---
title: "How to integrate Azure Entra to DocuWare User provisioning"
slug: "how-to-integrate-azure-entra-to-docuware-user-provisioning"
tags: ["#version  Cloud"]
updated: 2026-05-20T10:04:27Z
published: 2026-05-20T10:04:27Z
canonical: "knowledgecenter.docuware.com/how-to-integrate-azure-entra-to-docuware-user-provisioning"
---

> ## Documentation Index
> Fetch the complete documentation index at: https://knowledgecenter.docuware.com/llms.txt
> Use this file to discover all available pages before exploring further.

# How to integrate Azure Entra to DocuWare User provisioning

If your organization uses Azure Entra to manage employee access to tools and services, you can utilize **Azure**"**Provisioning**" feature to automatically provide your users with access to **DocuWare**via **SCIM**. This guide will walk you through the steps to configure both **DocuWare**and **Azure Entra**to set up provisioning for your organization.

The current version of UserSync (v3) supports the following provisioning features:

- **Automatic User Creation:** Users assigned to the Enterprise application in Azure are automatically created as users in DocuWare.
- **Attribute Synchronization:** Any updates to user attributes (userName, email, activeness) in Azure will be reflected in DocuWare.
- **User Deactivation:** When users are deactivated in Azure, they are marked as 'disabled' in DocuWre, preventing them from logging in.

### Creating a new application in Microsoft Azure Entra

1. Login to the Azure portal via the following link - [Home - Microsoft Azure](https://portal.azure.com/#home)
2. Go to **Enterprise Applications** page.
3. Click **New Application**:

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(464).png)

1. Click **Create your own application**:****

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(465).png)

1. Choose a **Name**for your app and select the option **Integrate any other application you don’t find in the gallery (Non-gallery)**
2. Click **Create.**
3. After the creation of the application navigate to **Provisioning**
4. Select **Provisioning Mode** > **Automatic**.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(467).png)

1. Open **Admin Credentials**section.
2. Don’t close the Azure configuration and switch to **DocuWare Configurations**.

### Embedding the new Azure application in DocuWare

1. Go to DocuWare **Configurations > General > User Provisioning.**
2. In the **User Provisioning** plugin, activate the option **Enable User Provisioning**.
3. In the dropdown **Identity Provider** select **Azure Entra**.
4. In the dropdown **Application Registration** select previously created app registration or click “**Create Application Registration**“ button. ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(688).png)
5. Write the **Application Name:** ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(689).png)
6. From the just created app registration copy the values of
  1. **Application (Client) ID**
  2. **Client Secret**

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(690).png)
7. Click the **Done** button.
8. After saving, two authentication methods are provided as options: **OAuth2 Client Credentials Grant** and **Bearer Authentication**. ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(489).png)
9. The next steps depend on your authentication method choice:
  1. **OAuth2 Client Credentials Grant**
    - Copy the links **Tenant URL, Token Endpoint.**
    - Navigate back to **Entra > your application > Manage > Provisioning > Admin Credentials.**
    - Make sure that the **OAuth2 Client Credentials Grant** is selected in the **Authentication Method** dropdown.
    - Paste all the copied data from step 5 in the appropriate fields there.
    - When all the required data is populated click the **Test Connection**button.
    - Then **Save** the changes.
    - If an error is displayed in the top-right corner after saving, click the **Save** button again. ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(490).png)
  2. **Bearer Authentication**
    - Copy the link for the **Tenant URL** and the generated **Bearer token.**
    - Navigate back to **Entra > your application > Manage > Provisioning > Admin Credentials**.
    - Make sure that the **Bearer Authentication** is selected in the **Authentication Method**dropdown.
    - Paste the previously copied link for the **Tenant URL** and the **Bearer token.**
    - When all the required data is populated click on the **Test Connection** button.
    - Then **Save** the changes.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(473).png)

### Mapping user and group attributes in DocuWare and Microsoft Entra ID

Mapping user and group attributes between DocuWare and Microsoft Entra ID allows users and groups to be matched and synchronized

