Configure SCIM for Azure Active Directory
The SCIM feature is only available for advanced preview customers.
Microsoft has changed the name of Azure Active Directory to Microsoft Entra ID. However, Nintex Workflow and the help still refer to this product as Azure Active Directory.
An administrator role is required. For information, see User roles.
Use SCIM to provision users and groups for Nintex Workflow within Azure Active Directory. SCIM supports role assignments and user and group management, ensuring streamlined integration across applications. To learn more about SCIM, see the SCIM help topic.
Create a Nintex Workflow application in Azure Active Directory
- Sign in to the Azure portal as an administrator and navigate to the Azure Active Directory service.
- Create a new enterprise application.
  - On the left, navigate to the Manage section, and then click Enterprise applications.
  - Click New application and then select Create your own application.
  - Type the name of the application.
  - From the list of reasons for creating the application, select Integrate any other application you don't find in the gallery.
  - Click Create.
- Provision user accounts.
  - On the left, navigate to the Manage section, and then click Provisioning.
  - Click Get started.
  - Set the provisioning mode to Automatic.
  - Open the Admin Credentials.
    Note: Use the credentials provided after creating a directory in Nintex Workflow. For more information, see Create a directory.
  - In the Tenant URL field, paste the base URL you copied from Nintex Workflow.
  - In the Secret token field, paste the API key you copied from Nintex Workflow.
  - Click Test connection.
  - Click Save.
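Before the base URL and API key are pasted into the Tenant URL and Secret token fields, an administrator can confirm that the pair reaches a SCIM endpoint and that the key is accepted. The following is an added example, not Nintex or Microsoft code; it assumes the endpoint follows RFC 7644 and accepts the API key as a bearer token, and the probe user name and the sample response in it are constructed placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PROBE_USER = "constructed-nonexistent-user@example.invalid"  # placeholder, must not exist

def build_probe(tenant_url, secret_token):
    """Build a SCIM query for a user that should not exist (assumes RFC 7644 /Users)."""
    base = tenant_url.strip()
    parts = urllib.parse.urlsplit(base)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Tenant URL must be an absolute https:// URL")
    token = secret_token.strip()
    if not token:
        raise ValueError("Secret token is empty")
    query = urllib.parse.urlencode({"filter": f'userName eq "{PROBE_USER}"'},
                                   quote_via=urllib.parse.quote)
    return urllib.request.Request(f"{base.rstrip('/')}/Users?{query}", headers={
        "Authorization": f"Bearer {token}",  # assumption: API key is a bearer token
        "Accept": "application/scim+json",
    })

def evaluate(status, body):
    """Classify the endpoint's answer to the probe."""
    if status in (401, 403):
        return "rejected: token not accepted"
    if status != 200:
        return f"unexpected HTTP status {status}"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not SCIM: body is not JSON"
    if not isinstance(doc, dict) or LIST_SCHEMA not in (doc.get("schemas") or []):
        return "not SCIM: ListResponse schema missing"
    if doc.get("totalResults") != 0:
        return "unexpected: probe user matched existing data"
    return "ok"

def probe(tenant_url, secret_token):
    """Send the probe; needs network access to the real endpoint."""
    req = build_probe(tenant_url, secret_token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return evaluate(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return evaluate(err.code, err.read())

if __name__ == "__main__":
    # Constructed sample response, evaluated offline.
    print(evaluate(200, json.dumps({"schemas": [LIST_SCHEMA], "totalResults": 0})))
```

Run `probe()` from a workstation that can reach the endpoint, and read the API key from a secret store or prompt rather than hard-coding it in the script.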
Add a group to Nintex Workflow groups in Azure Active Directory
Important: Add only the users and groups that need access to Nintex Workflow. Avoid adding all users and groups in your organization to prevent delays when syncing large organizations.
- Open the Nintex Workflow application you created in Azure Active Directory.
- On the left, navigate to the Manage section, and then click Users and groups.
  The Add assignment dialog is displayed.
- Click Add user/group and in the search box, enter the Nintex Workflow group name to add. For information, see Configure SCIM for Azure Active Directory.
- Click Select.
- Click Assign.
Assign members to the Nintex Workflow group in Azure Active Directory
- Open the Nintex Workflow application you created in Azure Active Directory.
- On the left, navigate to the Manage section, and then click Users and groups.
- Click the group name to assign members.
- On the left, navigate to the Members section, and then click Add members.
- In the search box, enter the member name you want to select.
- Click Select.
Note: Azure Active Directory performs SCIM synchronization every 40 minutes. If SCIM synchronization hasn’t started, refresh the application to update the provisioning logs.
Provision users on demand
Important: In Azure Active Directory, the provisioning service synchronizes user and group data with integrated applications approximately every 40 minutes. This interval is fixed and cannot be customized.
For immediate updates, such as urgent provisioning or deprovisioning of users, groups, or group memberships, the Provision on demand feature allows administrators to manually initiate provisioning for specific users or groups. This ensures that changes are reflected immediately without waiting for the next scheduled synchronization.
- Open the Nintex Workflow application you created in Azure Active Directory.
- On the left, click Provision on demand.
- Select a user or group.
- Under Selected users, select View members only.
- In the drop-down list, search for and select the group member you want to sync.
- Click Provision.
Delete user from the groups
- Open the Nintex Workflow group in Azure Active Directory.
- Select the user whose membership you want to remove.
- Click Remove membership.
Note: In Nintex Workflow, a user in multiple groups is assigned the highest role based on group memberships. If the user leaves a group, their role changes to the next highest available.
Verify users in Nintex Workflow tenants
- Sign in to Nintex Workflow using an email address with administrator privileges.
- Click Settings.
- Click User management.
- Under Users, search for the user name to which you assigned a role.
Onboarding a Large Organization to SCIM: Best Practices
These steps should be followed when creating rules based on custom-named Azure Active Directory groups.
- Pause auto-provisioning in Azure Active Directory.
  When creating an application for SCIM in Azure Active Directory, pause auto-provisioning. Do not start it immediately.
- Provision groups using Provision on demand.
  Use the Provision on Demand feature in Azure Active Directory to provision only the groups into Nintex Workflow, without selecting any users.
- Create rules in NAC.
  On the SCIM page in Nintex Workflow, create rules for the provisioned groups.
- Activate auto-provisioning in Azure Active Directory.
  Once the rules are created in Nintex Workflow, turn on auto-provisioning in Azure Active Directory.