Setting up Microsoft Entra SSO and SCIM

✍️

Note

This article has been updated to reflect Microsoft's rebranding of Azure Active Directory to Microsoft Entra ID. The setup process remains the same.

Guru supports Single Sign-On (SSO) and SCIM provisioning through Microsoft Entra ID. Follow the steps below to configure both..

Create a new app in Microsoft Entra

1. Open the SSO/SCIM page in Guru. Keep this tab open — you'll need to copy values from it throughout setup.
2. In a new tab, sign in to the Microsoft Entra admin center as an Admin.
3. Navigate to Identity > Applications > Enterprise Applications and click + New Application.
4. Click + Create Your Own Application, enter "Guru" as the display name, and select Integrate any other application you don't find in the gallery (Non-gallery).
5. Click Create.

✍️

Note

Entra may suggest an existing app named Guru during this step. That is a different company. After typing "Guru" as the name, select Create Your Own Application to create a new, separate app

Configure SSO (SAML)

1. Under Manage in the left-hand column, select Single sign-on, then select SAML.
2. In step 1, click the edit icon to open Basic SAML Configuration.
3. Under Identifier (Entity ID), click Add identifier and paste the Audience URI from your Guru SSO/SCIM page.
4. Under Reply URL, click Add reply URL and paste the Single Sign-On URL from your Guru SSO/SCIM page.
5. Click Save.

Next, copy the following values from Entra into your Guru SSO/SCIM page:

• Login URL → paste into the Identity Provider Single Sign-On URL field in Guru.
• Microsoft Entra Identifier → paste into the Identity Provider Issuer field in Guru.
• Certificate (Base64) → download the certificate file, open it as a text file, and paste the contents into the X.509 Certificate field in Guru.

Once you've saved these values in Guru, toggle SSO to Enabled.

Configure SCIM provisioning

1. On your Guru SSO/SCIM page, toggle Authorize SCIM Provisioning on.
2. Copy the SCIM Username and SCIM Token from your Guru SSO/SCIM page.
3. In Entra, paste both values into the Secret Token field, separated by a colon — for example, scimuser:token123.
4. Click Test Connection to verify the setup. You should see a success message in the top right corner.

Set up attribute mappings

User mappings

1. Under Mappings, select Provision Microsoft Entra ID Users.
2. Set Enabled to Yes.
3. Under Target Object Actions, confirm that Create, Update, and Delete are all checked. These allow Entra to add new users, sync changes, and remove users in Guru.
4. Review your Attribute Mappings and confirm they match what's listed in your Guru documentation. Capitalization matters.
5. Find the customappsso attribute externalID and update its value from the default to objectId.
6. Click Save.

Attribute Mappings for Users

Group mappings

1. Under Mappings, select Provision Microsoft Entra ID Groups.
2. Confirm that Create, Update, and Delete are all checked.
3. Click Save.

Things to know

• SCIM 2.0 support. Guru works with any identity provider that supports SCIM 2.0.
• Office 365 is not supported. Guru doesn't support automatic provisioning through Office 365.
• Synced users and groups. Once SCIM is enabled, users and groups sync from Microsoft Entra ID to Guru. Existing Guru users whose emails match are merged into the sync and become uneditable in Guru. Synced users and groups display a sync icon next to their names.
• Removing users. Once SCIM is on, you can't remove users directly from the Guru web app. If you need to remove a user and can't do it in Entra, temporarily turn off SCIM (this won't affect existing users), remove the user, then turn SCIM back on.