SCIM (System for Cross-domain Identity Management) is an open standard that allows you to create, update, and deactivate users between identity providers (like Microsoft Entra ID) and service providers (like Greenhouse Recruiting) more efficiently. When paired with single sign-on (SSO), implementing SCIM allows you to seamlessly manage user access to Greenhouse Recruiting:
- SCIM: Automatically creates, updates, and removes user accounts based on when they're added in your identity provider.
- SSO: Authenticates the user's account and allows them to sign in.
Notes:
- Your organization must already use SSO for Microsoft Entra ID to use SCIM.
- The Microsoft Entra ID connection is set up by creating a custom app in your Microsoft Entra ID workspace.
- Users who were deactivated in Entra ID before configuring SCIM will not automatically be deactivated in Greenhouse Recruiting.
Overview
To enable SCIM, you'll complete the following steps:
- Activate SCIM in Greenhouse Recruiting and use that information to update the Provisioning section of the custom application.
- Configure user mappings and update default settings
- Add users in your custom application to the SCIM setup
- Kick off the auto-provisioning process
Activate SCIM for the GHR Organization
In Greenhouse Recruiting, navigate to the SCIM Configuration page (Configure > Dev Center > SCIM Configuration) and turn on the SCIM toggle.
Click Generate Token to create a unique identifier for this connection.
Keep this page open, since you'll need both the Base URL and the SCIM token to configure the custom application in Entra ID. Then open your custom application in Entra ID.
Configure SCIM in the Entra ID Application
Next, open Microsoft Entra ID to configure your custom application.
Under your custom Greenhouse Recruiting tile, click Provisioning on the left side of the Applications page.
Click + New application.
Under Admin Credentials, enter Base URL from the Greenhouse Recruiting SCIM configuration page in the Tenant URL field. Then, enter the token you generated in the Token field.
Click Test connection to ensure the credentials are correct.
When the test is successful, click Create to complete the configuration.
Configure user attribute mappings in Entra ID
These attribute mappings control how data from Entra ID users will be mapped to the provisioned Greenhouse users.
Open attribute mappings
From the Entra ID Application page, click Provisioning > Mappings > Provision Microsoft Entra ID Users.
Under Target Object Actions, select Create and Update, and un-check Delete.
Notes:
- Greenhouse only supports provisioning Users via SCIM, not Groups.
- Greenhouse does not support deleting users via SCIM, but users can be deactivated in Greenhouse via Entra or by removing their access from the application.
- For more information on this process, see the following Microsoft documentation.
Supported attributes
When creating a custom application, you'll need to configure the following mappings to connect the Microsoft Entra ID attributes to Greenhouse user accounts.
The Attribute Mappings section will include these default attributes:
- User name
- Active
- Given name
- Family name
- Employee ID
| Attribute | Greenhouse field |
|---|---|
| userName | User's primary email address. |
| active | Whether or not the user account is active in Greenhouse. When "active" is "false," the user account is disabled. When "active" is "true," the account is active. |
| name.givenName | User's first name |
| name.familyName | User's last name |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber | User’s employee ID |
Note: To avoid errors, delete all unsupported attributes.
When you're finished, click Save.
Additional attributes
If your organization uses values outside of the supported attributes, you can add custom attributes. From the Attribute Mapping page, select “Show advanced options.”
Select Edit attribute list for "customappsso" to view and configure the list of available Entra ID attributes.
Note: Greenhouse only supports single-valued custom fields: Yes/No, Single-Select, and User. To learn more about attribute mapping, read Microsoft’s attribute mappings in Microsoft Entra ID article.
Name field
urn:ietf:params:scim:schemas:extension:greenhouse:2.0:CustomField:<field_key>
To find this field key in Greenhouse, go to Configure > Custom Options > User to view all existing user custom fields. Edit or create a new custom field. At the bottom of that page, the new field_key value will be shown.
Type fields
To add a single-select attribute, set your field type to "String." The value will be mapped to the corresponding dropdown selection in Greenhouse.
To add a yes/no attribute, select "Boolean." Greenhouse attributes are not case sensitive and are mapped in the table below.
| Attribute | Greenhouse field |
|---|---|
| yes | yes |
| true | yes |
| no | no |
| false | no |
User fields
To add a Greenhouse user attribute, set the type field to "Reference" and ensure that the "Referenced Object Attribute" is set to:
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
Note: The Entra ID value for a Greenhouse “User” attribute should be a User referenced attribute type in Entra ID.
User attributes values
| Column | Value |
|---|---|
| type | reference |
| referenced object attribute | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User |
When you’ve configured your custom attributes, save your changes then return to Entra ID.
Map Entra ID attributes to Greenhouse attributes
Return to Entra ID, then go to the Attribute Mapping page. Click “Add new mapping” in the Attribute Mappings table. To create a new mapping, complete the following fields.
| Field | Definition | Notes |
|---|---|---|
| Mapping type | How the target value is calculated | See the table below for mapping types and definitions. |
| Source attributes | The Entra ID attribute value that will be synchronized with Greenhouse | |
| Target attributes | The Greenhouse attribute value that will be set from Entra ID data | Must match one of the newly added attributes in this format: urn:ietf:params:scim:schemas:extension:greenhouse:2.0:CustomField:<field_key> |
| Match objects using this attribute | Whether Entra ID should match users using a specific attribute | Always set to “No.” Greenhouse matches users based on email address (userPrincipalName). |
Mapping types
| Type | Definition |
|---|---|
| Direct | Uses the source value unchanged |
| Constant | Always uses a fixed specified value |
| Expression | Transforms source attributes before mapping. Example: invert isSoftDeleted before mapping to Greenhouse active, so that when isSoftDeleted is true, active is false, and vice versa. For help defining expressions, see Microsoft’s Reference for writing expressions for attribute mappings in Microsoft Entra ID. |
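The mapping rules above can be checked before provisioning is turned on. The following is an added example, not Greenhouse or Microsoft code: it audits a mapping set against the supported attributes, the custom field target format, the "Match objects" rule, and the Delete setting. The dict layout, the sample mappings, and the assumed field_key character set are constructed for illustration.

```python
import re

# Target attributes the page lists as supported by Greenhouse.
SUPPORTED = {
    "userName", "active", "name.givenName", "name.familyName",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber",
}
# Custom-field target format from the page; the field_key character set is assumed.
CUSTOM_FIELD = re.compile(
    r"urn:ietf:params:scim:schemas:extension:greenhouse:2\.0:CustomField:\w+")
# Yes/No values from the page's table, compared case-insensitively.
YES_NO = {"yes": "yes", "true": "yes", "no": "no", "false": "no"}


def to_yes_no(value):
    """Return the Greenhouse Yes/No value for a source value, or None if unmapped."""
    return YES_NO.get(str(value).strip().lower())


def audit(object_actions, mappings):
    """Check a mapping set (hypothetical dict layout) against the page's rules."""
    findings = []
    if "Delete" in object_actions:
        findings.append("Delete is checked under Target Object Actions")
    for m in mappings:
        target = m["target"]
        is_custom = CUSTOM_FIELD.fullmatch(target) is not None
        if target not in SUPPORTED and not is_custom:
            findings.append(f"unsupported target attribute: {target}")
        if is_custom and m.get("match_objects"):
            findings.append(f"'Match objects' must be No for: {target}")
    return findings


# Constructed sample for illustration, not an Entra ID export.
GH = "urn:ietf:params:scim:schemas:extension:greenhouse:2.0:CustomField:"
SAMPLE_ACTIONS = ["Create", "Update", "Delete"]
SAMPLE_MAPPINGS = [
    {"source": "userPrincipalName", "target": "userName", "match_objects": True},
    {"source": "isSoftDeleted", "target": "active"},
    {"source": "givenName", "target": "name.givenName"},
    {"source": "jobTitle", "target": "title"},
    {"source": "department", "target": GH + "department", "match_objects": True},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACTIONS, SAMPLE_MAPPINGS):
        print("FINDING:", finding)
```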
Add and provision users in Entra ID
Users assigned to the Entra ID application will be provisioned into Greenhouse Recruiting.
To assign users in Entra ID, click Users and groups in the left panel, and select Add user/group.
Select the Entra ID Users that you want to provision and click Assign.
Test your attribute mappings
During initial setup, use “Provision on demand” to test your configuration. When you’re happy with your mappings, you can use automatic provisioning to provision users in bulk.
From the left-hand menu, select Provision on demand.
Enter the name or email address of a user, then review your mappings. If your mappings are correct, save time by provisioning users in bulk with automatic provisioning.
Automatically provision users
When you’re ready to automatically sync all user accounts from Entra ID to Greenhouse, go to Overview > Start provisioning.
The first provisioning cycle will start immediately, and Entra ID will repeat this cycle every 40 minutes.
This is a set interval by Microsoft and means that any user account updates may take up to 40 minutes to be reflected in Greenhouse.
However, Microsoft offers the ability to automatically provision certain users with a manual sync. Read more here.