Microsoft Entra ID SCIM configuration guide

Configure Azure SSO, now known as Microsoft Entra ID, as a custom SAML application for limited automatic provisioning with ClickUp!

Microsoft Entra ID has limited automatic provisioning including user creation and removal. Roles, Custom Roles, and Teams cannot be assigned. You can set a default role, but you can't set roles per-user.

What you'll need

  • Before you can set up provisioning, you need to have Microsoft Entra ID enabled for your Workspace.
  • Only Microsoft Entra ID admins can configure Microsoft Entra ID SCIM.

Step 1: Set up Microsoft Entra ID custom SAML application

To set up the custom SAML application:

  1. Create a new custom SAML application in Microsoft Entra ID.

    This is not the official ClickUp Microsoft Entra ID Gallery application titled ClickUp Productivity Platform.

    Screenshot of someone setting us a new custom SAML app in Microsoft Entra ID.
  2. In ClickUp, click your Workspace avatar and select Settings.
  3. In the Sidebar, click Security & Permissions.
  4. In the Single sign-on (SSO) section, select SAML.
    Screenshot of the SAML option in ClickUp's Security and Permissions settings.
  5. For a new Microsoft Entra ID app, copy the SP Entity ID from ClickUp.
    Screenshot of the SP Entity ID from ClickUp.
  6. Paste the SP Entity ID from ClickUp into the Identifier (Entity ID) field in Microsoft Entra ID.
    Screenshot of someone pasting the SP Entity ID into the Identifier field.
  7. Copy the Single sign-on URL (ACS URL) from ClickUp and paste it into the Reply URL (Assertion Consumer Service URL) field in Microsoft Entra ID.
  8. Click Save in Microsoft Entra ID.
    Screenshot of the save button in Microsoft Entra.

Step 2: Link SSO in ClickUp

Now that the application is set up, you can complete the SSO connection in ClickUp:

  1. Ensure the person setting up the SSO integration is assigned in the Microsoft Entra ID app. Others can be added later.
  2. Copy the Login URL and the IDP Public Certificate from Microsoft Entra ID.
    Screenshot of the login URL and IDP public certificate in Microsoft Entra ID.
  3. Paste these values in plaintext to the corresponding empty ClickUp fields when selecting the SAML connector.
    • To get the certificate in plaintext, download and right-click the file to open it with a text editor of your choice. The text begins with -----BEGIN CERTIFICATE-----. Paste the entire text value without any edits into the IDP Public Certificate field.
      Screenshot of a certificate. 
  4. Select Save metadata.
    Screenshot of the Save metadata button.
  5. You'll be prompted to complete the link by logging in with SSO. If successful, you'll be redirected to ClickUp.
  6. On the Security & Permissions page in ClickUp, you'll see three new options:
    • SCIM Base URL
    • SCIM API Token
    • Login policy

Step 3: Set up automatic provisioning with ClickUp

With SSO linked, you can now set up automatic provisioning:

  1. In Microsoft Entra ID, open the Provisioning tab and change the dropdown from Manual to Automatic. This will cause the Admin Credentials window to appear in the Provisioning tab.
    Screenshot of the admin credential window in the Provisioning tab.
  2. Input the SCIM Base URL from your ClickUp Security & Permissions page into the Tenant URL field.
  3. Input the SCIM API Token from your ClickUp Security & Permissions page into the Secret Token field.
  4. Click Test Connection.
    Screenshot of the test connection button.
  5. Once the test is successful, SCIM is now set up in your Workspace. Users can sign in to ClickUp using Microsoft Entra ID.

People assigned to the application can be added immediately using the Provision on demand tab in Microsoft Entra ID, or you can wait until it is done automatically.

Screenshot of the provision on demand button.

Automatic provisioning runs on a timed cycle controlled by Microsoft Entra ID, and users assigned to the application will only be added when the next automatic provisioning cycle runs.

Custom Role attributes

The following Custom Role attributes are available:

Model Custom Role Attributes
Base

id

userName

Name: {givenName and familyName}

active

emails

Array of emails with value property and primary (boolean) property

title

manager

Extension

role

clickupRole

customRoleId

customRoleName

Enterprise

manager

 

Was this article helpful?