You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: Workload-Identity-Federation-for-SCIM-Provisioning.md
+18-2Lines changed: 18 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,6 @@
1
1
# Workload Identity Federation: A New Authentication Method for SCIM Provisioning
2
2
3
-
**Date:**9th June 2026
3
+
**Date:**25th June 2026
4
4
5
5
---
6
6
@@ -62,6 +62,8 @@ This is a fundamental shift from the traditional model where admins had to:
62
62
63
63
The administrator must perform **3 steps** to set up the integration for their app. The administrator must have at least the **Application Administrator** role on the customer's tenant.
### Step 1: Configure ISV App and Workload Identity in Entra Portal
66
68
67
69
In the Entra App Gallery, the administrator:
@@ -70,6 +72,16 @@ In the Entra App Gallery, the administrator:
70
72
2. On the Connectivity Page, picks **"Workload Identity Federation"** as the auth method
71
73
3. Clicks **"Select Workload Identity"** — customers can register a new Workload Identity App or reuse an existing one they have already used to set up with the ISV
72
74
75
+
The Connectivity page exposes **Workload Identity Federation** as an authentication method alongside the existing authentication options.
76
+
77
+

78
+
79
+
After selecting **Workload Identity Federation**, the administrator chooses **Select Workload Identity**. From there, they can either register a new workload identity app or select an existing workload identity that has already been configured with the ISV.
80
+
81
+
| Register a new workload identity | Select an existing workload identity |
82
+
|---|---|
83
+
|||
84
+
73
85
After the access app is configured, the UX displays the following values to be **copied to the ISV Portal**:
74
86
75
87
| Value | Format |
@@ -79,6 +91,8 @@ After the access app is configured, the UX displays the following values to be *

95
+
82
96
### Step 2: Set up SCIM Client with JWKS in ISV Portal
83
97
84
98
In the ISV portal, the administrator sets up a client for the ISV's SCIM endpoint. As part of setting up the auth integration, the administrator copies the values from Step 1 (issuer, JWKS URL, subject, audience) into the ISV portal.
@@ -99,6 +113,8 @@ Back in the Entra App Gallery:
99
113
2. Click **"Test Connection"** — this invokes the backend to perform all the token exchange steps and validate the integration
100
114
3.**Save** the configuration — the app is now ready to configure provisioning
101
115
116
+

117
+
102
118
---
103
119
104
120
## How the JWT Bearer Assertion Flow Works
@@ -402,4 +418,4 @@ If the JWKS endpoint is temporarily unavailable:
402
418
| Microsoft Identity Platform OIDC Metadata |`https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration`|
0 commit comments