© 2026 Wando. Docs are continuously updated as the product ships.

Microsoft Entra ID

~15 minutes

Provision members from Entra ID into Wando automatically. Entra pushes user and group changes to Wando's SCIM 2.0 endpoint over a bearer token, and Wando maps groups to roles.

Before you start

  • SSO already configured for this organisation in Wando (see the Microsoft Entra ID SSO guide).
  • An Entra ID tenant on a plan that includes app provisioning (Microsoft Entra ID P1 or higher).
  • A SCIM bearer token issued by your Wando contact. Request one before you start; you'll paste it in step 4.

Steps

  1. Open the Enterprise application

    In the Entra admin center, open Entra ID → Enterprise applications and pick the application you created for Wando (or "New application" → "Create your own application" → non-gallery if you haven't yet — name it "Wando").

  2. Request a SCIM token from your Wando contact

    Email your Wando contact (hej@wando.app) and ask them to issue a SCIM token for this organisation. They'll send back a bearer string in the form `<rawToken>:<providerId>` — keep it handy for step 4.

    Wando only shows the token once when it's issued. If you lose it, ask for a fresh one; old tokens can be revoked.

  3. Open the Provisioning tab

    Back in Entra, on the Wando enterprise application, open "Provisioning" from the left menu. Click "Get started" (or "Edit provisioning" if returning later) and switch "Provisioning Mode" to "Automatic".

  4. Enter Wando's SCIM endpoint and token

    Fill in the "Admin Credentials" section:

    • Tenant URL: https://www.wando.tromb.com/api/auth/scim/v2
    • Secret Token: the bearer token from step 2

  5. Test the connection

    Click "Test Connection". Entra calls Wando's `/ServiceProviderConfig` endpoint and verifies the bearer token. A green banner confirms success.

  6. Confirm the attribute mappings

    Expand "Mappings" → "Provision Microsoft Entra ID Users". The defaults are fine for Wando: `userPrincipalName → userName`, `mail → emails[type eq "work"].value`, `displayName → displayName`, `active → active`. Click "Save".

  7. Push groups (optional, recommended)

    Expand "Mappings" → "Provision Microsoft Entra ID Groups". Keep the default mappings. Wando uses pushed groups to drive role assignment (see step 9).

  8. Assign users and groups

    Back on the application's overview, open "Users and groups" → "Add user/group". Pick the groups you want provisioned. Only assigned users and groups will be pushed.

  9. Map groups to Wando roles

    After Entra runs its first provisioning cycle (Entra polls every ~40 minutes; click "Start provisioning" to trigger one), the pushed groups land in Wando. Send your Wando contact a list of which group should map to which role — "admin", "boss" or "member" — and they'll wire it up. Users in multiple groups get the highest role.

  10. Start the provisioning cycle

    On the Provisioning page, set "Provisioning Status" to "On" and click "Save". Entra will start pushing assigned users and groups to Wando within a few minutes.
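
The connection test from step 5 can also be run by hand before the token is pasted into Entra in step 4. The script below is an added example, not Wando's or Microsoft's code: it checks the `<rawToken>:<providerId>` shape from step 2, refuses non-HTTPS URLs and redirects, and then requests `/ServiceProviderConfig`. It assumes the endpoint returns a standard RFC 7643 ServiceProviderConfig body, and `WANDO_SCIM_TOKEN` is a hypothetical environment variable name.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

SPC_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"  # RFC 7643

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Never follow redirects, so the bearer token is not replayed to another URL."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx response

def check_token_shape(token):
    """Return a list of problems with a token expected as <rawToken>:<providerId>."""
    problems = []
    if any(c.isspace() for c in token):
        problems.append("contains whitespace (copy/paste damage?)")
    raw, sep, provider = token.rpartition(":")
    if not (sep and raw and provider):
        problems.append("not in <rawToken>:<providerId> form")
    return problems

def build_request(base_url, token):
    """Build GET <base>/ServiceProviderConfig; refuse to send the token over plain HTTP."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("bearer token must only be sent to an https:// URL")
    url = base_url.rstrip("/") + "/ServiceProviderConfig"
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token})

def is_service_provider_config(body):
    """True if body (bytes) parses as a SCIM ServiceProviderConfig resource."""
    try:
        schemas = json.loads(body).get("schemas")
    except (ValueError, AttributeError):
        return False
    return isinstance(schemas, list) and SPC_SCHEMA in schemas

if __name__ == "__main__":
    token = os.environ.get("WANDO_SCIM_TOKEN", "")  # hypothetical name; keeps secret out of argv
    if check_token_shape(token):
        raise SystemExit("token rejected: " + "; ".join(check_token_shape(token)))
    req = build_request("https://www.wando.tromb.com/api/auth/scim/v2", token)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            ok = is_service_provider_config(resp.read())
    except urllib.error.HTTPError as err:  # 401: token refused; 3xx: redirect blocked
        raise SystemExit("endpoint answered HTTP %d" % err.code)
    print("token accepted" if ok else "2xx response, but not a ServiceProviderConfig")
```

The script never prints the token, so its output is safe to paste into a ticket.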

Hand off to Wando

Send your values to your Wando contact

hej@wando.app

Once Entra has pushed its first provisioning cycle, send your Wando contact the group-to-role mapping you want. They'll apply it to the SCIM groups Entra pushed and confirm when provisioning is live.

  • SCIM base URL (already configured): https://www.wando.tromb.com/api/auth/scim/v2
  • Group → role mapping: send your contact a list of which group should map to admin / boss / member