
How to use the Microsoft Entra SCIM Provisioning Service

This document describes how to configure your Microsoft Entra tenant to provision employees and groups on Riot.

Updated over a week ago

1️⃣ Activating SCIM on Riot

Connect to your Riot workspace, and go to Settings > Workforce.

There is a section called “SCIM Provisioning”. Click the “Connect” button to get started.

Select “Microsoft” as your identity provider, and click “Continue”.

As the first step, you will need to connect via SSO with Microsoft.

Click the “Connect” button, and sign in to Microsoft. You will be redirected back to Riot after the sign-in is complete.

2️⃣ Creating a Microsoft Entra application for SCIM provisioning

Connect to the Microsoft Entra admin center. In the left sidebar, go to Entra ID > Enterprise apps.

Click “New application”. This will lead you to the Microsoft Entra App Gallery.

Click “Create your own application”.

In the right panel that just opened, enter “Riot SCIM Provisioning”. Any name will do, so you can use something else if you prefer. Make sure the option “Integrate any other application you don't find in the gallery (Non-gallery)” is selected.

Click “Create”.

After the application is created, you will be redirected to the application settings.

Go to “Provisioning”.

Click “Connect your application”.

Make sure that “Bearer Authentication” is selected for the field “Select authentication method”.

Go to Riot, and copy the “SCIM Endpoint URL” into the “Tenant URL” field in Microsoft Entra.

Click “Generate Bearer Token” on Riot, and copy the value into the “Secret Token” field in Microsoft Entra.

Click “Test Connection”. A toast notification should appear and tell you the test was successful.

You can now click “Create”.

3️⃣ Configuring the provisioning of groups

Go to “Attribute Mapping”.

The default configuration is to allow provisioning of Groups. If you do not want Microsoft Entra to create groups in Riot, click “Provision Microsoft Entra ID Groups” and, in the following screen, switch the “Enabled” option to “No” and click “Save”.

The recommended Attribute Mappings for groups are the default configuration, as illustrated in the following screenshot:

4️⃣ Configuring the provisioning of employees

Go to “Attribute Mapping” one more time, and click “Provision Microsoft Entra ID Users”.

As the default configuration of the “Attribute Mapping” section results in sending data that the Riot platform cannot actually use, we will need to make the following modifications:

  • displayName: Delete

  • emails[type eq "work"].value:

    • If the “mail” attribute is properly filled in your Entra tenant, you can leave it as it is.

    • If the “mail” attribute is not properly filled in your Entra tenant, and you use emails as the userPrincipalName, you can click “Edit” and select “userPrincipalName” as the Source Attribute instead.

  • name.formatted: Delete

  • Everything containing “addresses[type eq "work"]”: Delete

  • Everything containing “phoneNumber”: Delete

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber: Delete

Click “Save” to save the changes made so far.

  • externalId: Edit > Select “objectId” in the “Source attribute” option and click “OK”

Click “Save”.

Click “Show advanced options”, and then “Edit attribute list for customappsso”, and make the following changes:

  • emails[type eq "work"].value : Click Required

  • name.givenName : Click Required

  • name.familyName : Click Required
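
To confirm that the mapping changes in this section took effect, a SCIM User body can be audited against them: required attributes present, externalId carrying the objectId, and the deleted attributes no longer sent. The Python below is an added example, not code from Riot or Microsoft; the function names and both sample payloads are constructed, and the GUID check assumes externalId is mapped from objectId as described above.

```python
import uuid

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

def work_email(user):
    """Return the value of emails[type eq "work"], or None if absent."""
    return next((e["value"] for e in user.get("emails", [])
                 if e.get("type") == "work" and e.get("value")), None)

def audit_scim_user(user):
    """Return a list of findings; an empty list means the body matches the mapping."""
    findings, name = [], user.get("name", {})
    # Attributes marked Required in the attribute list.
    if not work_email(user):
        findings.append('missing required emails[type eq "work"].value')
    for part in ("givenName", "familyName"):
        if not name.get(part):
            findings.append(f"missing required name.{part}")
    # externalId is mapped from objectId, which Entra formats as a GUID.
    try:
        uuid.UUID(str(user.get("externalId")))
    except ValueError:
        findings.append("externalId is not an objectId GUID")
    # Attributes deleted from the mapping should no longer be sent.
    if "displayName" in user:
        findings.append("unexpected displayName")
    if "formatted" in name:
        findings.append("unexpected name.formatted")
    for key in ("addresses", "phoneNumbers"):
        if user.get(key):
            findings.append(f"unexpected {key}")
    if "employeeNumber" in user.get(ENTERPRISE, {}):
        findings.append("unexpected enterprise employeeNumber")
    return findings

# Constructed sample bodies (not captured from a real tenant).
EXPECTED = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "externalId": "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b",
    "userName": "ada@example.com", "active": True,
    "name": {"givenName": "Ada", "familyName": "Lovelace"},
    "emails": [{"type": "work", "primary": True, "value": "ada@example.com"}],
}
DEFAULT_LIKE = {**EXPECTED, "externalId": "ada", "displayName": "Ada Lovelace",
                "name": {**EXPECTED["name"], "formatted": "Ada Lovelace"},
                "phoneNumbers": [{"type": "work", "value": "+1 555 0100"}],
                ENTERPRISE: {"employeeNumber": "1001"}}

if __name__ == "__main__":
    print(audit_scim_user(EXPECTED), audit_scim_user(DEFAULT_LIKE), sep="\n")
```
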

The recommended Attribute Mappings are illustrated in the following screenshot:


5️⃣ Configuring the remaining settings

In the application settings, go to “Provisioning” and click “Settings” to reveal some additional settings that might be of interest:

  • Send an email notification when a failure occurs: Enable this if you want to be notified in case of errors during the provisioning, enter your email address, and click “Save”.

  • Scope: By default, Entra will provision only assigned users and groups. If you want to provision all users and all groups, you can select this here, and click “Save”.

If you kept the Scope on “Sync only assigned users and groups”, now is the time to assign them.

Go to “Users and groups” and click “Add user/group”.

Click “None Selected” and select some users and/or groups, and click “Assign”.

6️⃣ Trying the provisioning on a few users

If you want to try the provisioning on a few users first, go to “Provisioning on Demand” and search for the users and/or groups you want to provision on demand. If provisioning a group, you will need to pick at most 5 users for the provisioning on demand. Then click “Provision” to see if it works.

7️⃣ Start the provisioning

When you are ready, go to “Overview”, and click “Start Provisioning”.

Provisioning happens at fixed hours during the day, every 40 minutes. This means the provisioning will not start immediately, and you will have to wait for the Microsoft Entra Provisioning Service to provision all your users and groups.