1. Open Microsoft Entra ID.
2. To map the users choose **Provisioning > Attribute Mapping**> **Provision Microsoft Entra ID Users** ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(474).png)
3. Set the User attribute mappings:
  1. Required mappings:
    - userName: Item(Split([userPrincipalName], "@"), 1)
    - active: Switch([IsSoftDeleted], , "False", "True", "True", "False")
    - emails[type eq "work"].value: Coalesce([mail],[userPrincipalName])
    - externalId: objectId
  2. Optional mappings:
    - name.givenName: givenName
    - name.familyName: surname
4. Additional Information
  1. For mapping the userName attribute you will need first to update its configuration:

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(492).png)
    - Open for **Edit Attribute** the attribute: userPrincipalName
    - Change the mapping type to **Expression**
    - Update the expression field to: Item(Split([userPrincipalName], "@"), 1)
    - Click **OK** to save.
  2. For mapping the email attribute you will need first to update its configuration:
    - Open for **Edit Attribute** the attribute: emails[type eq "work"].value
    - Change the mapping type to **Expression**
    - Update the expression field to: **Coalesce([mail],[userPrincipalName])**
    - Click **OK** to save. ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(491).png)
  3. For mapping the *externalId* attribute properly you will also need to first update it’s configuration:
    - Open for Edit the attribute: *externalId*: *mailNickname*
    - Change the **Source attribute** to: objectId
    - Click **OK** to save. ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(478).png)
5. Delete all the extra mappings and **Save**. If the mappings are not deleted, it can cause errors when updated users are provisioned. ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(479).png)
6. To map the groups choose **Provisioning > Attribute Mapping** > **Provision Microsoft Entra ID Groups**

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(480).png)

1. Set the Groups Mappings:
  1. Delete the redundant mapping **externalId → objectId**
  2. Disable the Delete option from **Target Object Actions**
  3. Save the changes

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(481).png)

### **Provisioning users and groups**

Navigate to the **Overview**page in your Entra application and click the **Start Provisioning** button:

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(482).png)

**Provisioning users**

1. Click **Manage > Users and Groups > Add user/group > Select the users you would like to provision > Assign**.
2. After adding the desired users for provisioning, they will either be automatically provisioned after some time or you can choose to provision them on demand.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(483).png)

1. Navigate to **DocuWare Configurations > General > User Management.**
2. Check if the expected users are provisioned successfully there.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/howto_integrateazureentratouserprovisioning-1.doc-image-qx21e5wy.png)

**Provisioning groups:**

1. Click **Manage > Users and Groups > Add user/group > Select a group for provisioning > Assign**. Note: If you want to assign the members of the group on-demand, you must add them to the list as well.
2. After adding the desired groups and users for provisioning, they will either be automatically provisioned after some time or you can choose to provision them on demand.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/howto_integrateazureentratouserprovisioning-1.doc-image-xdwu5820.png)

1. Navigate to **DocuWare Configurations > General > User Management.**
2. Check if the expected groups and users are provisioned successfully there.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(484).png)

### Additional information about the group provisioning process

1. Searching for Groups: The system first searches for an existing group using the given displayName. If a group with that displayName exists in DocuWare, the process moves to updating the group; otherwise, it proceeds to creating a new group.
2. Group Creation and Update Handling: a) Creating New Groups: When no existing group in DocuWare matches the displayName, the service creates a new group with the specified members. b) Updating Existing Groups: If a matching group is found, the service updates the group’s details and adds new members to the group. It ensures that existing members are not replaced but retained alongside the new members.

Once the groups are mapped after their first synchronization, future mapping is done using the ID attribute. For example, if you decide to change a group's name in Entra ID and then provision the updated group, the group will be mapped by its ID. The service will update the group's name in DocuWare accordingly without removing its members.
3. Member Management: a) Adding Members: When updating groups, any new members are added while keeping the current members intact. b) Preventing Duplicates: The system is designed to avoid adding duplicate members to groups, ensuring each member is unique within the group.
4. Leading system: Microsoft Entra ID is the leading system for all provisioned users and groups. Perform all changes, such as adding or removing users from groups, in Entra ID. Avoid making manual changes directly in DocuWare. These changes are not synchronized back to Entra ID and can cause inconsistencies. For example, if you manually remove a user from a synchronized group in DocuWare, the provisioning service cannot reassign that user to the group. To restore the correct membership, make the change in Entra ID instead.

## Supported versions: DocuWare Cloud