Gallery Apps vs Generic SCIM
When configuring application provisioning, you choose between two main approaches: using a pre-integrated gallery app connector or configuring a generic SCIM endpoint. Both use the same provisioning engine, but they differ in setup effort, available features, and the level of customization required.
Gallery App Provisioning
The Microsoft Entra application gallery contains hundreds of pre-integrated SaaS applications with provisioning connectors built and tested by Microsoft and the app vendors. Examples include Salesforce, ServiceNow, Slack, Dropbox, Zoom, and Snowflake.
What gallery apps give you:
- Pre-configured attribute mappings. Default mappings between Entra ID user attributes and the target app’s user schema are already set up. You can customize them, but you do not have to start from scratch.
- Guided setup. Each gallery app has a configuration tutorial that walks through the specific credentials, permissions, and settings needed.
- Tested compatibility. The connector has been validated against the app’s API. Edge cases in the app’s SCIM implementation (or proprietary API) have been handled.
- App-specific behaviors. Some gallery apps support features beyond basic SCIM, such as role provisioning, group provisioning, or custom attribute types.
Setting up a gallery app:
1. Navigate to Entra ID > Enterprise apps > New application.
2. Search the gallery for your application.
3. Add the application and go to the Provisioning tab.
4. Set mode to Automatic and enter the admin credentials (usually a tenant URL and secret token, or an OAuth flow).
5. Test the connection, review the default mappings, adjust scoping, and start provisioning.
Gallery apps are the path of least resistance. If your target application is in the gallery, use the gallery connector.
Generic SCIM Provisioning
For applications not in the gallery, generic SCIM provisioning lets you connect to any application that exposes a SCIM 2.0-compliant endpoint. You provide the endpoint URL and a bearer token or other credentials, and the provisioning service handles the rest.
This requires more setup work because there are no pre-configured mappings. You build the attribute mappings yourself based on the application’s SCIM schema.
When to use generic SCIM:
- The application is not in the gallery but has a SCIM 2.0 endpoint.
- You have built a custom SCIM endpoint for your own application.
- You need to provision to a third-party system with a SCIM API that Microsoft has not pre-integrated.
Setting up generic SCIM:
1. Navigate to Entra ID > Enterprise apps > New application > Create your own application.
2. Select “Integrate any other application you don’t find in the gallery.”
3. Go to the Provisioning tab and set mode to Automatic.
4. Enter the Tenant URL (your SCIM endpoint) and the Secret Token (bearer token).
5. Test the connection.
6. Build attribute mappings from scratch based on the target application’s SCIM schema.
7. Configure scoping, test with on-demand provisioning, and start.
SCIM Protocol Basics
Both gallery and generic SCIM provisioning use SCIM 2.0 under the hood. For operators, the key things to know:
SCIM is a REST API standard. It defines a common schema for user and group resources, and standard HTTP operations for managing them:
| Operation | HTTP Method | Purpose |
|---|---|---|
| Create | POST /Users | Create a new user |
| Read | GET /Users/{id} | Retrieve a user |
| Update | PATCH /Users/{id} | Update specific attributes |
| Replace | PUT /Users/{id} | Replace all attributes |
| Delete | DELETE /Users/{id} | Remove a user |
| Search | GET /Users?filter=... | Find users matching criteria |
The same operations apply to /Groups.
Core user attributes defined by SCIM include userName, name (with givenName, familyName), emails, active, displayName, and externalId. Applications can extend the schema with custom attributes.
Filtering uses a query syntax like userName eq "jsmith" or externalId eq "12345". The provisioning engine uses these filters for matching operations.
The provisioning service acts as a SCIM client. It sends SCIM requests to the target application’s SCIM server endpoint. The application must implement the server side of the SCIM spec.
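The following Python module is an added example written for this page; it is not Microsoft's provisioning service, not a gallery connector, and not a reference implementation. It shows both halves of the exchange described above and what "Build a SCIM endpoint" later on the page entails: a minimal in-memory SCIM 2.0 server for `/Users` that checks the bearer token, enforces `userName` uniqueness, answers `userName eq "..."` / `externalId eq "..."` filters (attribute names matched case-insensitively, as the spec requires), and applies `PATCH` operations with or without a `path`; and a client-side `provision_user` function that does the matching flow a provisioning engine performs (search by `externalId`, then `POST` or `PATCH`). Assumptions: the token `example-secret-token` and all user data are constructed; only the simple `eq` filter form from the text is parsed; `PATCH` paths are top-level attributes only; `PUT` and `DELETE` are left out to keep the example short. The `externalId` quote check is there because a filter expression built from unvalidated input is an injection point on the client side.

```python
"""In-memory SCIM 2.0 /Users server and the client-side matching flow. Example code, not Microsoft's."""
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
FILTER_RE = re.compile(r'^\s*(\w+)\s+eq\s+"([^"]*)"\s*$', re.IGNORECASE)  # attr eq "value" form only

def parse_filter(expr):
    """Return (attribute, value) for a filter such as userName eq "jsmith"."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported SCIM filter: {expr!r}")
    return m.group(1), m.group(2)

def get_attr(resource, name):
    """SCIM attribute names are case-insensitive, so compare lowercased keys."""
    return next((v for k, v in resource.items() if k.lower() == name.lower()), None)

def scim_error(status, detail):
    return {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}

class ScimServer:  # the server side of the spec: what the target application must implement
    def __init__(self, bearer_token):
        self._token = bearer_token  # constructed secret; load from a secret store in practice
        self._users = {}            # id -> resource

    def handle(self, method, path, headers, query=None, body=None):
        """Dispatch one request; returns (http_status, response_body)."""
        if headers.get("Authorization") != f"Bearer {self._token}":
            return 401, scim_error(401, "invalid bearer token")
        parts = path.strip("/").split("/")
        if parts[0] != "Users" or len(parts) > 2:
            return 404, scim_error(404, "unknown resource")
        if len(parts) == 1:
            if method == "POST":
                return self._create(body or {})
            if method == "GET":
                return self._search((query or {}).get("filter"))
            return 405, scim_error(405, "method not allowed")
        user = self._users.get(parts[1])
        if user is None:
            return 404, scim_error(404, "user not found")
        if method == "GET":
            return 200, user
        if method == "PATCH":
            return self._patch(user, body or {})
        return 405, scim_error(405, "method not allowed")

    def _create(self, body):
        if not (user_name := body.get("userName")):
            return 400, scim_error(400, "userName is required")
        if any(u["userName"].lower() == user_name.lower() for u in self._users.values()):
            return 409, scim_error(409, "userName already exists")  # uniqueness rule
        user = dict(body, id=str(uuid.uuid4()), schemas=[USER_SCHEMA], meta={"resourceType": "User"})
        user.setdefault("active", True)
        return 201, self._users.setdefault(user["id"], user)

    def _search(self, filter_expr):
        matches = list(self._users.values())
        if filter_expr:
            try:
                attr, value = parse_filter(filter_expr)
            except ValueError as exc:
                return 400, scim_error(400, str(exc))
            matches = [u for u in matches if get_attr(u, attr) == value]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(matches), "startIndex": 1,
                     "itemsPerPage": len(matches), "Resources": matches}

    def _patch(self, user, body):
        if PATCH_SCHEMA not in body.get("schemas", []):
            return 400, scim_error(400, "expected a PatchOp request")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() not in ("add", "replace"):  # both "Replace" and "replace" arrive
                return 400, scim_error(400, f"unsupported operation {op!r}")
            if op.get("path"):
                user[op["path"]] = op.get("value")  # e.g. path "active", value false to disable
            else:
                user.update(op.get("value") or {})  # no path: value is a partial resource to merge
        return 200, user

def provision_user(server, token, entra_user):
    """Client side, as a provisioning engine does it: match on externalId, then POST or PATCH."""
    if '"' in entra_user["externalId"]:  # never splice unvalidated input into a filter expression
        raise ValueError("externalId must not contain a double quote")
    headers = {"Authorization": f"Bearer {token}"}
    query = {"filter": f'externalId eq "{entra_user["externalId"]}"'}
    status, found = server.handle("GET", "/Users", headers, query=query)
    if status != 200:
        raise RuntimeError(f"search failed: {status} {found}")
    if found["totalResults"] == 0:
        status, user = server.handle("POST", "/Users", headers, body=entra_user)
    else:
        patch = {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "replace", "value": entra_user}]}
        status, user = server.handle("PATCH", f"/Users/{found['Resources'][0]['id']}", headers, body=patch)
    if status not in (200, 201):
        raise RuntimeError(f"provisioning failed: {status} {user}")
    return user
```

Two details matter when you implement the real thing. First, the secret token grants full create/update/disable rights over every account in the application, so treat it like an admin credential: store it in a secret store, scope it to the provisioning integration only, and rotate it. Second, a client that cannot match on `externalId` will create duplicate accounts on every cycle, so make sure the search endpoint honours the filter exactly and returns `totalResults` correctly; the disable pattern (`PATCH` with `path` `active` and value `false`) is what keeps an offboarded user's data intact while removing access.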
Comparison
| Aspect | Gallery App | Generic SCIM |
|---|---|---|
| Setup effort | Low; pre-configured mappings and guided tutorials | Medium; manual attribute mapping required |
| Credential type | App-specific (OAuth, API key, etc.) | Typically bearer token |
| Attribute mappings | Pre-configured defaults, customizable | Built from scratch |
| Compatibility | Tested and validated by Microsoft | Depends on the quality of the SCIM implementation |
| Available apps | Hundreds in the gallery | Any SCIM 2.0-compliant endpoint |
| Group provisioning | App-dependent; many gallery apps support it | Depends on the endpoint’s group support |
| Support | Microsoft and app vendor have tested the integration | You own the integration |
When to Choose Which
Use a gallery app when the application is available in the gallery. Even if you think you might want more control, start with the gallery connector. The pre-configured mappings and tested compatibility save significant time. You can always customize the mappings after setup.
Use generic SCIM when the application is not in the gallery but has a SCIM endpoint. Also use it for custom-built applications where you control the SCIM server implementation.
Build a SCIM endpoint if your application does not have one and you want to enable automated provisioning from Entra ID. The SCIM 2.0 spec is well-documented, and Microsoft provides guidance and a reference validator for testing compliance.
Request gallery integration if you are an ISV and want your application to appear in the gallery with a pre-integrated connector. Microsoft provides a process for submitting applications through the Entra application gallery listing.
What About Non-SCIM Applications?
Not all applications support SCIM. For these, Entra provides additional options:
- On-premises connectors via the ECMA connector host can provision to LDAP directories, SQL databases, and REST/SOAP APIs without a SCIM endpoint on the target.
- Inbound API-driven provisioning accepts identity data that external systems push into Entra ID.
These are covered in separate deep-dive pages: On-Premises Connectors and Inbound API Provisioning.
Next Steps
- Configure Provisioning walks through setting up a gallery app, scoping, mappings, and testing.
- Monitoring and Logs covers how to track provisioning health after setup.