Azure Entra ID Provisioning

Push users from Microsoft Entra ID (formerly Azure AD) into TheStorage automatically. Once configured, new hires appear in TheStorage shortly after they are assigned to the app in Entra, attribute changes flow through within the next sync cycle, and offboarded employees are deactivated without a manual step.

The integration uses SCIM 2.0 — the industry standard for cross-domain user provisioning — so the same setup also works for other SCIM-capable identity providers with minor adjustments.

Requirements

• A Global Administrator or Application Administrator role in your Microsoft Entra tenant.
• A TheStorage user with the Administrator role (needed to enable SCIM and copy the bearer token).
• A Microsoft Entra licence that includes automatic user provisioning (currently Entra ID P1 or higher).

Step 1: Enable SCIM in TheStorage

1. Sign in to TheStorage and open Settings > User Provisioning.

2. Toggle SCIM provisioning on. A dialog appears with a one-time bearer token.

3. Click Copy and store the token somewhere temporary (a password manager, or paste it directly into Step 11 below). TheStorage stores only a hash of the token — once you close the dialog the raw value is gone for good, and the only way to recover it is to regenerate, which invalidates the current token.

4. Copy the Tenant endpoint URL shown below the token. It looks like:

   https://service.thestorage.app/api/<your-tenant>/scim/v2

   Keep both values to hand for the Entra configuration in Step 11.

Step 2: Create the Enterprise Application in Entra

5. Sign in to the Microsoft Entra admin center with an administrator account.

6. Navigate to Identity > Applications > Enterprise applications.

7. Click New application > Create your own application.

8. Configure:

   Field	Value
   Name	TheStorage
   What are you looking to do with your application?	Integrate any other application you don't find in the gallery (Non-gallery)

9. Click Create and wait for the application to be provisioned.

Step 3: Assign Users and Groups

10. Inside the new application, go to Users and groups > Add user/group. Pick the users or security groups that should be synchronised to TheStorage.

    Only assigned principals are provisioned — start with a small test group, then widen the scope once the first sync succeeds.

Step 4: Connect Entra to TheStorage

11. Open Provisioning in the left-hand menu and click Get started, then set Provisioning Mode to Automatic.

12. Expand Admin Credentials and fill in:

    Field	Value
    Tenant URL	The endpoint URL from Step 4
    Secret Token	The bearer token from Step 3

13. Click Test Connection. Entra issues a GET /Users?count=1 request against the endpoint and expects a 200 OK. If the test fails, double-check the endpoint URL (no trailing slash, correct tenant slug) and re-paste the token.

14. Click Save. Entra creates a dormant provisioning configuration; the actual sync remains off until Step 17.

Step 5: Review Attribute Mappings

15. Expand Mappings. Two mappings are created by default — Provision Azure Active Directory Users and Provision Azure Active Directory Groups.

16. Open the Users mapping and confirm the defaults match the attributes TheStorage expects:

    Entra attribute	SCIM attribute
    userPrincipalName	userName
    mail	emails[type eq "work"].value
    givenName	name.givenName
    surname	name.familyName
    displayName	displayName
    jobTitle	title
    department	(custom — optional)
    Switch([IsSoftDeleted], , "False", "True", "True", "False")	active

    TheStorage does not currently support group provisioning. Open Settings below the mapping list and disable the Provision Azure Active Directory Groups mapping before proceeding — this avoids a category of failed mappings on every sync.

Step 6: Turn Provisioning On

17. Back on the Provisioning overview page, set Provisioning Status to On and click Save.

18. Entra runs the first cycle within a few minutes. Use View provisioning logs to track progress; each user should reach the status Provisioned in target system.

19. Open TheStorage's Users page and confirm the assigned users now appear with the Microsoft Entra badge on each row.

After the initial sync, Entra runs incremental cycles roughly every 40 minutes. To force an immediate sync (after testing a mapping change, for instance), use Provision on demand from the application's Provisioning page.

