Setting up SCIM group synchronisation with Microsoft Entra
Below is a sample support article you can use to guide your customers or team members through the process of configuring SCIM-based group synchronization with Microsoft Entra (Azure AD). This assumes:
- You already have SCIM provisioning set up between Microsoft Entra and Hut Six.
- Users (and perhaps a small number of groups) are successfully syncing.
- You want to scale that setup and ensure full group syncing is working properly.
Overview
SCIM (System for Cross-Domain Identity Management) allows automated provisioning and management of identities between your identity provider (in this case, Microsoft Entra) and Hut Six. Although you may already see some users and certain groups syncing, extra steps are often required to synchronize additional or specific groups (and their members) to Hut Six.
This guide walks you through:
- Reviewing existing SCIM provisioning settings in Microsoft Entra.
- Configuring group attribute mappings and provisioning scope.
- Assigning additional groups (and their members) to sync.
- Validating that groups sync correctly in the Hut Six platform.
Prerequisites
- Microsoft Entra Admin Access: You need sufficient privileges to manage Enterprise Applications and their Provisioning/Assignments in Microsoft Entra.
- SCIM Endpoint and Credentials: You have already set up user provisioning with SCIM.
- Groups in Microsoft Entra: Groups that you plan to provision should exist in your tenant. If not, create or identify the groups you wish to sync.
1. Verify Your Current SCIM Provisioning Setup
- Open the Microsoft Entra Portal (Azure Active Directory).
- In the left-hand navigation menu, under "Identity", select Enterprise applications.
- Locate and select the enterprise application for Hut Six which you have been syncing with (the one configured for SCIM).
- Under Manage, choose Provisioning.
- Confirm that Provisioning mode is set to Automatic and that the Tenant URL (SCIM endpoint) and Secret Token are entered correctly.
- If your user sync is already working, these values should already be present and correct.
This ensures your SCIM connection details are accurate.
2. Enable Group Provisioning
- On the Provisioning page, scroll down to find Attribute Mappings.
- In the Mappings section, you will see two options: Provision Microsoft Entra ID Users and Provision Microsoft Entra ID Groups.
- Click Provision Microsoft Entra ID Groups to review or edit group-specific mappings.
- Ensure the relevant Attribute Mappings are enabled, particularly:
- displayName → displayName
- members → members
- If you do not see an active Group mapping, click Edit attribute mappings and enable the top toggle for group provisioning.
3. Assign Groups to the Application
Even if you have group provisioning enabled, you must explicitly assign groups for them to sync. This is a common oversight.
- In Microsoft Entra Portal, return to the Enterprise application for the Hut Six platform.
- Select Users and groups on the left-hand side.
- Click Add user/group (or Assign).
- In the assignment panel, search for the groups you wish to sync and select them.
- Click Assign to finalize.
5. Start or Restart the Provisioning Cycle
Microsoft Entra’s provisioning service runs in cycles, typically every 40 minutes. If you want to check immediate results:
- Return to the Provisioning page under the enterprise application.
- In the upper section, you may see a Provisioning status toggle. It should be set to On.
- Scroll down to Current Status or Provisioning details, and click Restart provisioning if available. This triggers an immediate check/sync rather than waiting for the scheduled cycle.
6. Verify Group Synchronization in Hut Six
After the provisioning completes or after the next scheduled sync, log in to Hut Six:
- Go to Manage and then Groups.
- Confirm that newly assigned groups appear, along with their correct display name and membership.
- Troubleshooting:
- If you do not see new groups, wait a few minutes and refresh.
- Review the Microsoft Entra Provisioning logs in Provisioning → View provisioning logs to see if there are any errors or warning messages indicating attribute mismatches or permission issues.
7. Best Practices
- Use a Test Group First: Before assigning all production groups, start with a small pilot group to confirm the sync flow.
- Monitor Provisioning Logs: Microsoft Entra's provisioning logs can provide insight into errors such as missing attributes, invalid tokens, or insufficient permissions.
8. Frequently Asked Questions
Q: I see users provisioning successfully, but no groups—what did I miss?
A: Usually, this indicates you haven’t assigned the groups to the application, or group provisioning isn’t enabled in attribute mappings. Double-check the “Assign Groups to the Application” step, and verify group mappings are enabled in the Provisioning settings.
Q: Can I force an immediate sync?
A: Yes. You can restart provisioning from the Provisioning → Current Status section of the Microsoft Entra enterprise application, or use the “Provision on demand” button where the Entra interface offers it. If unavailable, the service will run automatically on its next cycle (every ~40 minutes).
Q: Why do I see ‘invalid member reference’ errors in the logs?
A: This often occurs if a group contains a user who isn’t in scope or if the user’s attributes aren’t fully provisioned. Make sure each member object is also assigned or in scope for syncing.
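As an added illustration (not Hut Six's code and not part of the original article), the Python sketch below shows how a SCIM service provider applies the group PATCH messages that the displayName and members mappings from step 2 generate, and why a member that has not been provisioned first produces the "invalid member reference" error discussed above. The user ids, group ids and the PROVISIONED_USERS store are constructed sample data, and the Entra-style capitalised operation names are handled case-insensitively.

```python
import re

# Constructed sample: user ids Hut Six already holds from SCIM user provisioning
PROVISIONED_USERS = {"u-1001": "alice@example.com", "u-1002": "bob@example.com"}
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
_REMOVE_FILTER = re.compile(r'^members\[value\s+eq\s+"([^"]+)"\]$', re.IGNORECASE)

class InvalidMemberReference(ValueError):
    """A PATCH named a member id that was never provisioned (not in scope)."""

def apply_group_patch(group: dict, patch: dict, users: dict = PROVISIONED_USERS) -> dict:
    """Apply a SCIM 2.0 PatchOp to a Group (op names case-insensitive: Entra capitalises them)."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    members = {m["value"] for m in group.get("members", [])}
    for op in patch["Operations"]:
        name, path = op["op"].lower(), op.get("path", "")
        if name == "replace" and path.lower() == "displayname":
            group["displayName"] = op["value"]          # displayName -> displayName mapping
        elif name == "add" and path.lower() == "members":
            for ref in op["value"]:                     # members -> members mapping
                if ref["value"] not in users:           # member not yet provisioned
                    raise InvalidMemberReference(ref["value"])
                members.add(ref["value"])
        elif name == "remove" and (m := _REMOVE_FILTER.match(path)):
            members.discard(m.group(1))                 # path: members[value eq "<id>"]
        else:
            raise ValueError(f"unsupported operation: {op}")
    group["members"] = [{"value": v} for v in sorted(members)]
    return group

# Constructed PATCH body in the shape Entra emits for a rename plus a membership change
SAMPLE_PATCH = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Replace", "path": "displayName", "value": "Security Champions"},
    {"op": "Add", "path": "members", "value": [{"value": "u-1002"}]},
    {"op": "Remove", "path": 'members[value eq "u-1001"]'},
]}

def demo() -> dict:
    group = {"id": "g-1", "displayName": "Sec Champs", "members": [{"value": "u-1001"}]}
    return apply_group_patch(group, SAMPLE_PATCH)

def demo_invalid_member() -> str:
    bad = {"schemas": [PATCH_SCHEMA],
           "Operations": [{"op": "Add", "path": "members", "value": [{"value": "u-9999"}]}]}
    try:
        apply_group_patch({"id": "g-2", "displayName": "Pilot", "members": []}, bad)
    except InvalidMemberReference as exc:
        return str(exc)
    return ""
```

demo_invalid_member() reproduces the failure mode behind the log error: the member id u-9999 was never provisioned, so the group update is rejected until that user is in scope and synced.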