# SCIM Provisioning using Azure Active Directory

The System for Cross-Domain Identity Management (SCIM) user management API enables automatic provisioning of users between the Code Ocean Platform and Azure Active Directory (AAD).

{% hint style="info" %}
Setting up Groups is the best way to ensure that new users will have all relevant Capsules, Data, and Pipelines available to them when they join, and that there will be no lost assets when team members leave.

It is best practice to utilize Group sharing when working with shared assets.
{% endhint %}

## Requirements <a href="#jr1a6oj0j7c0" id="jr1a6oj0j7c0"></a>

* The Cloud application administrator role or higher in Azure Active Directory
* An administrator account in Code Ocean

## Creating a Custom Application <a href="#tiwtgoajwi1u" id="tiwtgoajwi1u"></a>

1. Log in to your Microsoft Azure Portal and click **Azure Active Directory** in the left-hand portal menu. Alternatively, you can search for it in the top search bar.
2. Once inside your AAD tenant, find and click **Enterprise applications** in the left-hand menu.

![](https://3068427076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzNNpqe0BZizzgqiYcyO0%2Fuploads%2FA2E1cS7PKrTk0MQen4H9%2FAzure%20Active%20Directory%20-%20Microsoft%20Azure%202021-10-17%20at%203.28.31%20PM.jpg?alt=media\&token=243bb3d5-8f03-4028-a5f4-58e6188598c3)

3\. Click **New Application**, then **Create your own application**. In the menu that appears, enter a name for the app and leave the option **Integrate any other application you don't find in the gallery (Non-gallery)** selected.

![](https://3068427076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzNNpqe0BZizzgqiYcyO0%2Fuploads%2FuePVtX4ER36yMBWUB7Sr%2F1?alt=media)

{% hint style="warning" %}
It may take a few minutes for the application to be deployed. The status can be monitored under the Notifications dropdown on the top ribbon.
{% endhint %}

4\. Once the deployment is finished, click the **Enterprise applications** link beneath the search bar to find your newly created application.

## Configuring Provisioning <a href="#udpth13w1q8f" id="udpth13w1q8f"></a>

### Get the Code Ocean SCIM Provisioning Information (URL and token) <a href="#z0a1k2t9txh8" id="z0a1k2t9txh8"></a>

1. Go to the Code Ocean Admin Panel
2. Click **Integrations**
3. Scroll down to the SCIM section and copy the Provisioning URL and save it for a later stage

![](https://3068427076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzNNpqe0BZizzgqiYcyO0%2Fuploads%2FaQD0hf5TPwr9pV4uGTzr%2F2?alt=media)

4\. Click **Generate new token**, copy the token and save it for a later stage

### Configuring Provisioning in Azure AD <a href="#dpvcvnek5npm" id="dpvcvnek5npm"></a>

1. Click **Provisioning**, then **Get Started**

![](https://3068427076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzNNpqe0BZizzgqiYcyO0%2Fuploads%2Fh0QlhAVXt81EvmyEO7Ro%2F3?alt=media)

2\. Use the dropdown box to select **Automatic** (1). In **Tenant URL**, enter the Provisioning URL copied from Code Ocean, then enter your provisioning token (2, 3)

3\. Click **Test Connection** and confirm that the test succeeds (4)

4\. Click **Save** (5)

![](https://3068427076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzNNpqe0BZizzgqiYcyO0%2Fuploads%2FeZIF8IS3BfgeIJwgdKUf%2F4?alt=media)

{% hint style="info" %}
Provisioning sync runs every 40 minutes. See more information [here](https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user).
{% endhint %}

## Assigning Users & Groups <a href="#a8hlg4s0py6h" id="a8hlg4s0py6h"></a>

### Set Up User Provisioning <a href="#j1rea7djvs60" id="j1rea7djvs60"></a>

1. Go back to the application main page
2. Navigate to **Users and groups**
3. Click **Add user/group**

![](https://3068427076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzNNpqe0BZizzgqiYcyO0%2Fuploads%2FnlaR4wAGqEyWFklWqhvn%2F5?alt=media)

4\. Click **Users and groups** (currently showing **None Selected**)

5\. Search for users/groups and select them from the list

6\. Click **Select**

7\. Click **Assign**

![](https://3068427076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzNNpqe0BZizzgqiYcyO0%2Fuploads%2Fwlc7ev7OIGbTHzKhTWLZ%2F7?alt=media)

### User Attributes <a href="#n4cgvt2fcjq" id="n4cgvt2fcjq"></a>

These fields are supported for mapping user attributes:

* Name (first and last name)
* Email (must be lowercase)
* Active (whether the user is enabled or disabled)

{% hint style="warning" %}
Logging in to Code Ocean requires an email address. To sync users to Code Ocean, users in AD must have their email addresses included in their profiles.
{% endhint %}

![](https://3068427076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzNNpqe0BZizzgqiYcyO0%2Fuploads%2Ft66riOXz7yEGKyUm5f5x%2F8?alt=media)
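The following pre-flight check is an added example, not part of Code Ocean's or Microsoft's own tooling. It takes directory records shaped like Microsoft Graph user objects (constructed sample data), flags the ones that break the attribute rules above, and builds an RFC 7643 SCIM User resource for the rest. Using the email as `userName`, and the exact set of SCIM attributes Code Ocean reads, are assumptions.

```python
# Added example: pre-flight check of directory users before SCIM assignment.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample records using Microsoft Graph user property names.
SAMPLE_USERS = [
    {"givenName": "Ada", "surname": "Lovelace",
     "mail": "ada@example.com", "accountEnabled": True},
    {"givenName": "Alan", "surname": "Turing",
     "mail": "Alan.Turing@example.com", "accountEnabled": True},
    {"givenName": "Grace", "surname": "Hopper",
     "mail": None, "accountEnabled": True},
    {"givenName": "Former", "surname": "Member",
     "mail": "former@example.com", "accountEnabled": False},
]


def preflight(users):
    """Return (scim_payloads, problems) for a list of directory user records."""
    payloads, problems = [], []
    for index, user in enumerate(users):
        mail = (user.get("mail") or "").strip()
        who = mail or f"record {index}"
        issues = []
        if not mail:
            issues.append("no email in profile; user cannot log in")
        elif mail != mail.lower():
            issues.append("email is not lowercase")
        if not (user.get("givenName") and user.get("surname")):
            issues.append("first or last name missing")
        if issues:
            problems.extend((who, msg) for msg in issues)
            continue
        payloads.append({
            "schemas": [SCIM_USER_SCHEMA],
            "userName": mail,  # assumption: email doubles as the SCIM userName
            "name": {"givenName": user["givenName"],
                     "familyName": user["surname"]},
            "emails": [{"value": mail, "primary": True}],
            # A disabled directory account is sent as an inactive user.
            "active": bool(user.get("accountEnabled")),
        })
    return payloads, problems


if __name__ == "__main__":
    ready, problems = preflight(SAMPLE_USERS)
    print(f"{len(ready)} ready to sync, {len(problems)} problem(s)")
    for who, msg in problems:
        print(f"  {who}: {msg}")
```

Running the check against an export of the users you plan to assign shows which accounts need their profile fixed in AD before the next provisioning cycle.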

### Set Up Group Provisioning <a href="#sshl182hr9a7" id="sshl182hr9a7"></a>

You can provision groups from Azure AD to Code Ocean by assigning a group to the codeocean-scim application. This will create a new group in your Code Ocean account with all the users that are assigned to that group in Azure AD.

1. Go to the application main page
2. Navigate to **Users and groups**
3. Click **Add user/group**

![](https://3068427076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzNNpqe0BZizzgqiYcyO0%2Fuploads%2FJoRMRIqrEjVh3E7U7B8s%2F9?alt=media)

![](https://3068427076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzNNpqe0BZizzgqiYcyO0%2Fuploads%2FiL2F5CFjr246eX1nKacd%2F10?alt=media)

4\. Search for a group and select it from the list

5\. Click **Select**

6\. Click **Assign**

![](https://3068427076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzNNpqe0BZizzgqiYcyO0%2Fuploads%2F0OZhm19IzdWpjLcDwti5%2F11?alt=media)
