How to enable SCIM for Azure AD (Microsoft Entra ID)

Solution

You must register an OAuth2 client for SCIM provisioning with Azure AD (Microsoft Entra ID) by following the steps below:

1. Contact LaunchDarkly Support to request an OAuth2 client ID and secret.

2. When submitting your request, include the following information:

   • LaunchDarkly Account ID
   • Azure AD / Entra domain (e.g. https://example.onmicrosoft.com)
   • Maintainer name (optional): A technical contact within your organization
   • Maintainer URL (optional): The website for your company

3. Once verified, you’ll receive an encrypted file containing your  CLIENT_ID and CLIENT_SECRET. LaunchDarkly Support will provide instructions for decrypting this file.

4. Use your CLIENT_ID and CLIENT_SECRET to request an access token via curl:

curl --location 'https://app.launchdarkly.com/trust/oauth/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=<your_client_id>' \
  --data-urlencode 'client_secret=<your_client_secret>' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=scim'

The response will include an ACCESS_TOKEN that is valid for one year. Use this token as the Secret Token when configuring SCIM in Entra.

5. Configure SCIM in Entra Create a new enterprise application (do not use the LaunchDarkly gallery app or any existing SAML integration with LaunchDarkly).

   1. Go to Provisioning > Automatic.

   2. Set the Tenant URL to: https://app.launchdarkly.com/trust/scim/v2

   3. Set the Secret Token to your ACCESS_TOKEN.

   4. Click Test Connection, then Save.

6. Ensure that user attribute mappings are configured appropriately to match LaunchDarkly’s SCIM schema.

If the Provisioning tab is unavailable in your Entra application, it may be because the prebuilt SAML-based LaunchDarkly gallery app was used. In this case, you’ll need to create a custom enterprise application separately for SCIM provisioning.

Resources

• Enable SCIM provisioning in LaunchDarkly