Azure now shows the new secret with a Value column. Copy the Value (not the Secret ID) immediately and paste it into the Secret Key field on the TheStorage tab.

    warning

    Azure shows the secret value exactly once. Navigate away from this page and the value is permanently masked — there's no way to retrieve it later. If you miss the copy, delete the secret and create a new one.

Grant API Permissions

29. In the sidebar, click API permissions, then + Add a permission.

30. Choose Microsoft Graph at the top of the Request API permissions panel.

31. Pick Application permissions (not Delegated).

32. In the search box, type Directory.Read.All and tick the checkbox. Then type User.Read.All and tick that one as well. Click Add permissions.

    Why two permissions?

    Directory.Read.All lets TheStorage enumerate users and groups for directory sync. User.Read.All is the lowest scope that covers /users/{id}/photo/$value, the endpoint used to fetch each user's photo. Skip the second one and photo requests return 403.

33. Back on the API permissions page, click Grant admin consent for <your tenant> and confirm with Yes in the dialog. The Status column should change to a green check on both rows.

Save the Connection in TheStorage

34. Back in the TheStorage tab, all three fields should now be populated. Click Test Connection — TheStorage issues a test Graph call against your tenant, and a green banner confirms success. If the test fails, the usual suspects are missing admin consent (Step 33), a typo in one of the IDs, or pasting the secret's ID instead of its value.

35. Click Save. TheStorage encrypts the secret, schedules the first directory sync, and starts within a few minutes. Profile photos ride along with that sync — every user who has a photo set in Entra will see it on their TheStorage profile within one cycle.

Plan for the secret to expire

The client secret stored under Directory Providers is what TheStorage uses to call Graph, and Azure client secrets are short-lived — at most 24 months, often less depending on your tenant policy. When it expires, SCIM user provisioning keeps working, but photo sync goes quiet. The failure shows up in TheStorage's server logs, not in Entra's provisioning logs, so it's easy to miss.

Set a calendar reminder for two weeks before the expiry date. When it fires, generate a fresh secret in the Azure portal and paste the new value into Settings → Integrations → Directory Providers → Microsoft Entra ID. The same secret backs directory sync, so a single rotation covers both flows.