# Microsoft Entra ID SCIM integration

This guide explains how to configure user synchronization from Microsoft Entra ID to Twilio using SCIM provisioning with the OAuth 2.0 client credentials grant type. This integration works with custom (non-gallery) applications in Entra ID.

## Step 1: Create an OAuth 2.0 Client Credential App in the Twilio Console

Before configuring Entra ID, you must generate a secure **Client ID** and **Client Secret** from your Twilio Console to authorize the SCIM sync operations.

### Twilio Console

1. Log in to [Twilio Console](https://1console.twilio.com/) and navigate to [**Settings** > **Organization settings** > **Organization API access**](https://1console.twilio.com/organization/settings/oauth/apps).
2. Click **Create OAuth application**.
3. Select grant type as **Client credentials**.
4. Enter the **Application name** and **Application description**.
5. On the **Scopes & permissions** step, check all the **managed-users** permissions.
6. On the **Copy secret** page, copy the credentials and store them somewhere secure.
7. Select the **Got it!** checkbox and click **Finish**.

### Legacy Console

1. In the Legacy Console, go to [**Twilio Admin**](https://admin.twilio.com/) and navigate to [**Applications** > **OAuth apps**](https://admin.twilio.com/applications/oauth).
2. On the **OAuth apps** page, click **Create OAuth application**.
3. Select grant type as **Client credentials**.
4. Enter the **Application name** and **Application description**, then under **Scopes & permissions**, check all the **managed-users** permissions.
5. On the **Copy secret** page, copy the credentials and store them somewhere secure.
6. Select the **Got it!** checkbox and click **Finish**.

## Step 2: Create a non-gallery enterprise application

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as at least an [Application Administrator](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#application-administrator).
2. Browse to **Entra ID** > **Enterprise apps**.
3. Select **New application** at the top, then click **Create your own application**.
4. Enter a name for your application (e.g., `Twilio SCIM Provisioning`).
5. Under the choice for "What are you looking to do with your application?", select **Integrate any other application you don't find in the gallery (Non-gallery)**.
6. Click **Create** at the bottom of the pane.

## Step 3: Configure the SCIM provisioning engine

1. Select your application created in Step 2 and go to **Provisioning** from the left navigation menu.
2. Click **Provisioning** again in the left navigation under **Manage** (new experience), or click **Get started** (legacy experience).
3. Change the **Provisioning Mode** from **Manual** to **Automatic**.
4. Expand the **Admin Credentials** section.
5. In the **Authentication Method** dropdown, select **OAuth2 client credentials grant**.
6. Complete the following configuration fields:
   * **Tenant URL**: `https://iam.twilio.com/scim/v2`
   * **OAuth token endpoint**: `https://oauth.twilio.com/v2/token`
   * **Client identifier**: Enter the **Client ID** copied from Step 1.
   * **Client Secret**: Enter the **Client Secret** copied from Step 1.
7. Click **Test Connection**. Entra ID attempts to retrieve an OAuth token from the **OAuth token endpoint** and then verifies access to the SCIM engine through the **Tenant URL**.
8. Once the test succeeds, click **Save** at the top.
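
The two requests behind **Test Connection** can be reproduced outside Entra ID to separate a credential or scope problem from a mapping problem. The following Python script is an added example, not Twilio's or Microsoft's code. It assumes the credentials are sent in the form body, that looking up a random, non-existent `userName` is an acceptable probe, and it reads them from the hypothetical environment variables `TWILIO_CLIENT_ID` and `TWILIO_CLIENT_SECRET`.

```python
import json, os, urllib.parse, urllib.request, uuid

TOKEN_URL = "https://oauth.twilio.com/v2/token"  # OAuth token endpoint from Step 3
TENANT_URL = "https://iam.twilio.com/scim/v2"    # Tenant URL from Step 3
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"  # RFC 7644

def token_request(client_id, client_secret):
    # Assumption: credentials go in the form body (RFC 6749 section 2.3.1).
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def probe_request(access_token):
    # Assumption: look up a random userName that cannot exist, so a healthy
    # endpoint answers with an empty ListResponse and no user data is read.
    query = urllib.parse.urlencode({"filter": f'userName eq "{uuid.uuid4()}"'})
    return urllib.request.Request(f"{TENANT_URL}/Users?{query}",
        headers={"Authorization": f"Bearer {access_token}",
                 "Accept": "application/scim+json"})

def extract_token(payload):
    # Reject anything that is not a usable bearer token response.
    token_type = str(payload.get("token_type", "")).lower()
    if token_type != "bearer" or not payload.get("access_token"):
        raise ValueError("token endpoint did not return a bearer access_token")
    return payload["access_token"]

def is_empty_list_response(payload):
    # A valid SCIM answer to the probe: ListResponse schema and zero matches.
    return LIST_SCHEMA in payload.get("schemas", []) and payload.get("totalResults") == 0

def fetch_json(request):
    with urllib.request.urlopen(request, timeout=15) as resp:  # raises on 4xx/5xx
        return json.load(resp)

def main():
    # The secret comes from the environment so it stays out of the source file.
    cid, secret = os.environ["TWILIO_CLIENT_ID"], os.environ["TWILIO_CLIENT_SECRET"]
    token = extract_token(fetch_json(token_request(cid, secret)))
    ok = is_empty_list_response(fetch_json(probe_request(token)))
    print("SCIM probe:", "ok" if ok else "unexpected response")  # token is never printed
    return 0 if ok else 1

if __name__ == "__main__":
    raise SystemExit(main())
```

An HTTP error on the first request points at the Client ID or Client Secret; an error on the second points at the scopes granted to the OAuth application in Step 1.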

## Step 4: Finalize mappings and start syncing

Once the connection test in Step 3 succeeds:

1. In the Entra Portal, expand the **Mappings** section under the **Provisioning** tab.
2. Review the attribute mappings for **Provision Microsoft Entra ID Users**.
3. Disable **Provision Microsoft Entra ID Groups**, because Twilio doesn't currently support SCIM groups.
4. Navigate to **Users and Groups** from the left-hand navigation in your Enterprise Application and assign a few test users.
5. Go back to the **Provisioning** > **Overview** dashboard and click **Start provisioning** to begin the automated synchronization cycle.