Step 7 (Optional): Profile Photos via Microsoft Graph

Microsoft Entra's provisioning service cannot send the binary photo itself — thumbnailPhoto is not exposed as a source attribute, and no other photo source is selectable in the SCIM mapping UI. Instead, TheStorage pulls each user's photo directly from Microsoft Graph as part of the same directory sync that brings in display names and job titles. You do not need to add any photo mapping in the Entra Enterprise App — you only need to connect Microsoft Entra ID as a Directory Provider in TheStorage so the sync has Graph credentials to use.

Walk through the steps below to register the Azure app and connect it to TheStorage. If you already completed this during your initial Entra integration, you are done — photos appear on the next directory sync.

You will be jumping between two browser tabs throughout this section — the Azure portal and TheStorage. Open both before you start.

Create the App Registration in Azure

20. In TheStorage, open Settings > Integrations > Directory Providers and click Microsoft Entra ID. The setup form appears with empty Client ID, Tenant ID, and Secret Key fields — leave it open in a second tab; you will paste values into it as you go.

21. In a new tab, open the Azure portal and sign in with an account that has at least the Application Administrator role.

22. From Azure services, choose Microsoft Entra ID (formerly Azure Active Directory).

23. In the left sidebar, select App registrations, then click + New registration at the top of the page.

24. Configure:

    Field	Value
    Name	TheStorage
    Supported account types	Accounts in this organizational directory only (Single tenant)
    Redirect URI	Leave blank

    Click Register. Azure provisions the application and opens its overview page.

Copy the Client ID and Tenant ID

25. On the Overview page, locate Application (client) ID and Directory (tenant) ID. Copy each value and paste them into the matching fields in the TheStorage tab opened in Step 20.

Create a Client Secret

26. In the sidebar of the app registration, click Certificates & secrets, then under the Client secrets tab click + New client secret.

27. Configure:

    Field	Value
    Description	TheStorage
    Expires	24 months (the longest Azure allows; pick a shorter window only if your security policy requires it)

    Click Add.

28. Azure now shows the new secret with a Value column. Copy the Value (not the Secret ID) immediately and paste it into the Secret Key field on the TheStorage tab.

    warning

    Azure only displays the secret value once. As soon as you navigate away from this page the value is permanently masked — if you miss the copy, delete the secret and create another.

Grant API Permissions

29. In the sidebar, click API permissions, then + Add a permission.

30. Choose Microsoft Graph at the top of the Request API permissions panel.

31. Pick Application permissions (not Delegated).

32. In the search box, type Directory.Read.All and tick the checkbox. Then type User.Read.All and tick that one as well. Click Add permissions.

    Why two permissions?

    Directory.Read.All lets TheStorage enumerate your users and groups for directory sync. User.Read.All is the minimum scope that includes /users/{id}/photo/$value — the endpoint used to fetch each user's profile picture. Granting only the first will leave photo URLs returning 403.

33. Back on the API permissions page, click Grant admin consent for <your tenant> and confirm with Yes in the dialog. The Status column should change to a green check on both rows.

Save the Connection in TheStorage

34. Return to the TheStorage tab. All three fields should now be populated. Click Test Connection. TheStorage issues a test Graph call against your tenant — a green confirmation banner indicates success. If the test fails, the most common causes are: missing admin consent (Step 33), a typo in one of the IDs, or you pasted the secret's ID instead of its value.

35. Click Save. TheStorage stores the encrypted secret and schedules the first directory sync, which begins within a few minutes. Profile photos are downloaded as part of that sync — for every user with a photo set in Entra, the photo appears on their TheStorage profile within one cycle.

If a user has no photo in Entra, the user is left with whatever avatar they uploaded manually. Photos larger than 5 MB or unreachable within 15 seconds are skipped without failing the sync, and existing photos are reused on subsequent cycles without re-downloading.

Client secret expiry

The client secret stored under Directory Providers is what TheStorage uses to call Graph. Azure client secrets expire — at most 24 months from creation, often less depending on your tenant policy. When the secret expires, the user provisioning continues but photos stop updating silently (the failure is logged on the server, not surfaced in Entra's provisioning logs).

Set a calendar reminder for two weeks before the secret's expiry date, generate a new secret in the Azure portal, and paste it into Settings → Integrations → Directory Providers → Microsoft Entra ID. The same secret powers directory sync, so rotating it benefits both flows.