1. Greenhouse Support
  2. All Recruiting topics
  3. Integrations
  4. Single sign-on (SSO)

Configure SCIM for Microsoft Entra ID

Permissions: Site Admin who can manage and configure SSO and SCIM

Product tier: Available for Advanced and Expert subscription tiers

This feature is currently in beta and may not be available to your organization. 

SCIM (System for Cross-domain Identity Management) is an open standard that allows you to create, update, and deactivate users between identity providers (like Microsoft Entra ID) and service providers (like Greenhouse Recruiting) more efficiently. When paired with Single-Sign On, implementing SCIM allows you to seamlessly manage user access to Greenhouse Recruiting:

  • SCIM: Automatically creates, updates, and removes user accounts based on when they're added in your identity provider.
  • SSO: Authenticates the user's account and allows them to sign in.

Notes:

  • Your organization must already use SSO for Microsoft Entra ID to use SCIM. 
  • The Microsoft Entra ID connection is set up by creating a custom app in your Microsoft Entra ID workspace.
  • Users who were deactivated in Entra ID before configuring SCIM will not automatically be deactivated in Greenhouse Recruiting.

In this article

Overview

To configure SCIM, you'll need to already be set up with Microsoft Entra ID SSO (Single Sign-On) as outlined in this article. If you have not already configured SSO for Entra ID, you won't have the custom application needed for SCIM provisioning.

Enabling SCIM involves the following steps: 

  • Turning on SCIM in Greenhouse Recruiting and using that information to update the Provisioning section of the custom application.
  • Configuring user mappings and updating default settings
  • Adding users in your custom application to the SCIM setup
  • Kicking off the auto-provisioning process

Activate SCIM for the GHR Organization

Navigate to the SCIM Configuration page (Configure > Dev Center > SCIM Configuration) and turn on the SCIM toggle.

Click Generate Token to create a unique identifier for this connection.  

Keep this page open, since you'll need both the Base URL and the SCIM token to configure the custom application in Entra ID, and open your custom application in Entra ID.

Configure SCIM in Entra ID Application

Next, you'll need to open Microsoft Entra ID and configure your custom application.

Under your custom Greenhouse Recruiting tile, click Provisioning on the left side of the Applications page. 

Click + New configuration and select Automatic. Under Admin Credentials, enter Base URL from the Greenhouse Recruiting SCIM configuration page in the Tenant URL field. Then, enter the token you generated in the Token field

Click Test connection to ensure the credentials are correct

When the test is successful, click Create to complete the configuration

Configure user attribute mappings in Entra ID

These attribute mappings control how data from Entra ID users will be mapped to the provisioned Greenhouse users. 

Opening attribute mappings

From the Entra ID Application page, click Provisioning > Mappings > Provision Microsoft Entra ID Users.

Under Target Object Actions, select Create and Update, and un-check Delete.

Notes: 

  • Greenhouse only supports provisioning Users via SCIM, not Groups.
  • Greenhouse does not support deleting users via SCIM, but users can be deactivated in Greenhouse via Entra or by removing their access from the application. 
  • For more information on this process, see the following Microsoft documentation.

Supported attributes

When creating a custom application, you'll need to configure the following mappings to connect the Microsoft Entra ID attributes to Greenhouse user accounts.

All other attributes in the mapping must be deleted to avoid errors.

Attribute Greenhouse field
userName User's primary email address.
active

Whether or not the user account is active in Greenhouse. When "active" is "false," the user account is disabled. When "active" is "true," the account is active.
name.givenName User's first name
name.familyName User's last name

urn:ietf:params:scim:schemas:extension:
enterprise:2.0:User:employeeNumber

User’s employee ID

When you're finished, click Save.

Add Users to the Entra ID application

All Users assigned to the Entra ID application will be provisioned into GHR.

To assign users in Entra ID,  click Users and groups in the left panel, and select Add user/group.

Select the Entra ID Users that you wish to be provisioned in GHR and click Assign.

Begin the automatic provisioning process

Once your initial setup is complete, you can enable the automatic provisioning process to automatically create and update user accounts via SCIM.

To start this process, click Users and groups in the left panel in Entra ID and click Start provisioning.

The first provisioning cycle will start immediately, and Entra ID will repeat this cycle every 40 minutes.

This is a set interval by Microsoft and means that any user account updates may take up to 40 minutes to be reflected in Greenhouse.

However, Microsoft offers the ability to automatically provision certain users with a manual sync. Read more here.